You can sign up for the Private Preview waitlist here.
Prerequisites
To follow this guide, you will need:- An active ClickHouse Cloud service
- A GCP project containing the Pub/Sub topic you want to ingest from
- IAM permissions in that project to create service accounts and grant roles
Authentication model
ClickPipes for Pub/Sub authenticates with GCP using a service account JSON key. When you create a pipe, you upload the key file; ClickPipes encrypts it at rest and uses it at runtime to:- list and read topics in your project,
- create and delete the managed subscription ClickPipes uses to consume messages,
- consume messages from that subscription, and
- (optionally) read native Pub/Sub schemas from the schema registry.
Required permissions
ClickPipes requires the following IAM permissions on the GCP project that owns the topic. They cover the full pipe lifecycle: discovery (topic listing, validation, sampling), subscription management, steady-state ingestion, and cleanup.Topic access (discovery and validation)
Subscription lifecycle (discovery and ingestion)
Schema access (optional — only for native Avro/Protobuf topics)
Predefined roles
Setup
Create a custom role (recommended)
For least-privilege access, create a custom role with exactly the permissions ClickPipes needs. You can do this with thegcloud CLI:
Optional permissionsAppend
pubsub.schemas.get to the --permissions list if you ingest from topics that use native Pub/Sub Avro or Protobuf schemas. Leave it out otherwise to keep the role minimal.roles/pubsub.editor instead.
Create a service account
Create a dedicated service account for the ClickPipe:Grant the role to the service account
Bind the role you created (orroles/pubsub.editor) to the service account at the project level:
Create and download a service account key
Create a JSON key for the service account and download it locally:clickpipes-pubsub-key.json file in the ClickPipes UI when creating the pipe.
Treat the key as a secretService account keys grant access to your GCP project. Store the file securely, do not commit it to source control, and rotate it periodically. ClickPipes encrypts the key at rest after upload.
Notes
pubsub.topics.attachSubscriptionis required on the topic resource, not the subscription. This is commonly missed when granting only subscription-level permissions.- If your topic does not use a native Pub/Sub schema (Avro or Protobuf), the
pubsub.schemas.getpermission is not needed. - Managed subscriptions are named
clickpipes-{pipeID}with a 60s ack deadline, 7-day message retention, and message ordering enabled. - Ephemeral discovery subscriptions are named
clickpipes-discovery-{uuid}with a 10s ack deadline, 10-minute retention, and a 24-hour auto-expiry TTL. - ClickPipes treats
PermissionDeniedandUnauthenticatederrors as non-retryable — if a permission is missing, the pipe fails fast rather than retrying indefinitely.