I'm trying to follow these instructions, https://cloud.google.com/pubsub/docs/dead-letter-topics#assigning_the_publisher_role, to grant Pub/Sub permission to publish messages to a dead-letter queue, but I'm encountering a PERMISSION_DENIED:
gcloud pubsub topics add-iam-policy-binding my-dead-letter-topic --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT" --role="roles/pubsub.publisher"
ERROR: (gcloud.pubsub.topics.add-iam-policy-binding) PERMISSION_DENIED: User not authorized to perform this action.
Helpfully, the Google Cloud console shows that I need the pubsub.topics.setIamPolicy
My question is: how would I go about acquiring that permission? Would I have to be a project IAM admin (cf. "You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy")?
Yes, exactly. You'll need to be assigned one of the roles that contains the resourcemanager.projects.setIamPolicy permission. As you pointed out, the answer to "You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy" outlines the different role options.
Project IAM Admin is recommended because it's the most specific role you can be granted to be able to set the IAM policy.
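To see which of a principal's current role bindings carry a given permission before asking for more access, the check below is an added example, not part of the original question or answer. The policy and role definitions are constructed samples shaped like gcloud's JSON output, and `roles_granting` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
POLICY = json.loads("""
{"bindings": [
  {"role": "roles/pubsub.editor", "members": ["user:alice@example.com"]},
  {"role": "roles/viewer", "members": ["user:alice@example.com"]},
  {"role": "roles/pubsub.admin", "members": ["user:bob@example.com"],
   "condition": {"title": "constructed-expiry",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/resourcemanager.projectIamAdmin", "members": ["user:carol@example.com"]}
]}
""")

# Constructed, trimmed excerpts shaped like `gcloud iam roles describe ROLE --format=json`.
# Run that command for the authoritative permission list of each role.
ROLE_DEFS = json.loads("""
[{"name": "roles/pubsub.editor",
  "includedPermissions": ["pubsub.topics.get", "pubsub.topics.publish", "pubsub.topics.update"]},
 {"name": "roles/pubsub.admin",
  "includedPermissions": ["pubsub.topics.getIamPolicy", "pubsub.topics.setIamPolicy"]},
 {"name": "roles/resourcemanager.projectIamAdmin",
  "includedPermissions": ["resourcemanager.projects.getIamPolicy",
                          "resourcemanager.projects.setIamPolicy"]}]
""")

def roles_granting(policy, role_defs, member, permission):
    """Return (granting, unknown): granting is a sorted list of (role, is_conditional)
    for direct bindings of `member` whose role includes `permission`; unknown lists
    bound roles with no loaded definition. Group membership is not expanded."""
    included = {r["name"]: set(r.get("includedPermissions", [])) for r in role_defs}
    granting, unknown = [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if role not in included:
            unknown.append(role)  # cannot decide without the role definition
        elif permission in included[role]:
            # A conditional binding only applies while its CEL expression holds.
            granting.append((role, "condition" in binding))
    return sorted(granting), sorted(unknown)

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, roles_granting(POLICY, ROLE_DEFS, who, "pubsub.topics.setIamPolicy"))
```

The same function works on a topic-level policy from `gcloud pubsub topics get-iam-policy`, since it uses the same `bindings` structure.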