Stay organized with collections Save and categorize content based on your preferences.
This document describes how to create a Cloud Storage subscription. You can use the Google Cloud console, the Google Cloud CLI, the client library, or the Pub/Sub API to create a Cloud Storage subscription.
Before you beginBefore reading this document, ensure that you're familiar with the following:
The following is a list of guidelines regarding roles and permissions:
To create a subscription, you must configure access control at the project level.
You also need resource-level permissions if your subscriptions and topics are in different projects, as discussed later in this section.
To create a Cloud Storage subscription, either the Pub/Sub service agent or a custom service account must have permission to write to the specific Cloud Storage bucket and to read the bucket metadata. For more information about how to grant these permissions, see the next section of this document.
To get the permissions that you need to create Cloud Storage subscriptions, ask your administrator to grant you the Pub/Sub Editor (roles/pubsub.editor) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to create Cloud Storage subscriptions. To see the exact permissions that are required, expand the Required permissions section:
Required permissionsThe following permissions are required to create Cloud Storage subscriptions:
pubsub.subscriptions.create pubsub.topics.attachSubscription pubsub.subscriptions.consume pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.subscriptions.delete pubsub.subscriptions.getIamPolicy pubsub.subscriptions.setIamPolicyYou might also be able to get these permissions with custom roles or other predefined roles.
To let a principal in one project create a Cloud Storage subscription in another project, you must grant that principal the Pub/Sub Editor (roles/pubsub.editor) role in both projects. This provides the necessary permissions to create the new Google Cloud subscription and attach it to the original topic. The Pub/Sub Editor (roles/pubsub.editor) role on the topic also helps you attach Google Cloud subscriptions in a different project to the topic.
Some Google Cloud services have Google Cloud-managed service accounts that let the services access your resources. These service accounts are known as service agents. Pub/Sub creates and maintains a service agent for each project in the format service-project-number@gcp-sa-pubsub.iam.gserviceaccount.com.
You can choose between letting the Pub/Sub service agent or a custom service account permission to write to the Cloud Storage bucket.
Granting permission to the Pub/Sub service agent means that any user who has permission to create a subscription in your project can write to the Cloud Storage bucket. If you want to provide more granular permission for writing to the Cloud Storage bucket, configure a custom service account instead.
For more information about Cloud Storage IAM, see Cloud Storage Identity and Access Management.
Assign Cloud Storage roles to the Pub/Sub service agentIf you want to create a Cloud Storage subscription using the Pub/Sub service agent, then it must have permission to write to the specific Cloud Storage bucket and to read the bucket metadata.
Grant the Storage Object Creator (roles/storage.objectCreator) and Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) roles to the Pub/Sub service agent. Grant the permission on the individual bucket.
In the Google Cloud console, go to the Cloud Storage page.
Click the Cloud Storage bucket to which you would like to write messages.
The Bucket details page opens.
In the Bucket details page, click the Permissions tab.
In the Permissions > View by principals tab, click Grant access.
The Grant access page opens.
In the Add principals section, enter the name of your Pub/Sub service agent for the project containing the subscription.
The format of the service agent is service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com. For example, for a project with PROJECT_NUMBER=112233445566, the service agent is of the format service-112233445566@gcp-sa-pubsub.iam.gserviceaccount.com.
In the Assign roles > Select a role drop-down, enter Creator and select the Storage Object Creator role.
Click Add another role.
In the Select a role drop-down, enter Bucket Reader, and select the Storage Legacy Bucket Reader role.
Click Save.
In the Google Cloud console, go to the IAM page.
In the Permissions > View by principals tab, click Grant access.
The Grant access page opens.
In the Add principals section, enter the name of your Pub/Sub service agent.
The format of the service agent is service-PROJECT_NUMBER@gcp-sa-pubsub.iam.gserviceaccount.com. For example, for a project with PROJECT_NUMBER=112233445566, the service agent is of the format service-112233445566@gcp-sa-pubsub.iam.gserviceaccount.com.
In the Assign roles > Select a role drop-down, enter Storage Admin and select the Storage Admin role.
