Pub/Sub, the start of more precise role management

Chloe (이다예슬)
Service Manager

As services grow and users increase, clearly distinguishing who can perform which tasks becomes increasingly important. Beyond simple permission assignment, it is time for a more precise permission management system that considers both operational efficiency and security.

Through the IAM update last July, KakaoCloud expanded service-specific dedicated permissions and enabled more granular role control at the organization and project levels.

Now, Pub/Sub continues this direction.

Core of this update: separating permissions by role

Since its initial release, Pub/Sub has reliably supported event delivery between applications and real-time data streaming as a serverless message queue. After the GA release in particular, it has been improved continuously, with Object Storage integration, more granular subscription statuses, and the application of an SLA.

In this update, a role-based access control (RBAC) system has been newly introduced to Pub/Sub to improve operational efficiency and security. Previously, permissions were granted collectively according to organization- or project-level role types. Now, detailed permissions such as message publishing, receiving, and resource viewing can be clearly separated based on the following four Pub/Sub-specific roles.

| Role name | Description |
| --- | --- |
| Pub/Sub Manager | Has full management permissions, including creating, modifying, and deleting topics and subscriptions, and publishing and receiving messages |
| Pub/Sub Publisher | Can publish messages to topics |
| Pub/Sub Subscriber | Can receive and process messages through subscriptions |
| Pub/Sub Viewer | Can only view topics and subscriptions |

Among these, Pub/Sub Manager is the highest-level role: it includes the Publisher, Subscriber, and Viewer permissions, and it also covers advanced features such as Object Storage export channel settings and subscription seek.

Changes to the Project Reader role

With the introduction of this role system, starting on September 19, 2025, Pub/Sub message receiving and processing permissions will be excluded from the Project Reader role. In other words, users who need to process messages must be granted the Pub/Sub Subscriber role separately. This change is intended to reduce unnecessary permission grants and make service operations safer according to the Principle of Least Privilege.
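The following is an added example, not KakaoCloud code: a small audit that finds principals who can receive messages today only through Project Reader and would therefore lose that ability after the change. The binding export format, the principal names and the consumer list are constructed assumptions, and only the roles named in this post are modeled.

```python
from collections import defaultdict

# From the post's role table: roles that can receive messages after the change.
RECEIVE_AFTER = {"Pub/Sub Manager", "Pub/Sub Subscriber"}
# Until the change takes effect, Project Reader also carries message receiving.
RECEIVE_BEFORE = RECEIVE_AFTER | {"Project Reader"}

# Constructed sample export of (principal, role) bindings for one project.
SAMPLE_BINDINGS = [
    ("svc-order-worker", "Project Reader"),
    ("alice", "Project Reader"),
    ("alice", "Pub/Sub Subscriber"),
    ("bob", "Project Reader"),
    ("svc-ingest", "Pub/Sub Publisher"),
    ("carol", "Project Reader"),
    ("carol", "Pub/Sub Manager"),
    ("svc-audit", "Project Reader"),
    ("svc-audit", "Pub/Sub Viewer"),
]
# Constructed list of principals known (e.g. from usage logs) to pull messages.
SAMPLE_CONSUMERS = {"svc-order-worker", "svc-audit", "alice"}

def roles_by_principal(bindings):
    """Group the flat binding list into principal -> set of roles."""
    roles = defaultdict(set)
    for principal, role in bindings:
        roles[principal].add(role)
    return roles

def losing_receive(bindings):
    """Principals that can receive before the change but not after it."""
    grouped = roles_by_principal(bindings)
    return sorted(
        p for p, roles in grouped.items()
        if roles & RECEIVE_BEFORE and not roles & RECEIVE_AFTER
    )

def remediation(bindings, consumers):
    """Grant Subscriber only to affected principals that really consume messages."""
    affected = losing_receive(bindings)
    return {
        "grant_subscriber": [p for p in affected if p in consumers],
        "no_action": [p for p in affected if p not in consumers],
    }

if __name__ == "__main__":
    for action, principals in remediation(SAMPLE_BINDINGS, SAMPLE_CONSUMERS).items():
        print(action, principals)
```

Granting Pub/Sub Subscriber rather than Pub/Sub Manager to the flagged consumers keeps the fix within least privilege, since Manager also carries create, modify, delete and publish permissions.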

KakaoCloud will continue improving each service's roles and permission systems to be more precise and more practical. We will help ensure that only the permissions necessary for service operations are granted safely and that both administrators and users clearly understand their roles and responsibilities.

Thank you.
