Solved: Re: 403 error integrating Splunk with GCP Pubsub

vik_splunk · ‎01-21-2019

We are working on integrating splunk with GCP using the GCP-TA to ingest logs using the pubsub module.

We are encountering a 403 forbidden error as seen below. This is in the GCP pubsub log in the Splunk internal index.

We've checked the permissions of the service account and the relevant role access and nothing is amiss within GCP.

The JSON key has been tested for authentication and it works as expected.

The pdf document that accompanies the TA is not very descriptive or explicit about the permissions that the account will require.

Any ideas or advise on the relevant permissions or steps to address this will be appreciated! Thanks!

vik_splunk · ‎02-12-2019

We subsequently managed to resolve this issue by assigning elevated privileges to the GCP service account configured in Splunk.

bennagengast · ‎05-08-2019

I did a little trial/error with this and I believe the permissions required by the service account are

pubsub.subscriptions.get
resourcemanager.projects.get

as well as a PubSub IAMBinding for roles/pubsub.subscriber for the topic you're intending to subscribe to.

vik_splunk · ‎02-12-2019

We subsequently managed to resolve this issue by assigning elevated privileges to the GCP service account configured in Splunk.

403 error integrating Splunk with GCP Pubsub