# Access control with IAM (1st gen)
=================================

You (that is, the user or service account deploying the function) can set access control using roles at the project level. Grant a role to a project member or service account to determine the level of access to your Google Cloud project and its resources. By default, all Google Cloud projects come with a single user: the original project creator. No other users have access to the project, and therefore no access to functions, until a user is added as a project team member.

Access control for users
------------------------

You can add users as team members to your project and grant them roles using [Identity and Access Management (IAM)](/iam/docs/overview).

Cloud Run functions supports the [basic roles](/iam/docs/understanding-roles#basic) of **Editor**, **Owner**, and **Viewer**, which give the following permissions:

- **Editor** and **Owner**: Read and write access to all functions-related resources. Lets users deploy, update, and delete functions. Additional access to other resources in the project.
- **Viewer**: Read-only access to functions and locations. Lets users list functions and see their details, but does not let them view the source code. Additional access to other resources in the project.

Cloud Run functions also supports the Cloud Run functions [predefined **Developer** and **Viewer** roles](/functions/docs/reference/iam/roles), which give the following permissions:

- **Developer**: Read and write access to all functions-related resources. Lets users deploy, update, and delete functions. No access to other resources in the project.
- **Viewer**: Read-only access to functions and locations. Lets users list functions and see their details, but does not let them view the source code. No access to other resources in the project.

The basic roles grant far more than functions access, so prefer the predefined roles when a principal only needs to work with functions.

| **Note:** To write or access Cloud Run functions logs, a project member must also have the appropriate logging permissions. For more information, see the [Cloud Logging access control guide](/logging/docs/access-control).

Access control for service accounts
-----------------------------------

A [service account](/iam/docs/service-account-types) is a special type of Google Cloud account that acts as an identity for a non-human user that needs to authenticate and be authorized to access data and perform various actions. Some of these accounts are [created and managed by Google itself](/iam/docs/service-account-types#google-managed) and are known as [*service agents*](/iam/docs/service-agents).

The following service accounts are used for Cloud Run functions:

### Runtime service accounts

At runtime, Cloud Run functions defaults to using the App Engine default service account (`PROJECT_ID@appspot.gserviceaccount.com`), which has the **Editor** role on the project. Because Editor is a broad role, any code running as this account can reach most resources in the project. You can change the role of this service account to limit or extend the permissions for your running functions. You can also change which service account is used by [providing a non-default individual service account](/functions/1stgendocs/securing/function-identity#individual), which is the least-privilege option: give each function its own service account that holds only the roles its code needs.

To learn more about service accounts, see the [service accounts documentation](/iam/docs/understanding-service-accounts).

| **Note:** Authenticating as the runtime service account from inside your function might fail if you change the Cloud Run functions service account's permissions.

### Administrative service accounts

To perform administrative actions on your project during the creation, updating, or deletion of functions, all projects in Cloud Run functions require the Google Cloud Run functions Service Agent service account (`service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com`).

In addition, all runtimes carry out container image building and storage within your project. To support this, you also need to provision the following:

- The basic [Cloud Build service account](/build/docs/cloud-build-service-account) (`PROJECT_NUMBER@cloudbuild.gserviceaccount.com`)
- The [Cloud Build Service Agent service account](/iam/docs/understanding-roles#service-management-roles) (`service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com`)
- The [Google Container Registry Service Agent service account](/container-registry/docs/overview#container_registry_service_account) (`service-PROJECT_NUMBER@containerregistry.iam.gserviceaccount.com`)

These service accounts should have the roles listed in the earlier [table](#roles).

#### Google Cloud Run functions Service Agent service account

By default, the Google Cloud Run functions Service Agent service account (`service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com`) has the **cloudfunctions.serviceAgent** role on your project.

| **Warning:** If you remove the default role binding or modify the permissions granted to the Cloud Run functions Service Agent service account on your Google Cloud project, the Cloud Run functions create, update, and delete operations might fail.

You can see the full set of permissions that `cloudfunctions.serviceAgent` carries under the [predefined IAM roles](/iam/docs/understanding-roles#cloudfunctions.serviceAgent) or by running this command:

```bash
gcloud iam roles describe roles/cloudfunctions.serviceAgent
```

You can reset this service account to the default role by removing whatever role it has and adding the Cloud Run functions Service Agent role:

```bash
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member serviceAccount:service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \
  --role roles/cloudfunctions.serviceAgent
```

Troubleshooting permission errors
---------------------------------

If you get permission errors when you deploy, update, delete, or execute functions in your project, perform the following steps:

1. Make sure that you have the **Editor** or **Owner** role on your project, or that you are using the **Cloud Run functions Developer** role.

   If you are using the **Cloud Run functions Developer** role at the project level, also ensure that you have [granted the user the **IAM Service Account User** role](/functions/docs/reference/iam/roles#additional-configuration), which is needed to deploy a function that runs as the runtime service account.

   Only execution (invocation) permissions can be granted at the per-function level; deploy, update, and delete rights are project-level.
2. Verify that the Cloud Run functions Service Agent service account (`service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com`) has the **cloudfunctions.serviceAgent** role for your project.

   Make sure the **Include Google-provided role grants** box on the **Permissions** tab of the [Console IAM](https://console.cloud.google.com/iam-admin/iam/) page is checked to see this account. From the command line, list the bindings with `gcloud projects get-iam-policy PROJECT_ID` and, if the binding is missing, restore it with the `gcloud projects add-iam-policy-binding` command shown above.
3. Ensure that you have permissions for trigger sources, such as [Pub/Sub](/functions/1stgendocs/calling/pubsub) or [Cloud Storage](/functions/1stgendocs/calling/storage).

If you get an "insufficient permissions" error, or have other authentication problems when you run your functions, make sure that the runtime service account has the correct permissions to access the resources your functions need. Then, repeat steps 2 and 3.

If you get a "service unavailable" error during deployment, make sure that the runtime service account `PROJECT_ID@appspot.gserviceaccount.com` exists in your project. To recreate this service account if it was deleted, see [Undeleting a service account](/iam/docs/service-accounts-delete-undelete#undeleting).

See also [Troubleshooting Cloud Run functions](/functions/1stgendocs/troubleshooting).

Last updated: 2025-09-05 (UTC)
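As an added example, not part of the Google documentation and not a Google tool, the following script audits a project IAM policy, in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, for the conditions described in the sections above: which human principals can deploy functions and whether they get that right through a basic role or through Cloud Run functions Developer, Developer-role members that lack IAM Service Account User (troubleshooting step 1), a service agent that has lost `roles/cloudfunctions.serviceAgent` (step 2), and a runtime service account still holding the default Editor role. The project ID, project number, members and bindings in the embedded sample policy are constructed for illustration; `audit_users`, `audit_service_accounts` and `repair_command` are this example's own names.

```python
"""Audit a Google Cloud project's IAM policy for Cloud Run functions (1st gen).

Added example, not product code. Input is the JSON printed by
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json
import sys

# Roles named on the page: basic roles and the functions-specific predefined roles.
BASIC_DEPLOY_ROLES = {"roles/owner", "roles/editor"}
DEVELOPER_ROLE = "roles/cloudfunctions.developer"
READ_ONLY_ROLES = {"roles/viewer", "roles/cloudfunctions.viewer"}
SA_USER_ROLE = "roles/iam.serviceAccountUser"
SERVICE_AGENT_ROLE = "roles/cloudfunctions.serviceAgent"

# Constructed sample policy: hypothetical project, members and bindings.
# The service agent binding is deliberately absent and the App Engine default
# service account still carries the default Editor role.
SAMPLE_PROJECT_ID = "example-project"
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudfunctions.developer",
     "members": ["user:bob@example.com", "user:carol@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]},
    {"role": "roles/cloudfunctions.viewer", "members": ["user:dave@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ", "version": 1
}"""


def parse_policy(text):
    """Decode get-iam-policy JSON output into a dict."""
    return json.loads(text)


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit_users(policy):
    """Classify human principals by how they obtain deploy rights.

    Editor/Owner can deploy but also reach every other resource in the
    project; cloudfunctions.developer is scoped to functions. A Developer
    also needs iam.serviceAccountUser to deploy a function that runs as the
    runtime service account (troubleshooting step 1 on the page).
    """
    result = {"deploy_via_basic": [], "deploy_via_developer": [],
              "developer_missing_sa_user": [], "read_only": []}
    for member, roles in sorted(roles_by_member(policy).items()):
        if member.startswith("serviceAccount:"):
            continue  # service accounts are covered by audit_service_accounts
        if roles & BASIC_DEPLOY_ROLES:
            result["deploy_via_basic"].append(member)
        elif DEVELOPER_ROLE in roles:
            result["deploy_via_developer"].append(member)
            if SA_USER_ROLE not in roles:
                result["developer_missing_sa_user"].append(member)
        elif roles & READ_ONLY_ROLES:
            result["read_only"].append(member)
    return result


def audit_service_accounts(policy, project_id, project_number):
    """Check the service agent binding and the runtime service account's role."""
    agent = f"serviceAccount:service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com"
    runtime = f"serviceAccount:{project_id}@appspot.gserviceaccount.com"
    roles = roles_by_member(policy)
    findings = []
    if SERVICE_AGENT_ROLE not in roles.get(agent, set()):
        findings.append(f"MISSING: {agent} lacks {SERVICE_AGENT_ROLE}; "
                        "function create/update/delete operations may fail")
    if "roles/editor" in roles.get(runtime, set()):
        findings.append(f"OVERBROAD: runtime service account {runtime} holds roles/editor "
                        "(the default); deploy with a dedicated service account instead")
    return findings


def repair_command(project_id, project_number):
    """The binding-restore command from the page, with placeholders filled in."""
    return (f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member serviceAccount:service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com "
            f"--role {SERVICE_AGENT_ROLE}")


if __name__ == "__main__":
    # Usage: python audit.py [policy.json PROJECT_ID PROJECT_NUMBER]; no args runs the sample.
    if len(sys.argv) > 3:
        with open(sys.argv[1]) as fh:
            policy = parse_policy(fh.read())
        project_id, project_number = sys.argv[2], sys.argv[3]
    else:
        policy = parse_policy(SAMPLE_POLICY_JSON)
        project_id, project_number = SAMPLE_PROJECT_ID, SAMPLE_PROJECT_NUMBER
    print(json.dumps(audit_users(policy), indent=2))
    findings = audit_service_accounts(policy, project_id, project_number)
    for line in findings:
        print(line)
    if any(f.startswith("MISSING") for f in findings):
        print("Restore with:", repair_command(project_id, project_number))
```

On the sample, the script reports alice deploying through the basic Owner role, bob and carol through Developer with carol missing IAM Service Account User, dave as read-only, the service agent binding missing, and the runtime service account still on Editor; a real project is audited by saving `gcloud projects get-iam-policy PROJECT_ID --format=json` to a file and passing it with the project ID and number.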