Cloud Functions IAM Roles
Predefined roles
The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Functions, and lists the permissions that are contained in each role.
Roles can be granted to users on an entire project or on individual functions. Read Managing Access via IAM to learn more.
Cloud Functions roles
Role | Description | Permissions |
---|---|---|
Cloud Functions Admin | Full access to functions, operations and locations. | cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.* eventarc.* recommender.locations.* recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Functions Developer | Read and write access to all functions-related resources. | cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.call cloudfunctions. cloudfunctions. cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list cloudfunctions. cloudfunctions. cloudfunctions. cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list eventarc. eventarc. eventarc. eventarc. eventarc. eventarc. eventarc.channels.attach eventarc.channels.create eventarc.channels.delete eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc.channels.publish eventarc.channels.undelete eventarc.channels.update eventarc. eventarc.locations.* eventarc.operations.* eventarc.providers.* eventarc.triggers.create eventarc.triggers.delete eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list eventarc.triggers.undelete eventarc.triggers.update recommender.locations.* recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.* run.jobs.create run.jobs.delete run.jobs.get run.jobs.getIamPolicy run.jobs.list run.jobs.run run.jobs.runWithOverrides run.jobs.update run.locations.list run.operations.* run.revisions.* run.routes.* run.services.create run.services.delete run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.services.update run.tasks.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Cloud Functions Invoker | Ability to invoke HTTP functions with restricted access. | cloudfunctions. |
Cloud Functions Viewer | Read-only access to functions and locations. | cloudbuild.builds.get cloudbuild.builds.list cloudfunctions.functions.get cloudfunctions. cloudfunctions.functions.list cloudfunctions.locations.* cloudfunctions.operations.* cloudfunctions.runtimes.list eventarc. eventarc. eventarc. eventarc.channels.get eventarc.channels.getIamPolicy eventarc.channels.list eventarc. eventarc.locations.* eventarc.operations.get eventarc.operations.list eventarc.providers.* eventarc.triggers.get eventarc.triggers.getIamPolicy eventarc.triggers.list recommender.locations.* recommender. recommender. recommender. recommender. recommender. recommender. recommender. recommender. remotebuildexecution.blobs.get resourcemanager.projects.get resourcemanager.projects.list run.configurations.* run.executions.get run.executions.list run.jobs.get run.jobs.getIamPolicy run.jobs.list run.locations.list run.operations.get run.operations.list run.revisions.get run.revisions.list run.routes.get run.routes.list run.services.get run.services.getIamPolicy run.services.list run.services.listEffectiveTags run.services.listTagBindings run.tasks.* serviceusage.quotas.get serviceusage.services.get serviceusage.services.list |
Custom roles
For developers who want to define their own roles containing the specific bundles of permissions they need, IAM offers custom roles.
If such a role contains permissions that let a developer deploy functions, you must also perform the additional configuration described in the next section.
Additional configuration for deployment
To assign a user the Cloud Functions Admin (roles/cloudfunctions.admin) or Cloud Functions Developer (roles/cloudfunctions.developer) role, or a custom role that can deploy functions, you must also assign the user the Service Account User IAM role (roles/iam.serviceAccountUser) on the Cloud Functions runtime service account.
Console
1. Go to the Google Cloud console.
2. Select a project to display the runtime service accounts associated with it.
3. Select the desired runtime service account from the Email column in the table:
   - For 1st gen, the default runtime service account is PROJECT_ID@appspot.gserviceaccount.com.
   - For 2nd gen, the default runtime service account is PROJECT_NUMBER-compute@developer.gserviceaccount.com.
4. Display the Permissions tab.
5. Click Grant Access.
6. Enter the member (for example, a user or group email) that you're granting the Admin or Developer role to.
7. Under Assign Roles > Role, choose Service Accounts > Service Account User.
8. Click Save.
gcloud
1st gen:
```shell
gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_ID@appspot.gserviceaccount.com \
  --member MEMBER \
  --role roles/iam.serviceAccountUser
```
2nd gen:
```shell
gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --member MEMBER \
  --role roles/iam.serviceAccountUser
```
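As an added example (not Google's code), the check a practitioner would run before or after handing out the Admin or Developer role: parse the project and runtime-service-account IAM policies in the JSON shape that `gcloud ... get-iam-policy --format=json` returns, then report which deploy-capable members still lack Service Account User on the runtime service account, and which hold it project-wide instead (that satisfies the deploy requirement, but lets them act as every service account in the project rather than just the runtime one the page grants it on). The sample policies, member names and etags are constructed.

```python
import json

# Role IDs named on the page; the runtime SA address is the page's 1st gen placeholder.
DEPLOY_ROLES = {"roles/cloudfunctions.admin", "roles/cloudfunctions.developer"}
SA_USER_ROLE = "roles/iam.serviceAccountUser"
RUNTIME_SA = "PROJECT_ID@appspot.gserviceaccount.com"

# Constructed sample policies, in the JSON shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json` and
# `gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json`.
PROJECT_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/cloudfunctions.developer",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/cloudfunctions.admin",
     "members": ["group:platform-admins@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["group:platform-admins@example.com"]},
    {"role": "roles/cloudfunctions.viewer", "members": ["user:carol@example.com"]}
  ],
  "etag": "BwXconstructed=", "version": 1
}"""
RUNTIME_SA_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser", "members": ["user:alice@example.com"]}
  ],
  "etag": "BwYconstructed=", "version": 1
}"""

def members_with_roles(policy: dict, roles: set) -> set:
    """Return every member bound to any of `roles` in an IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in roles:
            found.update(binding.get("members", []))
    return found

def audit_deployers(project_policy: dict, runtime_sa_policy: dict) -> dict:
    """Split deploy-capable members into: lacking Service Account User (deploys fail),
    holding it on the runtime SA only (the page's setup), or holding it project-wide."""
    deployers = members_with_roles(project_policy, DEPLOY_ROLES)
    on_sa = members_with_roles(runtime_sa_policy, {SA_USER_ROLE})
    project_wide = members_with_roles(project_policy, {SA_USER_ROLE})
    return {"missing": sorted(deployers - on_sa - project_wide),
            "scoped_to_runtime_sa": sorted(deployers & on_sa),
            "project_wide": sorted(deployers & project_wide)}

def run_audit() -> dict:
    """Audit the constructed sample policies (the report keys are printed by main)."""
    return audit_deployers(json.loads(PROJECT_POLICY_JSON), json.loads(RUNTIME_SA_POLICY_JSON))

if __name__ == "__main__":
    for key, members in run_audit().items():
        print(f"{key} ({RUNTIME_SA}): {members or '-'}")
```

Members listed under `missing` are the ones the gcloud commands above fix; members under `project_wide` work but deserve review against the per-service-account grant the page describes.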
Optional permissions for Cloud Functions users
The following optional permissions can be considered when configuring accounts with a minimal permission set:
- monitoring.timeSeries.list on the project level. Typically assigned through the roles/monitoring.viewer role. It allows users to access metrics generated by their functions. For more information, go to the Stackdriver documentation for Access Control.
- logging.logEntries.list on the project level. Typically assigned through the roles/logging.viewer role. It allows users to access logs generated by their functions. For more information, go to the Access Control guide in the Stackdriver Logging documentation.