Click Save.
If you want to use a custom service account for writing to a Cloud Storage bucket, then you must set the following permissions:
iam.serviceAccounts.getAccessToken permission on the custom service account.iam.serviceAccounts.actAs permission on the custom service account.Create the service account and grant permissions with the following steps:
Create the custom service account. The service account must be in the same project as the subscription.
Grant the Storage Object Creator (roles/storage.objectCreator) and Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) roles to the custom service account.
You can grant the service account permission on a single table in the project or on all tables in the project. To do so, see the appropriate section in Assign Google Cloud roles to the Pub/Sub service agent. In the procedure, replace the Pub/Sub service agent email address with the custom service account email address.
Give the Pub/Sub service agent the iam.serviceAccounts.getAccessToken permission on the custom service account or on all service accounts in the project. You can grant this permission by giving the roles/iam.serviceAccountTokenCreator role to the Pub/Sub service agent.
Choose the appropriate method based on your requirements.
In the Google Cloud console, go to the Service accounts page.
Enter the name of the custom service account in the Filter.
Select the service account from the list.
Click Principals with access.
Click Grant access.
In the Add principals section, enter the name of your Pub/Sub service agent for the project containing the subscription. The format of the service agent is service-project-number@gcp-sa-pubsub.iam.gserviceaccount.com. For example, for a project with project-number=112233445566, the service agent is of the format service-112233445566@gcp-sa-pubsub.iam.gserviceaccount.com.
In the Select a role drop-down, enter Service Account, and select the Service Account Token Creator role.
Click Save.
In the Google Cloud console, go to the IAM page.
Click Grant access.
In the Add principals section, enter the name of your custom service account.
In the Assign roles section, click Add another role.
In the Select a role drop-down, enter Service Account, and select the Service Account Token Creator role.
Click Save.
If you created the custom service account, you should already have the necessary iam.serviceAccounts.actAs permission. If you need to grant someone else the permission on the service account:
In the Google Cloud console, go to the Service accounts page.
Enter the name of the custom service account in the Filter.
Select the service account from the list.
Click Principals with access.
Click Grant access.
In the Add principals section, enter the name the account to which you want to grant access.
In the Select a role drop-down, enter Service Account, and select the Service Account User role.
Click Save.
When you configure a Cloud Storage subscription, you must specify the properties common to all subscription types and some additional Cloud Storage subscription-specific properties.
Common subscription propertiesLearn about the common subscription properties that you can set across all subscriptions.
Bucket nameA Cloud Storage bucket must already exist before you create a Cloud Storage subscription.
The messages are sent as batches and stored in the Cloud Storage bucket. A single batch or file is stored as an object in the bucket.
The Cloud Storage bucket must have Requester Pays disabled.
To create a Cloud Storage bucket, see Create buckets.
Filename prefix, suffix, and datetimeThe output Cloud Storage files generated by the Cloud Storage subscription are stored as objects in the Cloud Storage bucket. The name of the object stored in the Cloud Storage bucket is of the following format: <file-prefix><UTC-date-time>_<uuid><file-suffix>.
The following list includes details of the file format and the fields that you can customize:
<file-prefix> is the custom filename prefix. This is an optional field.
<UTC-date-time> is a customizable auto-generated string based on the time the object is created.
<uuid> is an auto-generated random string for the object.
<file-suffix> is the custom filename suffix. This is an optional field. The filename suffix cannot end in "/".
You can change the filename prefix and suffix:
For example, if the value of the filename prefix is prod_ and the value of the filename suffix is _archive, a sample object name is prod_2023-09-25T04:10:00+00:00_uN1QuE_archive.
If you don't specify the filename prefix and suffix, the object name stored in the Cloud Storage bucket is of the format: <UTC-date-time>_<uuid>.
Cloud Storage object naming requirements also apply to the filename prefix and suffix. For more information, see About Cloud Storage objects.
