Cloud Functions IAM Roles

Predefined roles

The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Functions, and lists the permissions that are contained in each role.

Roles can be granted to users on an entire project or on individual functions. Read Managing Access via IAM to learn more.

Cloud Functions roles

Role Title Description Permissions Lowest resource
roles/cloudfunctions.admin Cloud Functions Admin Full access to functions, operations and locations.
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.*
  • eventarc.*
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.*
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudfunctions.developer Cloud Functions Developer Read and write access to all functions-related resources.
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.call
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.invoke
  • cloudfunctions.functions.list
  • cloudfunctions.functions.sourceCodeGet
  • cloudfunctions.functions.sourceCodeSet
  • cloudfunctions.functions.update
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • eventarc.locations.*
  • eventarc.operations.*
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • eventarc.triggers.undelete
  • eventarc.triggers.update
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.*
  • run.routes.*
  • run.services.create
  • run.services.delete
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • run.services.update
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
roles/cloudfunctions.invoker Cloud Functions Invoker Ability to invoke HTTP functions with restricted access.
  • cloudfunctions.functions.invoke
roles/cloudfunctions.viewer Cloud Functions Viewer Read-only access to functions and locations.
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.locations.*
  • cloudfunctions.operations.*
  • eventarc.locations.*
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.get
  • eventarc.triggers.getIamPolicy
  • eventarc.triggers.list
  • recommender.locations.*
  • remotebuildexecution.blobs.get
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • run.configurations.*
  • run.locations.*
  • run.revisions.get
  • run.revisions.list
  • run.routes.get
  • run.routes.list
  • run.services.get
  • run.services.getIamPolicy
  • run.services.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

Custom roles

For developers that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles.

If the role contains permissions that let a developer deploy functions, then you must perform the additional configuration in the next section.

Additional configuration for deployment

In order to assign a user the Cloud Functions Admin (roles/cloudfunctions.admin) or Cloud Functions Developer role (roles/cloudfunctions.developer) or a custom role that can deploy functions, you must also assign the user the Service Account User IAM role (roles/iam.serviceAccountUser) on the Cloud Functions runtime service account.

Console

  1. Go to the Google Cloud Console:

    Go to Cloud Console

  2. Select the Runtime Service Account (PROJECT_ID@appspot.gserviceaccount.com) from the table.

  3. Click Manage Access.

  4. Click Add member.

  5. Enter the member (for example, user or group email) that you're granting the Admin or Developer role to.

  6. Grant the roles/iam.serviceAccountUser role under Service Accounts > Service Account user in the Select a role dropdown.

  7. Click Save.

gcloud

gcloud iam service-accounts add-iam-policy-binding \
    PROJECT_ID@appspot.gserviceaccount.com \
    --member MEMBER \
    --role roles/iam.serviceAccountUser