How to grant a serviceAccount the editor role only on their own pubsub subscriptions


I want a service account to be able to (at runtime) create a subscription and attach it to a specific topic, and then allow that serviceAccount to also get/update/delete/consume that specific subscription they just created, but not the other subscriptions in the project.

Is this possible? I don't see any way to grant a role to a principal only for the resources they created themselves. Since they'll create the resource at runtime, I can't ahead of time grant them the role on the resource, since it doesn't exist yet.

The only place I see I can grant them a role ahead of time is the project level, which grants them the role on ALL subscriptions, not just the ones they created themselves. I just want to give them pubsub.subscriptions.create at the project level, pubsub.topics.attachSubscription for a specific topic (already sorted), and then roles/pubsub.editor on their own subscription. It's that last one that I can't seem to figure out.