You can change how the date and time are displayed in the filename:
Required datetime matchers that you can use only once: year (YYYY or YY), month (MM), day (DD), hour (hh), minute (mm), second (ss). For example, YY-YYYY or MMM is invalid.
Optional matchers that you can use only once: datetime separator (T) and and timezone offset (Z or +00:00).
Optional elements that you can use multiple times: hyphen (-), underscore (_), colon (:), and forward slash (/).
For example, if the value of the filename datetime format is YYYY-MM-DD/hh_mm_ssZ, a sample object name is prod_2023-09-25/04_10_00Z_uNiQuE_archive.
If the filename datetime format ends in a character which is not a matcher, that character will replace the separator between <UTC-date-time> and <uuid>. For example, if the value of the filename datetime format is YYYY-MM-DDThh_mm_ss-, a sample object name is prod_2023-09-25T04_10_00-uNiQuE_archive.
Cloud Storage subscriptions let you decide when you want to create a new output file that is stored as an object in the Cloud Storage bucket. Pub/Sub writes an output file when one of the specified batching conditions are met. The following are the Cloud Storage batching conditions:
Storage batch max duration. This is a required setting. The Cloud Storage subscription writes a new output file if the specified value of max duration is exceeded. If you don't specify the value, a default value of 5 minutes is applied. The following are the applicable values for max duration:
Storage batch max bytes. This is an optional setting. The Cloud Storage subscription writes a new output file if the specified value of max bytes is exceeded. The following are the applicable values for max bytes:
Storage batch max messages. This is an optional setting. The Cloud Storage subscription writes a new output file if the specified number of max messages is exceeded. The following are the applicable values for max messages:
For example, you can configure max duration as 6 minutes and max bytes as 2 GB. If at the 4th minute, the output file reaches a file size of 2 GB, Pub/Sub finalizes the previous file and starts writing to a new file.
A Cloud Storage subscription might write to multiple files in a Cloud Storage bucket simultaneously. If you have configured your subscription to create a new file every 6th minute, you might observe multiple Cloud Storage files being created every 6 minutes.
In some situations, Pub/Sub might start writing to a new file earlier than the time configured by the file batching conditions. A file might also exceed the Max bytes value if the subscription receives messages larger than the Max bytes value.
File formatWhen you create a Cloud Storage subscription, you can specify the format of the output files that are to be stored in a Cloud Storage bucket as Text or Avro.
Text: The messages are stored as plain text. A newline character separates a message from the previous message in the file. Only message payloads are stored, not attributes or other metadata.
Avro: The messages are stored in Apache Avro binary format. When you select Avro, you can enable the following additional properties:
Write metadata: This option lets you store the message metadata along with the message. Metadata such as subscription_name, message_id, publish_time, and attributes fields are written to top-level fields in the output Avro object while all other message properties other than data (for example, an ordering_key, if present) are added as entries in the attributes map.
If write metadata is disabled, only the message payload is written to the output Avro object. Here is the Avro schema for the output messages with write metadata disabled:
{
"type": "record",
"namespace": "com.google.pubsub",
"name": "PubsubMessage",
"fields": [
{ "name": "data", "type": "bytes" }
]
}
Here is the Avro schema for the output messages with write metadata enabled:
{
"type": "record",
"namespace": "com.google.pubsub",
"name": "PubsubMessageWithMetadata",
"fields": [
{ "name": "subscription_name", "type": "string" },
{ "name": "message_id", "type": "string" },
{ "name": "publish_time", "type": {
"type": "long",
"logicalType": "timestamp-micros"
}
},
{ "name": "attributes", "type": { "type": "map", "values": "string" } },
{ "name": "data", "type": "bytes" }
]
}
Use topic schema: This option lets Pub/Sub use the schema of the Pub/Sub topic to which the subscription is attached when writing Avro files.
When you use this option, remember to check the following additional requirements:
The topic schema must be in Apache Avro format.
If both use topic schema and write metadata are enabled, the topic schema must have a Record object at its root. Pub/Sub will expand the Record's list of fields to include the metadata fields. As a result, the Record cannot contain any fields with the same name as the metadata fields (subscription_name, message_id, publish_time, or attributes).
