You can set access control using roles at the project level. Assign a role to a project member or service account to determine the level of access to your Google Cloud Platform project and its resources. By default, all Google Cloud Platform projects come with a single user: the original project creator. No other users have access to the project, and therefore, access to functions, until a user is added as a project team member.
Access control for users
You can add users as team members to your project and assign them roles using Identity and Access Management (IAM).
Cloud Functions provides two custom roles:
- Cloud Functions developer: Read and write access to all functions-related resources. Allows users to deploy, update, and delete functions.
- Cloud Functions viewer: Read-only access to functions and locations. Allows users to list functions and see their details, but does not allow them to view the source code.
In addition, Cloud Functions supports primitive roles. The primitive roles Editor and Owner include all the capabilities of the custom Cloud Functions developer role. The primitive Viewer role includes all the capabilities of the custom Cloud Functions viewer role, and additionally allows for viewing the source code of functions.
Runtime service account
At runtime, Cloud Functions uses the service account PROJECT_ID@appspot.gserviceaccount.com, which by default has the Editor role on the project. You can change the roles of this service account to limit or extend the permissions for your running functions.
To learn more about service accounts, see the Service Accounts documentation.
Google APIs service account
For administrative actions on your project during the creation, updating, or deletion of functions, the Cloud Functions service uses the Google APIs service account PROJECT_NUMBER@cloudservices.gserviceaccount.com. By default, this service account has the Editor role on your project. Creating, updating, and deleting functions may fail if you reduce this account's permissions.
An example of an administrative action is creating an internal subscription to a Pub/Sub topic when you deploy a function triggered by that topic.
Troubleshooting permission errors
If you get permission errors when you deploy, update, or delete functions in your project, make sure that:
- You have the Cloud Functions developer, Editor, or Owner role on your project.
- The Google APIs service account (PROJECT_NUMBER@cloudservices.gserviceaccount.com) has the Editor role on your project.
- You have permissions for trigger sources, such as Pub/Sub or the Cloud Storage bucket triggering your function.
If you get an "insufficient permissions" error when you run your functions, make sure that the PROJECT_ID@appspot.gserviceaccount.com service account has the correct permissions.
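The checks in the two troubleshooting lists above, together with the runtime service account advice from the "Runtime service account" section, can be run mechanically against an exported IAM policy. The script below is an added example, not Google's own tooling: it audits a project policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, flags a deployer who lacks a deploy-capable role, a Google APIs service account that has lost Editor, and a runtime service account that either has no roles (the "insufficient permissions" case) or still holds a broad primitive role. The embedded policy is a constructed sample: the project id `my-project`, project number `123456789012` and all e-mail addresses are placeholders. The role IDs `roles/cloudfunctions.developer` and `roles/cloudfunctions.viewer` are the IAM identifiers of the two custom roles the page names by display name.

```python
"""Audit a project IAM policy against the Cloud Functions role requirements
described on this page. Added example, not Google's own tooling."""

import json

# Constructed sample policy (placeholder identities, not a real project), in the
# shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:owner@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com",
                 "serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
    {"role": "roles/cloudfunctions.developer",
     "members": ["user:dev@example.com"]},
    {"role": "roles/cloudfunctions.viewer",
     "members": ["user:auditor@example.com"]}
  ],
  "etag": "BwXyZ",
  "version": 1
}
"""

# Roles the page lists as sufficient to deploy, update and delete functions.
DEPLOY_ROLES = {"roles/cloudfunctions.developer", "roles/editor", "roles/owner"}
# Broad primitive roles; the page suggests narrowing the runtime account's roles.
BROAD_ROLES = {"roles/editor", "roles/owner"}


def sample_policy():
    """Parse the constructed sample policy into a dict."""
    return json.loads(SAMPLE_POLICY_JSON)


def roles_for_member(policy, member):
    """Return the set of roles bound to `member` (e.g. 'user:x@example.com')."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def can_deploy(policy, member):
    """True if the member holds a role that permits deploy/update/delete."""
    return bool(roles_for_member(policy, member) & DEPLOY_ROLES)


def google_apis_sa_has_editor(policy, project_number):
    """The Google APIs service account must keep Editor, or admin actions
    such as creating Pub/Sub subscriptions for triggers may fail."""
    sa = f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"
    return "roles/editor" in roles_for_member(policy, sa)


def runtime_sa_roles(policy, project_id):
    """Roles held by the runtime service account PROJECT_ID@appspot...."""
    sa = f"serviceAccount:{project_id}@appspot.gserviceaccount.com"
    return roles_for_member(policy, sa)


def audit(policy, project_id, project_number, deployer):
    """Return a list of findings; empty when every check passes."""
    findings = []
    if not can_deploy(policy, deployer):
        findings.append(f"{deployer} lacks a role that permits deploying functions")
    if not google_apis_sa_has_editor(policy, project_number):
        findings.append("Google APIs service account is missing roles/editor; "
                        "creating, updating and deleting functions may fail")
    runtime = runtime_sa_roles(policy, project_id)
    if not runtime:
        findings.append("runtime service account has no roles; functions may "
                        "fail with 'insufficient permissions'")
    elif runtime & BROAD_ROLES:
        broad = ", ".join(sorted(runtime & BROAD_ROLES))
        findings.append(f"runtime service account holds a broad primitive role "
                        f"({broad}); consider narrowing it to what the "
                        f"functions actually need")
    return findings


if __name__ == "__main__":
    pol = sample_policy()
    for finding in audit(pol, "my-project", "123456789012", "user:auditor@example.com"):
        print("FINDING:", finding)
```

Run against the sample with `user:auditor@example.com` as the would-be deployer, the audit reports two findings: the auditor holds only the viewer role, and the runtime service account still has the default Editor role. Swapping a real exported policy into `SAMPLE_POLICY_JSON` turns this into a quick pre-deployment check.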