Thank you for the reply. We have a custom service account used with the cloud function, and we apply roles directly to that service account.
All of this is taking place in the same project (i.e. no cross-project interactions).
What’s odd to me is that the logs seem to show that the service account has permission (granted=true), but the action of creating a subscription is ultimately denied. Do you know why this is?
"authorizationInfo": [
  {
    "resource": "projects/<redacted>",
    "permission": "pubsub.subscriptions.create",
    "granted": true,
    "resourceAttributes": {}
  }
],