You can set access control using roles at the project level. Assign a role to a project member or service account to determine the level of access to your Google Cloud Platform project and its resources. By default, all Google Cloud Platform projects come with a single user: the original project creator. No other users have access to the project, and therefore, access to functions, until a user is added as a project team member.
Access control for users
You can add users as team members to your project and assign them roles using Identity and Access Management (IAM).
Cloud Functions supports the basic roles Editor, Owner, and Viewer, which grant the following permissions:
- Editor and Owner: Read and write access to all functions-related resources. Allows users to deploy, update, and delete functions. Additional access to other resources in the project.
- Viewer: Read-only access to functions and locations. Allows users to list functions and see their details, but does not allow them to view the source code. Additional access to other resources in the project.
Cloud Functions also supports the Cloud Functions curated roles Developer and Viewer, which grant the following permissions:
- Developer: Read and write access to all functions-related resources. Allows users to deploy, update, and delete functions. No access to other resources in the project.
- Viewer: Read-only access to functions and locations. Allows users to list functions and see their details, but does not allow them to view the source code. No access to other resources in the project.
Access control for service accounts
A service account is a special type of Google account that acts as an identity for a non-human user that needs to authenticate and be authorized to access data and perform various actions.
The following service accounts are used for all Cloud Functions runtimes:
| Name | Member ID | Role |
|---|---|---|
| App Engine default service account | PROJECT_ID@appspot.gserviceaccount.com |
Editor |
| Google Cloud Functions Service Agent | service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com |
Cloud Functions Service Agent |
In addition, for all runtimes except Node.js 8 and Go 1.11, the following service accounts are required:
| Name | Member ID | Role |
|---|---|---|
| — | PROJECT_NUMBER@cloudbuild.gserviceaccount.com |
Cloud Build Service Account |
| Cloud Build Service Account | service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com |
Cloud Build Service Agent |
| Google Container Registry Service Agent | service-PROJECT_NUMBER@containerregistry.iam.gserviceaccount.com |
Container Registry Service Agent |
Runtime service accounts
At runtime, Cloud Functions defaults to using the App Engine default service
account (PROJECT_ID@appspot.gserviceaccount.com), which has the Editor
role on the project. You can change the roles of this service account to limit
or extend the permissions for your running functions. You can also change which
service account is used by
providing a non-default service account on a per-function basis.
To learn more about service accounts, see the Service Accounts documentation.
Administrative service accounts
In order to perform administrative actions on your project during the creation,
updating, or deletion of functions, all projects in Cloud Functions
require the Google Cloud Functions Service Agent service account
(service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com).
In addition, all runtimes except Node.js 8 and Go 1.11 carry out container image building and storage within your project. In this case, you also need to provision:
- The basic Cloud Build service account (
PROJECT_NUMBER@cloudbuild.gserviceaccount.com) - The Cloud Build Service Agent service account (
service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com) - The Google Container Registry Service Agent service account (
service-PROJECT_NUMBER@containerregistry.iam.gserviceaccount.com)
These service accounts should have the roles listed in the table above.
Google Cloud Functions Service Agent service account
By default, the Google Cloud Functions Service Agent service account
(service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com has
the cloudfunctions.serviceAgent role on your project. Creating, updating,
and deleting functions may fail if you change this account's permissions.
The cloudfunctions.serviceAgent role has the following permissions:
| Permission | Description |
|---|---|
pubsub.subscriptions.* |
Manage subscriptions in the user's project. |
pubsub.topics.create |
Create a new topic once a function is deployed. |
pubsub.topics.attachSubscription |
Attach subscription to an existing topic. |
pubsub.topics.get |
Get the existing topic on which the function should be triggered. |
pubsub.subscriptions.get |
Get the subscription that triggers the function. |
pubsub.topics.list |
Required for checking the existence of Pub/Sub topic. |
iam.serviceAccounts.{getAccessToken, signBlob} |
Ability to get runtime service account credentials. |
iam.serviceAccounts.getOpenIdToken |
Needed for the agent to get an OpenID token on a user-specified authority. OpenID token is used for invoking IAM enabled functions. |
resourcemanager.projects.get |
Get the project details. |
resourcemanager.projects.getIamPolicy |
Determine the function origin. |
firebasedatabase.instances.{get, update} |
Create functions triggered by the Firebase Realtime Database. |
storage.buckets.{get, update} |
Configure notifications on a GCS bucket that will trigger a function. |
storage.buckets.create,storage.objects.{delete, get, create, list} |
Required for storing source code in user project. |
clientauthconfig.clients.list |
List OAuth clients of the project for IAM guarded HTTP function. |
cloudfunctions.functions.invoke |
Invoke a IAM guarded HTTP function. |
compute.globalOperations.get,compute.networks.access,vpcaccess.connectors.{get, use} |
Provision functions with access to the consumer projects VPC. |
cloudbuild.customworkers.builder |
Create builds in Cloud Build custom workers. |
cloudbuild.builds.editor,serviceusage.services.use |
Required to use Cloud Build to perform builds in user project. |
You can reset this service account to the default role by removing whatever role it currently has, and adding the Cloud Functions Service Agent role:
gcloud projects add-iam-policy-binding PROJECT_ID \ --member serviceAccount:service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com \ --role roles/cloudfunctions.serviceAgent
Troubleshooting permission errors
If you get permission errors when you deploy, update, delete, or execute functions in your project, perform the following steps:
- Make sure that you have the Editor or Owner role on your project, or
that you are using the Cloud Functions Developer role.
If you are using the Cloud Functions Developer role, also ensure that you have granted the user the IAM Service Account User role. - Verify that the Cloud Functions service account
(
service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com) has the cloudfunctions.serviceAgent role for your project. - Ensure that you have permissions for trigger sources, such as Pub/Sub or Cloud Storage.
If you get an ”insufficient permissions” error, or have other authentication problems when you run your functions, make sure that the runtime service account has the correct permissions to access the resources your functions need, then follow steps 2 and 3 above.
If you get a ”service unavailable” error during deployment, make
sure that the runtime service account PROJECT_ID@appspot.gserviceaccount.com
exists in your project. See undeleting a service account
to recreate this service account if it was deleted.
See also Troubleshooting Cloud Functions.