Make explicit the Pub/Sub service account KMS role requirements for C…

…MEK.

Co-Authored-By: Riley Karson <[email protected]>

products/pubsub/api.yaml

@@ -44,7 +44,9 @@ objects:
         name: 'kmsKeyName'
         description: |
           The resource name of the Cloud KMS CryptoKey to be used to protect access
-          to messsages published on this topic.
+          to messsages published on this topic. Your project's PubSub service account
+          (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have
+          `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
           
           The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`
         input: true