From 17cf4437f266d79b7fb2f2e645adb63c9a8faa59 Mon Sep 17 00:00:00 2001 From: Roberto Jung Drebes Date: Sat, 29 Jun 2019 23:42:12 +0200 Subject: [PATCH] Make explicit the Pub/Sub service account KMS role requirements for CMEK. Co-Authored-By: Riley Karson --- products/pubsub/api.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/products/pubsub/api.yaml b/products/pubsub/api.yaml index 10ef00a50b81..33e789617749 100644 --- a/products/pubsub/api.yaml +++ b/products/pubsub/api.yaml @@ -44,7 +44,9 @@ objects: name: 'kmsKeyName' description: | The resource name of the Cloud KMS CryptoKey to be used to protect access - to messsages published on this topic. + to messsages published on this topic. Your project's PubSub service account + (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must have + `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature. The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` input: true
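Review bot: The added sentence in the `kmsKeyName` description says the service account "must have `roles/cloudkms.cryptoKeyEncrypterDecrypter`" but does not say on which resource. Consider stating that the role is needed on the referenced CryptoKey, so that readers grant it at key scope rather than project-wide. The rewritten `+` line also carries over the typo "messsages" (should be "messages"), and "PubSub" differs from the "Pub/Sub" spelling used in the subject line. It is also worth confirming that the `{{PROJECT_NUMBER}}` placeholder comes out literally in the generated docs, in case double braces are treated as template syntax wherever this description is rendered.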