Custom Service Account for Cloud Build (1st gen)
Cloud Run functions uses Cloud Build when building and deploying your Cloud Run function. By default, Cloud Run functions uses the default Cloud Build service account as the principal when performing your build. Starting in July 2024, Cloud Build changed the default behavior for how it uses service accounts in new projects. This change is detailed in Cloud Build Service Account Change. As a result, new projects deploying functions for the first time may be using a default Cloud Build service account with insufficient permissions for building a function. If you are impacted by this change, you can do one of the following:
- Review the Cloud Build guidance on changes to the default service account and opt out of these changes.
- Add the Cloud Build Service Account role (roles/cloudbuild.builds.builder) to the default Compute Engine service account.
- Create a custom Cloud Build service account for function deployments. This is the option with the narrowest permission footprint, and the rest of this document describes it.
This document describes how to pass in a user-created service account, to be used by Cloud Build, when deploying your function.
You can deploy functions with custom service accounts using the Google Cloud CLI, Google Cloud console, or the Cloud Run functions API.
Here are some scenarios where you may want to provide a different service account to be used when Cloud Build builds your function:
You want more control of which service accounts to add to your VPC-SC perimeter.
You want Cloud Build to run with different permissions than what the default service account has without having to revoke each permission individually.
You want to set granular Cloud Build permissions specifically for your functions, not share a Cloud Build service account that is optimized for other purposes.
Your organization disabled the usage of the default service account.
Enable APIs
This feature requires the IAM API to be enabled.
Use the Google Cloud CLI to enable the APIs needed to deploy a Cloud Run function, or use Google Cloud console:
gcloud services enable iam.googleapis.com
Configure Service Account
This document describes how to create a new service account and grant the required permissions. If you want to use an existing service account, you need the email address of the service account you plan to use. See configuring user-specified service accounts for details.
You can view your existing service accounts as follows, or use Google Cloud console:
gcloud iam service-accounts list
Create Service Account
Use the Google Cloud CLI to create your service account, or use Google Cloud console:
gcloud iam service-accounts create SA_NAME --project=PROJECT_ID
Replace SA_NAME with an ID for the new service account (6 to 30 characters: lowercase letters, digits and hyphens). The command takes an account ID, not an email address; the email address of the resulting account, used as SA_EMAIL in the remaining steps, is SA_NAME@PROJECT_ID.iam.gserviceaccount.com.
Grant Permissions
The service account you use needs the following roles:
- roles/logging.logWriter: required to store build logs in Cloud Logging.
- roles/artifactregistry.writer: required to store build images in Artifact Registry. For the default behavior, the service account needs access to repositories named "gcf-artifacts" and "cloud-run-source-deploy". Access to the repositories can be granted on each repository's IAM policy instead of project-wide. You can alternatively provide your own artifact repository through the dockerRepository field.
- roles/storage.objectViewer: required to retrieve the function source from the Cloud Storage bucket. For the default behavior, the service account needs read access to buckets named "gcf-sources-*". You can limit the grant to those buckets with an IAM condition on the role binding. Object resource names in IAM conditions have the form projects/_/buckets/BUCKET/objects/OBJECT, so the condition must match on that prefix rather than on the bare bucket name, for example:
(resource.type == "storage.googleapis.com/Object" && resource.name.startsWith("projects/_/buckets/gcf-sources-"))
- roles/storage.objectAdmin: required only if your builds still push images to Container Registry (now deprecated), which stores them in buckets named *.artifacts.PROJECT_ID.appspot.com. This is a broad role; do not grant it at project level if you only use Artifact Registry.
Grant the following roles using the Google Cloud CLI, or use Google Cloud console.
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:SA_EMAIL \
--role=roles/logging.logWriter
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:SA_EMAIL \
--role=roles/artifactregistry.writer
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:SA_EMAIL \
--role=roles/storage.objectViewer
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:SA_EMAIL \
--role=roles/storage.objectAdmin
Replace the following:
- PROJECT_ID: Your Google Cloud project ID.
- SA_EMAIL: The email address of your service account.
Deploy a function with a custom service account
You can use the Google Cloud CLI to deploy a function that uses a custom service account for Cloud Build:
- The --build-service-account flag specifies an IAM service account whose credentials will be used for the build step. If a custom service account is not provided, the function uses the project's default service account for Cloud Build.
- You can optionally use a private pool, which you specify using the --build-worker-pool flag.
gcloud functions deploy FUNCTION_NAME \
--no-gen2 \
--region=REGION \
--project=PROJECT_ID \
--runtime=RUNTIME \
--entry-point=CODE_ENTRYPOINT \
--build-service-account=projects/PROJECT_ID/serviceAccounts/SA_EMAIL \
--memory=256Mi \
--trigger-http \
--source=.
Replace the following:
- FUNCTION_NAME: The name of the function you are deploying.
- REGION: The name of the Google Cloud region where you want to deploy your function (for example, us-west1).
- PROJECT_ID: Your Google Cloud project ID.
- RUNTIME: The runtime ID of a supported runtime version to run your function, for example, nodejs18.
- CODE_ENTRYPOINT: The entry point to your function in your source code. This is the code that will be executed when your function runs.
- SA_EMAIL: The email address of your service account.
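The following script is an added example, not code from the original page or from Google; it strings the steps above (create the account, grant the roles, deploy, check) into one runnable procedure and tightens the grants further than the page's project-wide commands: the Cloud Storage read is scoped to the gcf-sources-* buckets with an IAM condition, and Artifact Registry write is granted on the two repositories the build uses rather than on the whole project. The function names, the DRY_RUN switch, and the gcf-builder, my-project and us-west1 values are assumptions for illustration; the repository and bucket names come from the page. The buildServiceAccount field read in the final check is assumed to be the v1 CloudFunction field that records the build account.

```shell
#!/bin/sh
# Added example (not from the original page): least-privilege setup of a
# custom Cloud Build service account for Cloud Run functions (1st gen).
# Set DRY_RUN=1 to print the gcloud commands instead of executing them.
set -eu

# run: execute a command, or just print it when DRY_RUN=1 (for review).
run() {
  if [ "${DRY_RUN:-}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# sa_email PROJECT_ID SA_NAME: the email gcloud derives from an account ID.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}

# create_build_sa PROJECT_ID SA_NAME (SA_NAME is an ID, not an email).
create_build_sa() {
  run gcloud iam service-accounts create "$2" --project="$1" \
    --display-name="Cloud Build account for Cloud Run functions (1st gen)"
}

# grant_build_sa_roles PROJECT_ID REGION SA_EMAIL
# Unconditional project bindings pass --condition=None explicitly: once any
# binding in the policy carries a condition, gcloud will not add an
# unconditional one non-interactively without it.
grant_build_sa_roles() {
  project=$1 region=$2 member="serviceAccount:$3"

  run gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role=roles/logging.logWriter --condition=None

  # Object resource names are projects/_/buckets/BUCKET/objects/OBJECT, so
  # the prefix in the condition carries that path, not the bare bucket name.
  cond='resource.type == "storage.googleapis.com/Object" && resource.name.startsWith("projects/_/buckets/gcf-sources-")'
  run gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role=roles/storage.objectViewer \
    --condition="expression=$cond,title=gcf-sources-only,description=Read function source uploads only"

  # Repository-level grants instead of roles/artifactregistry.writer on the
  # whole project; both default repositories live in the function's region.
  for repo in gcf-artifacts cloud-run-source-deploy; do
    run gcloud artifacts repositories add-iam-policy-binding "$repo" \
      --project="$project" --location="$region" \
      --member="$member" --role=roles/artifactregistry.writer
  done
}

# show_build_sa_bindings PROJECT_ID SA_EMAIL: project-level roles the account
# holds, with the condition title so the scoped grant is visible in review.
show_build_sa_bindings() {
  run gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="table(bindings.role,bindings.condition.title)"
}

# deploy_with_build_sa PROJECT_ID REGION FUNCTION_NAME RUNTIME ENTRYPOINT SA_EMAIL
# Same deploy command as the page, with the build account passed in the
# projects/PROJECT_ID/serviceAccounts/SA_EMAIL form the flag expects.
deploy_with_build_sa() {
  run gcloud functions deploy "$3" --no-gen2 --project="$1" --region="$2" \
    --runtime="$4" --entry-point="$5" \
    --build-service-account="projects/$1/serviceAccounts/$6" \
    --memory=256Mi --trigger-http --source=.
}

# verify_build_sa PROJECT_ID REGION FUNCTION_NAME: after deploying, confirm
# the function records the custom account (field name assumed from the v1 API).
verify_build_sa() {
  run gcloud functions describe "$3" --no-gen2 --project="$1" --region="$2" \
    --format="value(buildServiceAccount)"
}
```

Source the file, run it once with DRY_RUN=1 to read the exact bindings it will create, then run create_build_sa, grant_build_sa_roles, deploy_with_build_sa and verify_build_sa in that order with your own project, region and account ID. If a project already uses Container Registry, the objectAdmin grant from the page still has to be added separately; the script deliberately leaves it out.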