I did a little trial/error with this and I believe the permissions required by the service account are
pubsub.subscriptions.get
resourcemanager.projects.get
as well as a PubSub IAMBinding for roles/pubsub.subscriber for the topic you're intending to subscribe to.
... View more