Workspace Events for Google Chat to Pub/Sub: which principal needs Pub/Sub Publisher for a Chat add-on app?

I’m trying to set up passive ingestion of communications from selected internal Google Chat spaces, without requiring @mentions, for processing by an internal OpenClaw-based AI operations system.

I want to use the sanctioned Google path:

  • Google Workspace Events API
  • Google Chat events
  • Pub/Sub delivery
  • internal/private only
  • no UI scraping

Use case:

  • passively consume all messages from selected Chat spaces
  • no @mention required
  • downstream processing by our internal system
  • private/internal deployment only

Current setup:

  • Chat app type: Google Workspace add-on that extends Chat
  • Workspace Events subscription target: //chat.googleapis.com/spaces/SPACE_ID_REDACTED
  • Pub/Sub topic: projects/PROJECT_ID_REDACTED/topics/chat-space-events-v2

What works:

  • Chat API enabled
  • Chat app configured and live
  • user OAuth subscription creation path works up to topic validation
  • Chat app auth path also works after admin approval for:
    https://www.googleapis.com/auth/chat.app.messages.readonly
  • request body is accepted far enough to validate Pub/Sub topic access

Subscription request body:

```json
{
  "targetResource": "//chat.googleapis.com/spaces/SPACE_ID_REDACTED",
  "eventTypes": [
    "google.workspace.chat.message.v1.created",
    "google.workspace.chat.message.v1.updated",
    "google.workspace.chat.message.v1.deleted"
  ],
  "notificationEndpoint": {
    "pubsubTopic": "projects/PROJECT_ID_REDACTED/topics/chat-space-events-v2"
  },
  "payloadOptions": {
    "includeResource": true
  }
}
```

Current blocker:
Workspace Events returns:
`INVALID_PUBSUB_TOPIC`
with the message:
“You don’t have permission to access Pub/Sub topic …, or the topic doesn’t exist.”

What I have already verified:
- topic exists
- fresh new topic also fails
- topic IAM includes `roles/pubsub.publisher` for the Google Workspace add-on service account shown on the Chat API config page
- Chat app auth is working with the approved `chat.app.messages.readonly` scope

Docs seem to say:
- for a Google Workspace add-on that extends Chat, use the service account shown on the Chat API configuration page
- for Chat API interaction events, use `chat-api-push@system.gserviceaccount.com`

Question:
For a Google Workspace add-on that extends Chat, creating Google Workspace Events subscriptions for Chat message events delivered to Pub/Sub, which exact principal must have `roles/pubsub.publisher` on the Pub/Sub topic?

Secondary question:

Is there any additional requirement or limitation for passive Chat space event subscriptions in this app mode that is not obvious from the docs?

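Since the whole problem reduces to "which principal holds `roles/pubsub.publisher` on the topic", a quick way to take the guesswork out of the IAM side is to audit the topic policy directly and compare it against both candidates the docs mention. The script below is an added example, not code from the original post or from Google: it reads the JSON that `gcloud pubsub topics get-iam-policy TOPIC --format=json` prints, reports which candidate principals can publish, which are missing, and whether the topic is exposed to `allUsers`/`allAuthenticatedUsers` (which would be a least-privilege problem regardless of the subscription issue). `ADDON_SERVICE_ACCOUNT_PLACEHOLDER` stands in for the add-on service account shown on the Chat API configuration page; the embedded sample policy is constructed to mirror the state described in the post.

```python
"""Audit a Pub/Sub topic IAM policy for Workspace Events publisher bindings.

Added example, not part of the original post. Input is the JSON emitted by
`gcloud pubsub topics get-iam-policy TOPIC --format=json`, read from a file
given on the command line or from stdin.
"""
import json
import sys

# Predefined roles that carry pubsub.topics.publish on a topic.
PUBLISH_ROLES = {
    "roles/pubsub.publisher",
    "roles/pubsub.editor",
    "roles/pubsub.admin",
    "roles/editor",
    "roles/owner",
}

# Candidate principals named by the docs quoted in the post. The add-on
# service account is a placeholder (assumption): copy the real one from the
# Chat API configuration page before running against a live topic.
CANDIDATE_PRINCIPALS = [
    "serviceAccount:ADDON_SERVICE_ACCOUNT_PLACEHOLDER",
    "serviceAccount:chat-api-push@system.gserviceaccount.com",
]

# Members that make the topic world-publishable; never wanted on an
# internal ingestion topic.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy: only the add-on service account can publish,
# which matches the state described in the post.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/pubsub.publisher",
      "members": ["serviceAccount:ADDON_SERVICE_ACCOUNT_PLACEHOLDER"]
    },
    {
      "role": "roles/pubsub.viewer",
      "members": ["user:ops-admin@example.internal"]
    }
  ],
  "etag": "BwYPLACEHOLDER=",
  "version": 1
}
"""


def publishers(policy):
    """Return every member that holds a role able to publish to the topic."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in PUBLISH_ROLES:
            members.update(binding.get("members", []))
    return members


def audit_topic_policy(policy, candidates=CANDIDATE_PRINCIPALS):
    """Compare the policy against the candidate principals.

    Returns granted/missing candidates (in the order given) and any public
    members that can publish.
    """
    can_publish = publishers(policy)
    return {
        "granted": [p for p in candidates if p in can_publish],
        "missing": [p for p in candidates if p not in can_publish],
        "public": sorted(can_publish & PUBLIC_MEMBERS),
    }


def audit_policy_json(text, candidates=CANDIDATE_PRINCIPALS):
    """Convenience wrapper: parse gcloud's JSON output, then audit it."""
    return audit_topic_policy(json.loads(text), candidates)


def grant_command(topic, principal):
    """The gcloud command that would add the missing publisher binding."""
    return (
        f"gcloud pubsub topics add-iam-policy-binding {topic} "
        f"--member={principal} --role=roles/pubsub.publisher"
    )


if __name__ == "__main__":
    # With a file argument, audit a real policy dump; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_POLICY_JSON
    result = audit_policy_json(text)
    topic = "projects/PROJECT_ID_REDACTED/topics/chat-space-events-v2"
    for p in result["granted"]:
        print(f"OK       {p}")
    for p in result["missing"]:
        print(f"MISSING  {p}\n         {grant_command(topic, p)}")
    for m in result["public"]:
        print(f"WARNING  topic is publishable by {m}; remove that binding")
```

Run it as `gcloud pubsub topics get-iam-policy projects/PROJECT_ID_REDACTED/topics/chat-space-events-v2 --format=json > policy.json && python audit.py policy.json`. It prints the `add-iam-policy-binding` command for whichever candidate is missing rather than applying it, so you can grant the second principal deliberately, re-run the subscription creation, and then remove whichever binding turned out to be unnecessary instead of leaving both in place.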