You have the following options to write messages to a BigQuery table or Cloud Storage bucket:
Configure a custom service account so that only users who have the iam.serviceAccounts.actAs permission on the service account can create a subscription that writes to the table or bucket. An example role that includes the iam.serviceAccounts.actAs permission is the Service Account User (roles/iam.serviceAccountUser) role.
Use the default Pub/Sub service agent that lets any user with the ability to create subscriptions in the project to create a subscription that writes to the table or bucket. The Pub/Sub service agent is the default setting when you don't specify a custom service account.
In the Google Cloud console, go to the Subscriptions page.
Click Create subscription.
For the Subscription ID field, enter a name.
For information about how to name a subscription, see Guidelines to name a topic or a subscription.
Choose or create a topic from the drop-down menu.
The subscription receives messages from the topic.
For information about how to create a topic, see Create and manage topics.
Select Delivery type as Write to Cloud Storage.
For the Cloud Storage bucket, click Browse.
You can select an existing bucket from any appropriate project.
You can also click the create icon and follow the instructions on the screen to create a new bucket.
After you create the bucket, select the bucket for the Cloud Storage subscription.
For more information about how to create a bucket, see Create buckets.
When you specify the bucket, Pub/Sub checks for the appropriate permissions on the bucket for the Pub/Sub service agent. If there are permissions issues, you see a message similar to the following: Unable to verify if the Pub/Sub service agent has write permissions on this bucket. You may be lacking permissions to view or set permissions.
If you get permission issues, click Set Permission and follow the on-screen instructions.
Alternatively, follow the instructions in Assign Cloud Storage roles to the Pub/Sub service agent.
For File format, select Text or Avro.
If you select Avro, you can also optionally specify if you want to store the message metadata in the output.
For more information about the two options including the message metadata option for the Avro format, see File format.
Optional: You can specify the File name prefix, suffix, and datetime for all your files that are to be written to the Cloud Storage bucket. A file is stored as an object in the bucket.
For more information about how to set the file prefix, suffix, and datetime, see Filename prefix, suffix, and datetime.
For File batching, specify a maximum time to elapse before creating a new file.
You can also optionally set the maximum file size or maximum number of messages for the files.
For more information about both file batching options, see File batching.
We strongly recommend that you enable Dead lettering to handle message failures.
For more information, see Dead letter topic.
You can keep the other settings as their defaults and click Create.
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
gcloud pubsub subscriptions create command.
gcloud pubsub subscriptions create SUBSCRIPTION_ID \
--topic=TOPIC_ID \
--cloud-storage-bucket=BUCKET_NAME \
--cloud-storage-file-prefix=CLOUD_STORAGE_FILE_PREFIX \
--cloud-storage-file-suffix=CLOUD_STORAGE_FILE_SUFFIX \
--cloud-storage-file-datetime-format=CLOUD_STORAGE_FILE_DATETIME_FORMAT \
--cloud-storage-max-duration=CLOUD_STORAGE_MAX_DURATION \
--cloud-storage-max-bytes=CLOUD_STORAGE_MAX_BYTES \
--cloud-storage-max-messages=CLOUD_STORAGE_MAX_MESSAGES \
--cloud-storage-output-format=CLOUD_STORAGE_OUTPUT_FORMAT \
--cloud-storage-write-metadata
--cloud-storage-use-topic-schema
If you want to use a custom service account, provide it as an additional argument:
gcloud pubsub subscriptions create SUBSCRIPTION_ID \
--topic=TOPIC_ID \
--cloud-storage-bucket=BUCKET_NAME \
--cloud-storage-file-prefix=CLOUD_STORAGE_FILE_PREFIX \
--cloud-storage-file-suffix=CLOUD_STORAGE_FILE_SUFFIX \
--cloud-storage-file-datetime-format=CLOUD_STORAGE_FILE_DATETIME_FORMAT \
--cloud-storage-max-duration=CLOUD_STORAGE_MAX_DURATION \
--cloud-storage-max-bytes=CLOUD_STORAGE_MAX_BYTES \
--cloud-storage-max-messages=CLOUD_STORAGE_MAX_MESSAGES \
--cloud-storage-output-format=CLOUD_STORAGE_OUTPUT_FORMAT \
--cloud-storage-write-metadata
--cloud-storage-use-topic-schema
--cloud-storage-service-account-email=SERVICE_ACCOUNT_NAME
In the command, only SUBSCRIPTION_ID, the --topic flag, and the --cloud-storage-bucket flag are required. The remaining flags are optional and can be omitted.
