You can set access control using roles at the project level. Assign a role to a project member or service account to determine the level of access to your Google Cloud Platform project and its resources. By default, all Google Cloud Platform projects come with a single user: the original project creator. No other users have access to the project, and therefore, access to functions, until a user is added as a project team member.
Access control for users
To give users the ability to create and manage your functions, you can add users as team members to your project and grant them permissions using Identity and Access Management (IAM) roles. Cloud Functions currently only supports primitive roles.
Primitive IAM roles
For Cloud Functions, a project member's role also controls the permissible actions in the gcloud beta functions commands that are used to deploy and manage applications. Each Primitive IAM role is listed with its permission, as follows:
| Role | Google Cloud Platform Permissions |
|---|---|
| Owner | All viewer and editor privileges, plus the ability to view deployed source code, invite users, change user roles, and delete an application. Has admin privileges to all resources in the project. |
| Editor | View function information and edit function settings. Has admin privileges to all resources in the project. |
| Viewer | View function information. Has admin privileges to all resources in the project. |
Using service accounts
Functions have the Editor role on the project at runtime. Reducing the permissions of the service account representing the identity of the function is not supported.
To learn more about service accounts, please read the Service Accounts documentation.
