Stay organized with collections Save and categorize content based on your preferences.

Cloud Functions IAM Roles

Predefined roles

The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Functions, and lists the permissions that are contained in each role.

Roles can be granted to users on an entire project or on individual functions. Read Managing Access via IAM to learn more.

Cloud Functions roles

Role Permissions

(roles/cloudfunctions.admin)

Full access to functions, operations and locations.

Contains 9 owner permissions

cloudbuild.builds.get

cloudbuild.builds.list

cloudfunctions.*

  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.getIamPolicy
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.setIamPolicy
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.get
  • cloudfunctions.locations.list
  • cloudfunctions.operations.get
  • cloudfunctions.operations.list
  • cloudfunctions.runtimes.list

eventarc.*

  • eventarc.channelConnections.create
  • eventarc.channelConnections.delete
  • eventarc.channelConnections.get
  • eventarc.channelConnections.getIamPolicy
  • eventarc.channelConnections.list
  • eventarc.channelConnections.publish
  • eventarc.channelConnections.setIamPolicy
  • eventarc.channels.attach
  • eventarc.channels.create
  • eventarc.channels.delete
  • eventarc.channels.get
  • eventarc.channels.getIamPolicy
  • eventarc.channels.list
  • eventarc.channels.publish
  • eventarc.channels.setIamPolicy
  • eventarc.channels.undelete
  • eventarc.channels.update
  • eventarc.events.receiveAuditLogWritten
  • eventarc.events.receiveEvent
  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update
  • eventarc.locations.get
  • eventarc.locations.list
  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.providers.get
  • eventarc.providers.list
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.setIamPolicy
  • eventarc.triggers.undelete
  • eventarc.triggers.update

recommender.locations.*

  • recommender.locations.get
  • recommender.locations.list

recommender.runServiceIdentityInsights.*

  • recommender.runServiceIdentityInsights.get
  • recommender.runServiceIdentityInsights.list
  • recommender.runServiceIdentityInsights.update

recommender.runServiceIdentityRecommendations.*

  • recommender.runServiceIdentityRecommendations.get
  • recommender.runServiceIdentityRecommendations.list
  • recommender.runServiceIdentityRecommendations.update

recommender.runServiceSecurityInsights.*

  • recommender.runServiceSecurityInsights.get
  • recommender.runServiceSecurityInsights.list
  • recommender.runServiceSecurityInsights.update

recommender.runServiceSecurityRecommendations.*

  • recommender.runServiceSecurityRecommendations.get
  • recommender.runServiceSecurityRecommendations.list
  • recommender.runServiceSecurityRecommendations.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.*

  • run.configurations.get
  • run.configurations.list
  • run.executions.delete
  • run.executions.get
  • run.executions.list
  • run.jobs.create
  • run.jobs.delete
  • run.jobs.get
  • run.jobs.getIamPolicy
  • run.jobs.list
  • run.jobs.run
  • run.jobs.setIamPolicy
  • run.jobs.update
  • run.locations.list
  • run.operations.delete
  • run.operations.get
  • run.operations.list
  • run.revisions.delete
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.invoke
  • run.routes.list
  • run.services.create
  • run.services.createTagBinding
  • run.services.delete
  • run.services.deleteTagBinding
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.listEffectiveTags
  • run.services.listTagBindings
  • run.services.setIamPolicy
  • run.services.update
  • run.tasks.get
  • run.tasks.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudfunctions.developer)

Read and write access to all functions-related resources.

cloudbuild.builds.get

cloudbuild.builds.list

cloudfunctions.functions.call

cloudfunctions.functions.create

cloudfunctions.functions.delete

cloudfunctions.functions.get

cloudfunctions.functions.invoke

cloudfunctions.functions.list

cloudfunctions.functions.sourceCodeGet

cloudfunctions.functions.sourceCodeSet

cloudfunctions.functions.update

cloudfunctions.locations.*

  • cloudfunctions.locations.get
  • cloudfunctions.locations.list

cloudfunctions.operations.*

  • cloudfunctions.operations.get
  • cloudfunctions.operations.list

cloudfunctions.runtimes.list

eventarc.channelConnections.create

eventarc.channelConnections.delete

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channelConnections.publish

eventarc.channels.attach

eventarc.channels.create

eventarc.channels.delete

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.channels.publish

eventarc.channels.undelete

eventarc.channels.update

eventarc.googleChannelConfigs.*

  • eventarc.googleChannelConfigs.get
  • eventarc.googleChannelConfigs.update

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.operations.*

  • eventarc.operations.cancel
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list

