Not able to enable Pub/Sub as a channel for Cloud Monitoring. Issues with IAM. Screenshots included

Hi all,

Great to be here, wish it was to answer and not ask :wink: , here goes.

Trying to link up some Pub/Sub notification channels to an alerting policy named alerts. I've managed to run some troubleshooting in the terminal. Ran; results in `<etag: ACAB>`.

Now, I do know this means policies are not properly bound, but the following screenshots have me confused as to whether it is improperly bound.

Noted the problem in screenshot 1. It seems to be fixed in screenshot 2, but apparently it is not; could use some assistance/explanation! Much thanks!

Much thanks,

Rob


Hello,

As the message says on screenshot 1, you need to grant the pubsub.publisher permission to the service account. I would like to share this documentation with you; it will help you to understand IAM usage in Pub/Sub.

Kind regards!


It turns out that configuration was correct, but the warning was still present. I will mark your response as the solution because it is a good suggestion/observation. What does etag: ACAB mean? I saw that it meant no permissions, but I think it might be along the lines of Linux-style permission display (i.e. where 777 is the keys to the kingdom).

AFAIK, the ACAB etag usually shows when the policy is empty. Since you’re getting the policy at the resource level (at the pubsub topic level), this has no specific permissions. The permissions are defined in the parent level. If you check any empty permissions, usually the etag will be ACAB (i.e. the initial empty permission set). Once it’s changed, the etag will change too, even if reverted back to no permissions.

The permissions are correct in this situation because they’re defined at the parent, and the child resource inherits the permissions. I guess the warning will be there to remind you to not remove those permissions, or to set them at the topic level as redundancy (although I don’t recommend that).

If the service account was not given permissions at the parent level (i.e. if it was from another project), then you would have to define it at the resource (topic) level to avoid giving too many permissions (so it only has permissions on that topic and not all topics in the project).
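To make the reasoning in the thread concrete, here is an added example (not code from the original thread or from Google) that reads the JSON that `gcloud pubsub topics get-iam-policy TOPIC --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` print, recognises the empty-policy etag `ACAB`, and reports whether a member gets the publish permission at the topic level, by inheritance from the project, or not at all. The policies embedded below are constructed sample data; the service agent name follows the Cloud Monitoring pattern `service-PROJECT_NUMBER@gcp-sa-monitoring-notification.iam.gserviceaccount.com` with a made-up project number, and the set of roles treated as carrying `pubsub.topics.publish` is my assumption, not something the thread states.

```python
"""Where does a member get permission to publish to a Pub/Sub topic?

Runs offline against saved `gcloud ... get-iam-policy --format=json` output.
Added example, not from the original thread. Sample policies are constructed.
"""
import json

# Roles that include pubsub.topics.publish (assumption: predefined + basic roles).
PUBLISH_ROLES = {
    "roles/pubsub.publisher",
    "roles/pubsub.editor",
    "roles/pubsub.admin",
    "roles/editor",
    "roles/owner",
}

# gcloud returns this etag for a policy that has never been modified (empty).
EMPTY_POLICY_ETAG = "ACAB"

# Constructed: the Cloud Monitoring notification service agent (made-up number).
MONITORING_SA = "serviceAccount:service-123456789012@gcp-sa-monitoring-notification.iam.gserviceaccount.com"

# Constructed: what a topic-level policy looks like before anyone touches it.
TOPIC_POLICY_EMPTY = json.loads('{"etag": "ACAB"}')

# Constructed: project-level policy where the SA was granted publisher.
PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["user:rob@example.com"], "role": "roles/owner"},
    {"members": ["%s"], "role": "roles/pubsub.publisher"}
  ],
  "etag": "BwXwhwK1Ymw=",
  "version": 1
}
""" % MONITORING_SA)


def is_empty_policy(policy):
    """True when the policy has no bindings and still carries the initial etag."""
    return not policy.get("bindings") and policy.get("etag") == EMPTY_POLICY_ETAG


def roles_for_member(policy, member):
    """Unconditional roles bound to `member` in this policy (conditional bindings ignored)."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue  # a conditional grant is not a guaranteed grant; treat as absent
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def can_publish(policy, member):
    return bool(roles_for_member(policy, member) & PUBLISH_ROLES)


def publish_source(topic_policy, project_policy, member):
    """Classify the grant: 'topic', 'project' (inherited), or 'none'."""
    if can_publish(topic_policy, member):
        return "topic"
    if can_publish(project_policy, member):
        return "project"
    return "none"


def grant_command(topic, member):
    """gcloud command to bind the publisher role on the topic only (least privilege)."""
    return (
        f"gcloud pubsub topics add-iam-policy-binding {topic} "
        f"--member={member} --role=roles/pubsub.publisher"
    )


def diagnose(topic, topic_policy, project_policy, member):
    """Human-readable verdict mirroring the thread's explanation."""
    source = publish_source(topic_policy, project_policy, member)
    empty_note = " (topic policy is empty, etag ACAB)" if is_empty_policy(topic_policy) else ""
    if source == "topic":
        return f"OK: {member} can publish to {topic} via a topic-level binding."
    if source == "project":
        return f"OK: {member} can publish to {topic} via inheritance from the project{empty_note}."
    return f"MISSING: {member} cannot publish to {topic}{empty_note}. Fix: {grant_command(topic, member)}"


if __name__ == "__main__":
    print(diagnose("alerts", TOPIC_POLICY_EMPTY, PROJECT_POLICY, MONITORING_SA))
    print(diagnose("alerts", TOPIC_POLICY_EMPTY, {"etag": "BwXzzz="}, MONITORING_SA))
```

Run against real output by saving the two `get-iam-policy` commands to files and `json.load`-ing them in place of the constructed dicts. When the service account lives in another project, `publish_source` returns `none` for the inherited check and `grant_command` produces the topic-scoped binding the last reply recommends instead of a project-wide one.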