Authorize access with IAM (1st gen)
You use Identity and Access Management (IAM) to authorize identities to perform administrative actions on your functions, like creating, updating, and deleting them. You add principals (the identities you wish to enable, usually a user or service account email) to the function and then grant those principals the appropriate IAM roles. These roles include permissions that define the actions they are allowed to do.
Enabling access to a function
You can control actions on a function by granting or restricting roles to individual identities through IAM.
Adding principals and granting roles
Console
Go to the Google Cloud console:
Click the checkbox next to the function in which you are interested.
Click Permissions at the top of the screen. The Permissions panel opens.
Click Add principal.
In the New principals field, enter one or more identities that need access to your function. This is usually a user or service account email.
Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
Click Save.
gcloud
Use the gcloud functions add-iam-policy-binding
command:
gcloud functions add-iam-policy-binding FUNCTION_NAME \ --member=PRINCIPAL_ID \ --role=ROLE
where FUNCTION_NAME
is the function name,
PRINCIPAL_ID
is the principal's identifier, usually an email, and
ROLE
is the role.
For a list of sources that can provide a PRINCIPAL_ID
, see
the IAM concepts page.
For a list of acceptable values for ROLE
, see
the Cloud Run functions IAM Roles reference page.
Removing roles from principals
Console
Go to the Google Cloud console:
Click the checkbox next to the function in which you are interested.
Click Permissions at the top of the screen. The Permissions panel opens.
Search for the principal you want to remove. Look in every role the principal has been granted.
When you find the principal in the role you wish to delete, click the trash can icon next to it. If you wish to completely remove the principal's access, do this for every role the principal has been granted.
gcloud
Use the gcloud functions remove-iam-policy-binding
command:
gcloud functions remove-iam-policy-binding FUNCTION_NAME \ --member=PRINCIPAL_ID \ --role=ROLE
where FUNCTION_NAME
is the function name,
PRINCIPAL_ID
is the email address that identifies
the service account, prefaced with serviceAccount:
,
and ROLE
is the role.
For a list of acceptable sources for PRINCIPAL_ID
, see
the IAM concepts page.
For a list of possible values for ROLE
, see
the Cloud Run functions IAM Roles reference page.
If the principal has been granted multiple roles, make sure you specify the one you wish to remove.
Bulk addition of principals
Console
Go to the Google Cloud console:
Click the checkboxes next to the functions on which you want to grant or restrict access.
Click Permissions at the top of the screen. The Permissions panel opens.
To add principals:
Click Add principal.
In the New principals field, enter multiple identities that need access to your function.
Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
Click Save.
gcloud
Create an IAM policy named, for example, policy.json
:
{ "bindings": [ { "role": ROLE, "members": [ PRINCIPAL_ID ] } ] }
Use the gcloud functions set-iam-policy
command:
gcloud functions set-iam-policy FUNCTION_NAME policy.json
For a list of acceptable sources for PRINCIPAL_ID
, see
the IAM concepts page.
For a list of acceptable values for ROLE
, see
the Cloud Run functions IAM Roles reference page.
Viewing principals
Console
Go to the Google Cloud console:
Click the name of the function you are interested in.
Select the Permissions tab. The Permissions panel opens.
Select the View by principals tab to view a list of all principals with permissions on the selected function.
gcloud
Use the gcloud functions get-iam-policy
command:
gcloud functions get-iam-policy FUNCTION_NAME
Allowing unauthenticated HTTP function invocation
As of January 15, 2020, HTTP functions without Allow unauthenticated invocations enabled restrict access to end users and service accounts that don't have appropriate permissions.
To allow unauthenticated invocations you must specify this at or after deployment.
You use a special variant of the approach described earlier to grant unauthenticated invokers the ability to invoke an HTTP function.
At deployment
Console
Select Allow unauthenticated invocations in the Authentication section in the Trigger panel.
gcloud
The gcloud functions deploy
command includes a prompt to
help you configure invocation permissions during function creation. It can also
include the --allow-unauthenticated
flag:
gcloud functions deploy FUNCTION_NAME \ --no-gen2 \ --trigger-http \ --allow-unauthenticated \ ...
Subsequent deployments of the same function do not change its status, even if you do not use this flag.
After deployment
To allow unauthenticated invocation of a function, grant the
Cloud Functions Invoker role to the special allUsers
principal on the
function:
Console
Go to the Google Cloud console:
Click the checkbox next to the receiving function. (Don't click on the function itself.)
Click Permissions at the top of the screen. The Permissions panel opens.
Click Add principal.
In the New principals field, type
allUsers
.Select the role Cloud Functions > Cloud Functions Invoker from the Select a role drop-down menu.
In response to the dialog, click Allow public access.
gcloud
Use the gcloud functions add-iam-policy-binding
command to grant the
roles/cloudfunctions.invoker
role to the special allUsers
principal on
the function:
gcloud functions add-iam-policy-binding FUNCTION_NAME \ --member="allUsers" \ --role="roles/cloudfunctions.invoker"
See the
gcloud functions add-iam-policy-binding
reference
for more information about these fields.
Domain Restricted Sharing
If you are developing functions in a project that is subject to the Domain Restricted Sharing organization policy you will be unable to allow unauthenticated invocation of a function. This policy restricts public data sharing to reduce the risk of data exfiltration.
If you wish to deploy functions that permit unauthenticated invocation, we recommend that you remove the Domain Restricted Sharing organization policy on the project. Organization policies can be set at the organization, folder or project level.
Once you have created your function(s) that allow unauthenticated invocation, the organization policy can be re-enabled:
- Functions deployed before the organization policy has been re-enabled will continue to allow unauthenticated invocation.
- New versions of these existing functions can be deployed without requiring authenticated invocation.
- New functions that permit unauthenticated invocations cannot be deployed.
Controlling access on all functions in a project
If you want to grant roles on all functions in a project, you can grant these roles on the project.