Stay organized with collections
Save and categorize content based on your preferences.
This document describes the access control options for Pub/Sub Lite.
Pub/Sub Lite uses Identity and Access Management for access control.
To give a user or application access to Pub/Sub Lite resources, grant
at least one predefined or custom role to
the user or the service account that the application uses. The roles include
permissions to perform specific actions on Pub/Sub Lite resources.
Predefined roles
The following table lists the predefined roles that give you access to
Pub/Sub Lite resources:
Role
Title
Description
Permissions
roles/pubsublite.admin
Pub/Sub Lite Admin
Full access to Lite topics and Lite subscriptions.
pubsublite.*
roles/pubsublite.editor
Pub/Sub Lite Editor
Modify Lite topics and Lite subscriptions, publish message to Lite topics, and
receive messages from Lite subscriptions.
pubsublite.*
roles/pubsublite.publisher
Pub/Sub Lite Publisher
Publish messages to Lite topics.
pubsublite.topics.getPartitions
pubsublite.topics.publish
pubsublite.locations.openKafkaStream
roles/pubsublite.subscriber
Pub/Sub Lite Subscriber
Receive messages from Lite subscriptions.
pubsublite.operations.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.seek
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.topics.computeHeadCursor
pubsublite.topics.computeMessageStats
pubsublite.topics.computeTimeCursor
pubsublite.topics.getPartitions
pubsublite.topics.subscribe
pubsublite.locations.openKafkaStream
roles/pubsublite.viewer
Pub/Sub Lite Viewer
View Lite topics and Lite subscriptions.
pubsublite.operations.get
pubsublite.operations.list
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.list
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions
Custom roles
Custom roles can include any permissions that you specify. You can create custom
roles that include permissions to perform specific administrative operations,
like updating Lite topics or deleting Lite subscriptions. To create custom
roles, see Creating and managing custom
roles.
The following table lists examples of custom roles:
Description
Permissions
Create and manage Lite reservations.
pubsublite.reservations.create
pubsublite.reservations.update
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.delete
Create and manage Lite topics.
pubsublite.topics.create
pubsublite.topics.update
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions
pubsublite.topics.delete
Create and manage Lite subscriptions.
pubsublite.subscriptions.create
pubsublite.topics.subscribe
pubsublite.subscriptions.update
pubsublite.subscriptions.get
pubsublite.subscriptions.list
pubsublite.subscriptions.delete
Create Lite topics and Lite subscriptions.
pubsublite.topics.create
pubsublite.subscriptions.create
pubsublite.topics.subscribe
Modify Lite topics and Lite subscriptions.
pubsublite.topics.update
pubsublite.subscriptions.update
Delete Lite topics and Lite subscriptions.
pubsublite.topics.delete
pubsublite.subscriptions.delete
Granting roles
You can grant roles to access Pub/Sub Lite resources at the project
level. For example, you can give a service account access to view any Lite topic
in a project, but you can't give a service account access to view a single Lite topic.
To grant a role on a project, you can use the Google Cloud console or the
Google Cloud CLI.
Console
To grant a role to a user, service account, or other member, follow these
steps:
You can also get a JSON or YAML file with the current IAM
policy, add multiple roles or members to the file, and then update the policy.
To read and manage the policy, use the Google Cloud CLI, the IAM API,
or the IAM. For details, see Controlling access
programmatically.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Access control with IAM\n\n| **Note:** Pub/Sub Lite is deprecated. Effective March 18, 2026, Pub/Sub Lite will be turned down. \n|\n| - Current customers: Pub/Sub Lite remains functional until March 18, 2026. \n| If you have not used Pub/Sub Lite within the 90-day period preceding July 15, 2025 (April 15, 2025 - July 15, 2025), you won't be able to access Pub/Sub Lite starting on July 15, 2025.\n| - New customers: Pub/Sub Lite is no longer available for new customers after September 24, 2024.\n|\n| You can migrate your Pub/Sub Lite service to\n| [Google Cloud Managed Service for Apache Kafka](/pubsub/lite/docs/migrate-pubsub-lite-to-managed-service-for-apache-kafka)\n| or [Pub/Sub](/pubsub/lite/docs/migrate-pubsub-lite-to-pubsub).\n\nThis document describes the access control options for Pub/Sub Lite.\nPub/Sub Lite uses [Identity and Access Management](/iam/docs) for access control.\n\nTo give a user or application access to Pub/Sub Lite resources, grant\nat least one [predefined](#predefined_roles) or [custom](#custom_roles) role to\nthe user or the service account that the application uses. The roles include\npermissions to perform specific actions on Pub/Sub Lite resources.\n\nPredefined roles\n----------------\n\nThe following table lists the predefined roles that give you access to\nPub/Sub Lite resources:\n\nCustom roles\n------------\n\nCustom roles can include any permissions that you specify. You can create custom\nroles that include permissions to perform specific administrative operations,\nlike updating Lite topics or deleting Lite subscriptions. To create custom\nroles, see [Creating and managing custom\nroles](/iam/docs/creating-custom-roles).\n\nThe following table lists examples of custom roles:\n\nGranting roles\n--------------\n\nYou can grant roles to access Pub/Sub Lite resources at the project\nlevel. For example, you can give a service account access to view any Lite topic\nin a project, but you can't give a service account access to view a single Lite topic.\n\nTo grant a role on a project, you can use the Google Cloud console or the\nGoogle Cloud CLI. \n\n### Console\n\nTo grant a role to a user, service account, or other member, follow these\nsteps:\n\n1. In the Google Cloud console, go to the IAM page.\n\n[Go to IAM](https://console.cloud.google.com/iam-admin)\n\n1. Click **Add**.\n\n2. Enter the email address of a user, service account, or other member.\n\n3. Select a role.\n\n4. Click **Save**.\n\n### gcloud\n\nTo grant a role to a user, service account, or other member, run the\n[`gcloud projects\nadd-iam-policy-binding`](/sdk/gcloud/reference/projects/add-iam-policy-binding)\ncommand: \n\n```bash\ngcloud projects add-iam-policy-binding PROJECT_ID \\\n--member=MEMBER \\\n--role=ROLE_ID\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eMEMBER\u003c/var\u003e: an [identifier for the\n member](/iam/docs/reference/rest/v1/Policy#Binding), like `serviceAccount:test123@example.domain.com`\n- \u003cvar translate=\"no\"\u003eROLE_ID\u003c/var\u003e: the name of the [predefined](#predefined_roles) or [custom](#custom_role) role\n\nYou can also get a JSON or YAML file with the current IAM\npolicy, add multiple roles or members to the file, and then update the policy.\nTo read and manage the policy, use the Google Cloud CLI, the IAM API,\nor the IAM. For details, see [Controlling access\nprogrammatically](/iam/docs/granting-changing-revoking-access#programmatic).\n\nWhat's next\n-----------\n\n- Get an [overview of IAM](/iam/docs/overview).\n- Refer to the [authentication methods that Pub/Sub Lite\n supports](/pubsub/lite/docs).\n- Learn more about [managing access to\n resources](/iam/docs/granting-changing-revoking-access)."]]
