Is there a way I can grant a service account permission to access subscription/num_outstanding_messages of a subscription? Instead of granting the permission on the whole project that the subscription belongs to, I just want to grant permission to access the subscription only.
I can't find the answer in the documentation: https://cloud.google.com/pubsub/docs/monitoring
The `monitoring.timeSeries.list` permission acts on the project level (doc), so you can't only give permission to get stats on one subscription in a project.
It is possible to have subscriptions in a different project from the topic (so long as the creator has `projects.subscriptions.create` perm in both projects) and even for an app to fetch from a subscription in a different project than the app runs in (so long as the app has `projects.subscriptions.pull`). This does allow you to achieve what you want; here are some possible set-ups:
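One set-up of this kind, written out as an added example (not part of the original answer): the subscription lives in its own project, metric read access is granted on that project only, and pull access is granted on the subscription itself. All project, topic, subscription and account names are placeholders, and it assumes the subscription's metrics are reported under the project that holds the subscription.

```shell
#!/usr/bin/env bash
# Added example; every name passed in is a placeholder chosen by the caller.
set -eu

# Print the commands by default; set APPLY=1 to execute them with gcloud.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Args: topic project, topic, dedicated subscription project, subscription,
#       service account that reads metrics, service account that pulls.
isolate_subscription_metrics() {
  topic_project=$1 topic=$2 sub_project=$3 sub=$4 reader_sa=$5 consumer_sa=$6

  # 1. Create the subscription in the dedicated project, attached to the
  #    topic that stays in the original project.
  run gcloud pubsub subscriptions create "$sub" \
    --project="$sub_project" --topic="$topic" --topic-project="$topic_project"

  # 2. monitoring.timeSeries.list is checked on the project, so bind the
  #    metrics reader on the dedicated project, never on the topic project.
  run gcloud projects add-iam-policy-binding "$sub_project" \
    --member="serviceAccount:$reader_sa" --role="roles/monitoring.viewer"

  # 3. Pull access can be scoped to the single subscription resource.
  run gcloud pubsub subscriptions add-iam-policy-binding "$sub" \
    --project="$sub_project" \
    --member="serviceAccount:$consumer_sa" --role="roles/pubsub.subscriber"
}
```

Run without `APPLY=1` first to review the three commands before they touch any IAM policy.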