Curated roles
The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Functions, and lists the permissions that are contained in each role.
Roles can be granted to users on an entire project or on individual functions.
Role | Description | Permissions |
---|---|---|
roles/cloudfunctions.admin | Can create, update, and delete functions. Can set IAM policies and view source code. Requires additional configuration in order to deploy functions. | cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.update cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.functions.getIamPolicy cloudfunctions.functions.setIamPolicy cloudfunctions.operations.get cloudfunctions.operations.list cloudfunctions.locations.list resourcemanager.projects.get servicemanagement.projectSettings.get serviceusage.services.get |
roles/cloudfunctions.developer | Can create, update, and delete functions. Can't set IAM policies but can view source code. Requires additional configuration in order to deploy functions. | cloudfunctions.functions.call cloudfunctions.functions.create cloudfunctions.functions.delete cloudfunctions.functions.get cloudfunctions.functions.invoke cloudfunctions.functions.list cloudfunctions.functions.update cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.sourceCodeSet cloudfunctions.operations.get cloudfunctions.operations.list cloudfunctions.locations.list resourcemanager.projects.get servicemanagement.projectSettings.get serviceusage.services.get |
roles/cloudfunctions.viewer | Can view functions. Can't get IAM policies or view source code. | cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.operations.get cloudfunctions.operations.list cloudfunctions.locations.list resourcemanager.projects.get servicemanagement.projectSettings.get serviceusage.services.get |
roles/cloudfunctions.invoker | Can invoke functions. Can't perform any administrative actions on functions. | cloudfunctions.functions.invoke |
Custom roles
For developers that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles.
If the role contains permissions that let a developer deploy functions, then you must perform the additional configuration below.
Additional configuration for deployment
In order to assign a user the Cloud Functions Admin (roles/cloudfunctions.admin) or Cloud Functions Developer role (roles/cloudfunctions.developer) or a custom role that can deploy functions, you must also assign the user the IAM Service Account User role (roles/iam.serviceAccountUser) on the Cloud Functions Runtime service account.
Console
Go to the Google Cloud Console:
Select the Runtime Service Account (PROJECT_ID@appspot.gserviceaccount.com) from the table.
Click Show Info Panel in the top right corner to show the Permissions tab.
Click the Add member button.
Enter the member (e.g. user or group email) you're granting the Admin or Developer role to.
Grant the roles/iam.serviceAccountUser role under Service Accounts > Service Account user in the Select a role dropdown.
Click Save.
GCloud
```
gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_ID@appspot.gserviceaccount.com \
  --member MEMBER \
  --role roles/iam.serviceAccountUser
```
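To audit the requirement above, the following added example (not part of the original documentation) compares a project IAM policy with the Runtime service account's IAM policy and reports members who hold a deploy-capable role without the Service Account User grant. It assumes both policies were exported as JSON (for instance with `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy`, using `--format=json`), checks project-level bindings only, and uses constructed sample policies; the function names are illustrative.

```python
import json

# Curated roles the page says need the extra grant. Custom deploy-capable
# roles are passed by name via extra_deploy_roles (the caller decides which).
DEPLOY_ROLES = {"roles/cloudfunctions.admin", "roles/cloudfunctions.developer"}
SA_USER = "roles/iam.serviceAccountUser"


def members_with(policy, roles):
    """Return the set of members bound to any of `roles` in an IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in roles:
            found.update(binding.get("members", []))
    return found


def audit_deployers(project_policy, runtime_sa_policy, extra_deploy_roles=()):
    """Return (missing, project_wide) for members holding a deploy-capable role.

    missing:      lack Service Account User on the Runtime service account
    project_wide: hold it on the whole project, so on every service account
                  in it, which is broader than the procedure on this page
    Members are matched as literal strings; group membership is not expanded.
    """
    deployers = members_with(project_policy, DEPLOY_ROLES | set(extra_deploy_roles))
    on_sa = members_with(runtime_sa_policy, {SA_USER})
    on_project = members_with(project_policy, {SA_USER})
    return sorted(deployers - on_sa - on_project), sorted(deployers & on_project)


# Constructed sample policies in the JSON shape IAM returns (not real data).
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudfunctions.admin", "members": ["user:alice@example.com"]},
  {"role": "roles/cloudfunctions.developer",
   "members": ["user:bob@example.com", "group:devs@example.com"]},
  {"role": "roles/cloudfunctions.viewer", "members": ["user:carol@example.com"]},
  {"role": "roles/iam.serviceAccountUser", "members": ["group:devs@example.com"]}
]}""")
RUNTIME_SA_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountUser", "members": ["user:alice@example.com"]}
]}""")

if __name__ == "__main__":
    missing, project_wide = audit_deployers(PROJECT_POLICY, RUNTIME_SA_POLICY)
    print("deploy role without Service Account User:", missing)
    print("Service Account User granted project-wide:", project_wide)
```

Roles granted on individual functions do not appear in the project policy, so function-level grants need a separate pass over each function's IAM policy.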