Cloud Functions IAM Roles
Predefined roles
The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Run functions (formerly known as Cloud Functions), and lists the permissions that are contained in each role.
Roles can be granted to users on an entire project or on individual functions. Read Managing Access via IAM to learn more.
Cloud Functions roles
Role | Permissions |
---|---|
Cloud Functions Admin( Full access to functions, operations and locations. |
|
Cloud Functions Developer( Read and write access to all functions-related resources. |
|
Cloud Functions Invoker( Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead. |
|
Cloud Functions Viewer( Read-only access to functions and locations. |
|
Custom roles
For developers that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles.
If the role contains permissions that let a developer deploy functions, then you must perform the additional configuration in the next section.
Additional configuration for deployment
You use Identity and Access Management to authorize identities to perform
administrative actions on functions created using the
Cloud Functions v2 API—for example, using
gcloud functions
, the REST API, or Terraform. Administration actions include
creating, updating, and deleting functions. For more information, see
Authorize access with IAM.
To deploy Cloud Run functions that were created with the Cloud Functions v1 API or v2 API, ask your administrator to grant you one of the following IAM roles:
- Cloud Functions
Admin role
(
roles/cloudfunctions.admin
) - Cloud Functions
Developer role
(
roles/cloudfunctions.developer
) - A custom role that has the required permissions for deploying functions
You must also grant the runtime service account and the Cloud Build service account the following role:
- Service Account User
IAM role
(roles/iam.serviceAccountUser
)
These configurations don't impact the custom Cloud Build service account or the permissions required to build a function. For more information, see Build process overview.
Console
Go to the Google Cloud console:
Select a project to display the runtime service accounts associated with it.
Select a runtime service account from the Email column in the table:
- For Cloud Run functions (1st gen), the default runtime service account is
PROJECT_ID@appspot.gserviceaccount.com
. - For Cloud Run functions, the default runtime service account is
PROJECT_NUMBER-compute@developer.gserviceaccount.com
.
- For Cloud Run functions (1st gen), the default runtime service account is
Display the Permissions tab.
Click Grant Access.
Enter the member (for example, user or group email) that you're granting the Admin or Developer role to.
Under Assign Roles > Role, choose Service Accounts > Service Account User.
Click Save.
gcloud
Cloud Run functions (1st gen):
gcloud iam service-accounts add-iam-policy-binding \ PROJECT_ID@appspot.gserviceaccount.com \ --member MEMBER \ --role roles/iam.serviceAccountUser
Cloud Run functions:
gcloud iam service-accounts add-iam-policy-binding \ PROJECT_NUMBER-compute@developer.gserviceaccount.com \ --member MEMBER \ --role roles/iam.serviceAccountUser
Optional permissions
The following optional permissions can be considered when configuring accounts with a minimal permission set:
monitoring.timeSeries.list
on the project level. Typically assigned through theroles/monitoring.viewer
role. It allows user to access metrics generated by their function. For more information, go to the Stackdriver documentation for Access Control.logging.logEntries.list
on the project level. Typically assigned through theroles/logging.viewer
role. It allows user to access logs generated by their function. For more information, go to the Access Control guide in the Stackdriver Logging documentation.