Access Control for Google Cloud Pub/Sub


#1

I have successfully built a Proof of Concept to publish a Google Cloud Pub/Sub message sent from a Particle device (Argon in this case).

Argon.publish("my-topic","my-data",PRIVATE) -> 
Particle Cloud -> 
Google Cloud Pub Sub -> 
Firebase Functions ->
Firebase database

This scenario is exactly why I chose Particle boards over less feature-rich boards like Arduino . Thank you.

Problem: I want to restrict publishing to a specific account.

I have two Particle Accounts (say A & B). I only want account A to be able to publish to the topic, however, both A & B can publish. This also means anyone with a Particle account can publish to my topic.

Probable Cause: I granted publish access to a shared “public” Google Cloud service account per these instructions.

Once created, check the checkbox next to your topic name, and click on the “Permissions” button. Then, in the “Add members” box, paste in particle-public@particle-public.iam.gserviceaccount.com. Choose Pub/Sub Publisher from the the “Select a role” dropdown. When you’re done, click “Add.” Congrats, you’re all done!

Current Security: Hide the topic from others so they don’t know it exists. Not acceptable.

Possible Solution: Authorize my Particle cloud account to use a Google Cloud Service account that I create. I grant that service with publish rights in the google cloud, rather than particle-public@particle-public.iam.gserviceaccount.com.

Any guidance on existing features I am missing or future enhancements I can track is appreciated.

Thanks, Aaron