Access Control

You can set access control using roles at the project level. Assign a role to a project member or service account to determine the level of access to your Google Cloud Platform project and its resources. By default, all Google Cloud Platform projects come with a single user: the original project creator. No other users have access to the project, and therefore, access to functions, until a user is added as a project team member.

Access control for users

You can add users as team members to your project and assign them roles using Identity and Access Management (IAM).

Cloud Functions supports the primitive roles Editor, Owner, and Viewer, which grant the following permissions:

  • Editor and Owner: Read and write access to all functions-related resources. Allows users to deploy, update, and delete functions. Additional access to other resources in the project.
  • Viewer: Read-only access to functions and locations. Allows users to list functions and see their details, but does not allow them to view the source code. Additional access to other resources in the project.

Cloud Functions also supports the Cloud Functions curated roles Developer and Viewer, which grant the following permissions:

  • Developer: Read and write access to all functions-related resources. Allows users to deploy, update, and delete functions. No access to other resources in the project.
  • Viewer: Read-only access to functions and locations. Allows users to list functions and see their details, but does not allow them to view the source code. No access to other resources in the project.

Runtime service account

At runtime, Cloud Functions uses the service account PROJECT_ID@appspot.gserviceaccount.com, which has the Editor role on the project. You can change the roles of this service account to limit or extend the permissions for your running functions.

To learn more about service accounts, see the Service Accounts documentation.

Cloud Functions service account

For administrative actions on your project during the creation, updating, or deletion of functions, the Cloud Functions service uses a per-project, Cloud Functions service account service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com.

By default, this service account has the cloudfunctions.serviceAgent role on your project. Creating, updating, and deleting functions may fail if you change this account's permissions.

The cloudfunctions.serviceAgent role has the following permissions:

Permission Description
pubsub.subscriptions.* Manage subscriptions in the user's project.
pubsub.topics.create Create a new topic once a function is deployed.
pubsub.topics.attachSubscription Attach subscription to an existing topic.
pubsub.topics.get Get the existing topic on which the function should be triggered.
iam.serviceAccounts.actAs Run the function as the runtime service account.
iam.serviceAccounts.{getAccessToken, signBlob} Ability to get runtime service account credentials.
resourcemanager.projects.getIamPolicy Determine the function origin.
firebasedatabase.instances.{get, update} Create functions triggered by the Firebase Realtime Database.
storage.buckets.{get, update},
resourcemanager.projects.get
Create functions triggered by a Cloud Storage bucket.

You can reset this service account to the default role by re-enabling the Cloud Functions API:

gcloud services enable cloudfunctions.googleapis.com

Troubleshooting permission errors

If you get permission errors when you deploy, update, delete, or execute functions in your project, make sure that:

  • You have the Editor or Owner role on your project, or are using the Cloud Functions Developer role. If you are using the Cloud Functions Developer role, ensure that you have granted the user the IAM Service Account User role.
  • The Cloud Functions service account (service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com) has the cloudfunctions.serviceAgent role on your project.
  • You have permissions for trigger sources, such as Pub/Sub or the Cloud Storage bucket triggering your function.

If you get an ”insufficient permissions” error, or have other authentication problems when you run your functions, make sure that the runtime service account has the correct permissions to access the resources your functions need and then follow steps 2 and 3 above.

If you get a ”service unavailable” error during deployment, make sure that the runtime service account PROJECT_ID@appspot.gserviceaccount.com exists in your project. This thread on Stack Overflow discusses how to recreate this service account if it was deleted.

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Functions Documentation