diff --git a/products/pubsub/api.yaml b/products/pubsub/api.yaml
index 10ef00a50b81..33e789617749 100644
--- a/products/pubsub/api.yaml
+++ b/products/pubsub/api.yaml
@@ -44,7 +44,9 @@ objects:
 name: 'kmsKeyName'
 description: |
 The resource name of the Cloud KMS CryptoKey to be used to protect access
- to messsages published on this topic.
+ to messsages published on this topic. Your project's PubSub service account
+ (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have
+ `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
 The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`
 input: true
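Review bot: The added `kmsKeyName` description says the Pub/Sub service account "must have" the encrypter/decrypter role but not on which resource, so a reader may well bind it at project level and give the service agent access to every key in the project. I would end the sentence with the scope, e.g. `must be granted roles/cloudkms.cryptoKeyEncrypterDecrypter on that CryptoKey to use this feature.`, so the documented setup follows least privilege. The rewritten line also carries over the typo `messsages`, which could be corrected to `messages` in the same change. The property definition starts above the hunk, so I cannot see whether other fields of this object need a matching note.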