eventarc.triggers.create

eventarc.triggers.delete

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

eventarc.triggers.undelete

eventarc.triggers.update

recommender.locations.*

  • recommender.locations.get
  • recommender.locations.list

recommender.runServiceIdentityInsights.*

  • recommender.runServiceIdentityInsights.get
  • recommender.runServiceIdentityInsights.list
  • recommender.runServiceIdentityInsights.update

recommender.runServiceIdentityRecommendations.*

  • recommender.runServiceIdentityRecommendations.get
  • recommender.runServiceIdentityRecommendations.list
  • recommender.runServiceIdentityRecommendations.update

recommender.runServiceSecurityInsights.*

  • recommender.runServiceSecurityInsights.get
  • recommender.runServiceSecurityInsights.list
  • recommender.runServiceSecurityInsights.update

recommender.runServiceSecurityRecommendations.*

  • recommender.runServiceSecurityRecommendations.get
  • recommender.runServiceSecurityRecommendations.list
  • recommender.runServiceSecurityRecommendations.update

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

  • run.configurations.get
  • run.configurations.list

run.executions.*

  • run.executions.delete
  • run.executions.get
  • run.executions.list

run.jobs.create

run.jobs.delete

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.run

run.jobs.update

run.locations.list

run.operations.*

  • run.operations.delete
  • run.operations.get
  • run.operations.list

run.revisions.*

  • run.revisions.delete
  • run.revisions.get
  • run.revisions.list

run.routes.*

  • run.routes.get
  • run.routes.invoke
  • run.routes.list

run.services.create

run.services.delete

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.services.update

run.tasks.*

  • run.tasks.get
  • run.tasks.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

(roles/cloudfunctions.invoker)

Ability to invoke HTTP functions with restricted access.

cloudfunctions.functions.invoke

(roles/cloudfunctions.viewer)

Read-only access to functions and locations.

cloudbuild.builds.get

cloudbuild.builds.list

cloudfunctions.functions.get

cloudfunctions.functions.list

cloudfunctions.locations.*

  • cloudfunctions.locations.get
  • cloudfunctions.locations.list

cloudfunctions.operations.*

  • cloudfunctions.operations.get
  • cloudfunctions.operations.list

cloudfunctions.runtimes.list

eventarc.channelConnections.get

eventarc.channelConnections.getIamPolicy

eventarc.channelConnections.list

eventarc.channels.get

eventarc.channels.getIamPolicy

eventarc.channels.list

eventarc.googleChannelConfigs.get

eventarc.locations.*

  • eventarc.locations.get
  • eventarc.locations.list

eventarc.operations.get

eventarc.operations.list

eventarc.providers.*

  • eventarc.providers.get
  • eventarc.providers.list

eventarc.triggers.get

eventarc.triggers.getIamPolicy

eventarc.triggers.list

recommender.locations.*

  • recommender.locations.get
  • recommender.locations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

remotebuildexecution.blobs.get

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

  • run.configurations.get
  • run.configurations.list

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

  • run.tasks.get
  • run.tasks.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

Custom roles

For developers that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles.

If the role contains permissions that let a developer deploy functions, then you must perform the additional configuration in the next section.

Additional configuration for deployment

In order to assign a user the Cloud Functions Admin (roles/cloudfunctions.admin) or Cloud Functions Developer role (roles/cloudfunctions.developer) or a custom role that can deploy functions, you must also assign the user the Service Account User IAM role (roles/iam.serviceAccountUser) on the Cloud Functions runtime service account.

Console

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Select a project to display the runtime service accounts associated with it.

  3. Select the desired runtime service account from the Email column in the table:

    • For 1st gen, the default runtime service account is PROJECT_ID@appspot.gserviceaccount.com.
    • For 2nd gen, the default runtime service account is PROJECT_NUMBER-compute@developer.gserviceaccount.com.

  4. Display the Permissions tab.

  5. Click Grant Access.

  6. Enter the member (for example, user or group email) that you're granting the Admin or Developer role to.

  7. Under Assign Roles > Role, choose Service Accounts > Service Account User.

  8. Click Save.

gcloud

1st gen:

gcloud iam service-accounts add-iam-policy-binding \
    PROJECT_ID@appspot.gserviceaccount.com \
    --member MEMBER \
    --role roles/iam.serviceAccountUser

2nd gen:

gcloud iam service-accounts add-iam-policy-binding \
    PROJECT_NUMBER-compute@developer.gserviceaccount.com \
    --member MEMBER \
    --role roles/iam.serviceAccountUser