To use an existing subscription, we must look it up with pubsub.lookupSubscription(name).
This translates to ProjectsSubscriptionsResource.get in package:googleapis/pubsub/v1.dart, which requires the "Pub/Sub Viewer" role.
However, this role is not needed to actually pull messages. Pulling translates to ProjectsSubscriptionsResource.pull, for which the subscription name is enough, and it only requires "Pub/Sub Subscriber".
If code knows its subscriptions, it's more secure to run without the privilege of viewing all topics and subscriptions.
I propose making a method in PubSub to create a Subscription object from supplied parameters without looking up the subscription. Naming is hard though, because get is used in the underlying package to request it from the API, and create is used to create a subscription through the API.
The same problem likely applies to topics and publishing, although I haven't tried it yet.
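
The difference between the two calls, shown as an added example that is not part of the original issue or of package:gcloud: it pulls and acknowledges through ProjectsSubscriptionsResource using only a known subscription name and records which HTTP calls are made. The subscription name, ack ID and message payload are constructed, and a MockClient from package:http stands in for an authenticated client so the example runs offline.

```dart
// Added example, not code from package:gcloud or the original issue.
import 'dart:convert';

import 'package:googleapis/pubsub/v1.dart';
import 'package:http/http.dart' as http;
import 'package:http/testing.dart';

// Constructed, hypothetical subscription name.
const subscription = 'projects/example-project/subscriptions/example-sub';

Future<void> main() async {
  final calls = <String>[];

  // Offline stand-in for an authenticated client; records each API call.
  final client = MockClient((http.Request request) async {
    calls.add('${request.method} ${request.url.path}');
    final body = request.url.path.endsWith(':pull')
        ? jsonEncode({
            'receivedMessages': [
              {
                'ackId': 'constructed-ack-id',
                'message': {'data': base64.encode(utf8.encode('hello'))},
              }
            ]
          })
        : '{}';
    return http.Response(body, 200,
        headers: {'content-type': 'application/json'});
  });

  final subscriptions = PubsubApi(client).projects.subscriptions;

  // Pull with only the known name; no ProjectsSubscriptionsResource.get first.
  final response =
      await subscriptions.pull(PullRequest(maxMessages: 10), subscription);
  final received = response.receivedMessages ?? [];
  for (final m in received) {
    print(utf8.decode(m.message!.dataAsBytes));
  }

  final ackIds = received.map((m) => m.ackId!).toList();
  if (ackIds.isNotEmpty) {
    await subscriptions.acknowledge(
        AcknowledgeRequest(ackIds: ackIds), subscription);
  }

  // Print the recorded calls to see which API methods were requested.
  calls.forEach(print);
}
```

Against the real service, the MockClient would be replaced by an authenticated client whose service account holds only the subscriber role; the recorded call list is a quick way to confirm that no lookup request is issued on the pull path.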