Replace the following:
SUBSCRIPTION_ID: The name or ID of your new Cloud Storage subscription.TOPIC_ID: The name or ID of your topic.BUCKET_NAME: Specifies the name of an existing bucket. For example, prod_bucket. The bucket name must not include the project ID. To create a bucket, see Create buckets.CLOUD_STORAGE_FILE_PREFIX: Specifies the prefix for the Cloud Storage filename. For example, log_events_.CLOUD_STORAGE_FILE_SUFFIX: Specifies the suffix for the Cloud Storage filename. For example, .txt.CLOUD_STORAGE_FILE_DATETIME_FORMAT: Specifies the datetime format for the Cloud Storage filename. For example, YYYY-MM-DD/hh_mm_ssZ.CLOUD_STORAGE_MAX_DURATION: The maximum duration that can elapse before a new Cloud Storage file is created. The value must be between 1m and 10m. For example, 5m.CLOUD_STORAGE_MAX_BYTES: The maximum bytes that can be written to a Cloud Storage file before a new file is created. The value must be between 1KB to 10GB. For example, 20MB.CLOUD_STORAGE_MAX_MESSAGES: The maximum number of messages that can be written to a Cloud Storage file before a new file is created. The value must be greater than or equal to 1000. For example, 100000.CLOUD_STORAGE_OUTPUT_FORMAT: The output format for data written to Cloud Storage. Values are as follows:
text: Messages are written as raw text, separated by a newline.avro: Messages are written as an Avro binary. --cloud-storage-write-metadata and --cloud-storage-use-topic-schema only affect subscriptions with output format avro.Before trying this sample, follow the C++ setup instructions in the Pub/Sub quickstart using client libraries. For more information, see the Pub/Sub C++ API reference documentation.
To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
C#Before trying this sample, follow the C# setup instructions in the Pub/Sub quickstart using client libraries. For more information, see the Pub/Sub C# API reference documentation.
To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
GoBefore trying this sample, follow the Go setup instructions in the Pub/Sub quickstart using client libraries. For more information, see the Pub/Sub Go API reference documentation.
To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
JavaBefore trying this sample, follow the Java setup instructions in the Pub/Sub quickstart using client libraries. For more information, see the Pub/Sub Java API reference documentation.
To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Node.jsBefore trying this sample, follow the Node.js setup instructions in the Pub/Sub quickstart using client libraries. For more information, see the Pub/Sub Node.js API reference documentation.
To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Node.jsBefore trying this sample, follow the Node.js setup instructions in the Pub/Sub quickstart using client libraries. For more information, see the Pub/Sub Node.js API reference documentation.
To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
PHPBefore trying this sample, follow the PHP setup instructions in the Pub/Sub quickstart using client libraries. For more information, see the Pub/Sub PHP API reference documentation.
To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
PythonBefore trying this sample, follow the Python setup instructions in the Pub/Sub quickstart using client libraries. For more information, see the Pub/Sub Python API reference documentation.
To authenticate to Pub/Sub, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Monitor a Cloud Storage subscriptionCloud Monitoring provides a number of metrics to monitor subscriptions.
For a list of all the available metrics related to Pub/Sub and their descriptions, see the Monitoring documentation for Pub/Sub.
You can also monitor subscriptions from within Pub/Sub.
What's nextTroubleshoot a Cloud Storage subscription.
Read about Cloud Storage.
Review pricing for Pub/Sub, including Cloud Storage subscription.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-02 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-10-02 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.5