[Release] Google Cloud Pub/Sub

Well, that would be nice, but the next line in the log, which I didn’t copy, was that same ‘forbidden’ error. I’m still seeing a 100% error rate with nothing getting published.

VICTORY!

The secret was to create an allUsers member with publishing rights on the topic.

1 Like

Good find!

I have the same error you posted above with 100% error ratio. How did you create the allUsers member? When I go to “IAM and admin” and try to add a new member named “allUsers” it just gives me the error “Members of type allUsers and allAuthenticatedUsers cannot be added to this resource.” Did you do it some other way? I’ve tried everything else that was suggested, and I’ve been poking around on that site for hours trying to figure it out. I even tried adding the specific publishing rights to my existing member name.

They definitely have it buried. Here is one way to get there…

Make sure you have the right project selected.

Open the big navigation menu on the far left, next to the words “Google Cloud Platform” in the header of the dashboard.

Scroll down to the “Big Data” section and click on the Pub/Sub item. Choose the Topics subitem.

That takes you to your topic list; check the topic you set up.

Click the three stacked dots on that topic item and choose ‘permissions’ from the menu that opens.

You should get a panel on the right where you can “add users”. Type allUsers in that text box (it will probably give you a list by the time you get a few letters in there). Choose the role “Pub/Sub Publisher” and click Add.

1 Like

I appreciate you breaking down the steps for me. I followed that and got it working instantly. Thanks! It’s the first time I’ve looked into this; now I need to look into ways to use the data from this pub sub service.

1 Like

Glad it worked for you. I’m using this as a way to learn a bit about the Pub/Sub service and to get familiar with Splunk using the connector mentioned earlier in the thread. I already have another smartapp that’s pumping data to InfluxDB and being visualized in Grafana so I’m not sure I “need” this one but it’s a great way to get some harmless experience. Who knows, I may switch to this if I like it better.

1 Like

I’m having the same 403 Forbidden issue with my API key.

If you grant the permission allUsers does that not give anybody in the world access to publish messages to your topic? :scream:

So I have gone through the same steps to try and create an allUsers member, but get the same “Members of type allUsers and allAuthenticatedUsers cannot be added to this resource” error, whether I go through “IAM & admin” or through Topics -> Permissions as you described.

It also doesn’t matter which role I select, it is the allUsers that it doesn’t like.

I am signed in and have owner permissions. Any ideas?!


It’s been a really long time since I messed with this so I need to log in and re-familiarize myself with the process. Google may have tightened things down or made other changes to how the permissions work that make the way I did it obsolete. Give me a couple of days to get some free time; holidays will keep me busy this week.

Disregard an official note stated in PubSub Authentication (see: https://cloud.google.com/pubsub/docs/authentication#more-information for the quote):

Note: Cloud Pub/Sub does not support API keys as an authentication method.

In fact, it is still supported, though discouraged in favour of better techniques like OAuth and no longer available in access control UIs.

I believe it is supported silently for the cases when the upgrade is not feasible, like IoT devices that are out of developers’ reach (a case I have a chance to deal with).

You can still use Access Control APIs to enable it.

To allow (anonymous) unauthenticated user access for the publishing access to the topic (using the API key) you’ll need to set role roles/pubsub.publisher to allUsers for your resource (a topic identified as /projects/your-project-name/topics/your-topic-name/)

Example:

POST https://pubsub.googleapis.com/v1/{resource}:setIamPolicy

{
  "policy": {
    "bindings": [
      {
        "role": "roles/pubsub.publisher",
        "members": [
          "allUsers"
        ]
      }
    ]
  }
}

This will allow, having an API key, to publish to the topic without authentication. This is not wise but it is the only way to support obsolete devices still dependent on that feature and unable to use OAuth, for example.

More info:

  • List of all available roles related to the PubSub you can find here
  • You can set IAM policy for your topic here

You’re encouraged to upvote reference of this answer on Stackoverflow to help people who still need this permission but no longer have it on control UIs.
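An added example, not written by anyone in this thread: a check over topic IAM policies, in the same JSON shape as the setIamPolicy body above, that flags any role granted to allUsers or allAuthenticatedUsers and returns the policy with those members removed. The project, topic and service account names and both sample policies are constructed placeholders.

```python
"""Flag public principals in Pub/Sub topic IAM policies (constructed sample data)."""
import copy

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(resource, policy):
    """Return (resource, role, member) for every grant to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((resource, binding.get("role"), member))
    return findings


def strip_public_members(policy):
    """Return a copy without public members; bindings left empty are dropped."""
    cleaned = copy.deepcopy(policy)  # keeps other fields such as etag intact
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


def audit(policies):
    """Findings across all topics, in resource-name order."""
    return [f for res, pol in sorted(policies.items())
            for f in find_public_bindings(res, pol)]


# Constructed placeholders: hypothetical project, topics and service account.
SA = "serviceAccount:publisher@example-project.iam.gserviceaccount.com"
OPEN_TOPIC = "projects/example-project/topics/open-topic"
CLOSED_TOPIC = "projects/example-project/topics/closed-topic"
SAMPLE_POLICIES = {
    OPEN_TOPIC: {"bindings": [
        {"role": "roles/pubsub.publisher", "members": ["allUsers", SA]},
        {"role": "roles/pubsub.viewer", "members": ["allAuthenticatedUsers"]},
    ]},
    CLOSED_TOPIC: {"bindings": [
        {"role": "roles/pubsub.publisher", "members": [SA]},
    ]},
}

if __name__ == "__main__":
    for resource, role, member in audit(SAMPLE_POLICIES):
        print(f"PUBLIC: {member} has {role} on {resource}")
```

In practice the input would be each topic's policy as returned by the getIamPolicy call, and the cleaned policy would be written back with setIamPolicy.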