chore(pubsub): add subscriber role test for streaming

[plamut]

Fixes #9382.

Pulling the messages using a streaming pull should work with accounts having only the pubsub.subscriber role. This commits adds a test that covers this aspect.

How to test

• Apply the following patch to the streaming pull manager:

  diff --git pubsub/google/cloud/pubsub_v1/subscriber/_protocol/streaming_pull_manager.py pubsub/google/cloud/pubsub_v1/subscriber/_protocol/streaming_pull_manager.py
  index d3b1d6f51eb..d73a6f9cdd8 100644
  --- pubsub/google/cloud/pubsub_v1/subscriber/_protocol/streaming_pull_manager.py
  +++ pubsub/google/cloud/pubsub_v1/subscriber/_protocol/streaming_pull_manager.py
  @@ -403,6 +403,7 @@ class StreamingPullManager(object):
          # the default stream ACK deadline should again be set based on the
          # historic ACK timing data, i.e. `self.ack_histogram.percentile(99)`.
          stream_ack_deadline_seconds = _DEFAULT_STREAM_ACK_DEADLINE
  +       subscription = self._client.api.get_subscription(self._subscription)
  
          get_initial_request = functools.partial(
              self._get_initial_request, stream_ack_deadline_seconds

• Run the new system test test_streaming_pull_subscriber_permissions_sufficient.

Expected result:
The test should fail (permission error), proving that it would catch the regression in #9339, and undoing the above patch makes the test pass.

[plamut]

@busunkim96 Let's talk offline on how to inject such service account into Kokoro environment, and how to do the same for the convenience of developers (we cannot commit the actual service account .json key file, of course).

[busunkim96]

There is now a service account with just Pub/Sub subscriber in ${KOKORO_GFILE_DIR}/pubsub-subscriber-service-account.json

You can set an environment variable in https://github.com/googleapis/google-cloud-python/blob/master/.kokoro/build.sh

I think there may actually be a way to use the existing service account to create a short-lived credential with only the Pub/Sub subscriber role. See https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-permissions and https://google-auth.readthedocs.io/en/latest/reference/google.auth.impersonated_credentials.html#module-google.auth.impersonated_credentials

This would also be nicer for developers trying to run the tests (they don't have to worry about having a separate service account with the correct role)

[plamut]

The test now correctly fails with 403 if the regression from #9339 is re-introduced.

I opted to not add the path to the special service account file in .kokoro/build.sh, as adding more test-specific stuff to the common config could eventually bloat it.

I haven't explored the short-lived service accounts for local development yet, I got around it by skipping the test if not inside the Kokoro environment (but that could still be faked locally, if needed).

[pradn]

Looks good. Thank you, Peter!

[plamut]

Yay, merging then.