Cloud Functions IAM Roles

Curated roles

The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Functions, and lists the permissions that are contained in each role.

Roles can be granted to users on an entire project or on individual functions.

Role	Description	Permissions
`roles/cloudfunctions.developer`	Can create, update, and delete functions. Can't set IAM policies but can view source code. Requires additional configuration in order to deploy functions.	`cloudfunctions.functions.call` `cloudfunctions.functions.create` `cloudfunctions.functions.delete` `cloudfunctions.functions.get` `cloudfunctions.functions.invoke` `cloudfunctions.functions.list` `cloudfunctions.functions.update` `cloudfunctions.functions.sourceCodeGet` `cloudfunctions.functions.sourceCodeSet` `cloudfunctions.operations.get` `cloudfunctions.operations.list` `cloudfunctions.locations.list` `resourcemanager.projects.get` `servicemanagement.projectSettings.get` `serviceusage.services.get`
`roles/cloudfunctions.viewer`	Can view functions. Can't get IAM policies or view source code.	`cloudfunctions.functions.get` `cloudfunctions.functions.list` `cloudfunctions.operations.get` `cloudfunctions.operations.list` `cloudfunctions.locations.list` `resourcemanager.projects.get` `servicemanagement.projectSettings.get` `serviceusage.services.get`

Custom roles

For developers that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles.

If the role contains permissions that let a developer deploy functions, then you must perform the additional configuration below.

Additional configuration for deployment

In order to assign a user the Cloud Functions Developer role (roles/cloudfunctions.developer) or a custom role that can deploy functions, you must also assign the user the IAM Service Account User role (roles/iam.serviceAccountUser) on the Cloud Functions Runtime service account.

Console

Go to the Google Cloud Platform Console:
Go to Google Cloud Platform Console
Select the Runtime Service Account (PROJECT_ID@appspot.gserviceaccount.com) from the table.
Click Show Info Panel in the top right corner to show the Permissions tab.
Click the Add member button.
Enter the member (e.g. user or group email) that that matches the member you're granting the Admin or Developer role to.
Grant the roles/iam.serviceAccountUser role under Service Accounts > Service Account user in the Select a role dropdown.
Click Save.

GCloud

Use the gcloud iam service-accounts add-iam-policy-binding command, replacing [VALUES_IN_BRACKETS] with appropriate values:

gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_ID@appspot.gserviceaccount.com \
  --member="[MEMBER]" \
  --role="roles/iam.serviceAccountUser"

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated April 12, 2019.