Package google.cloud.functions.v1

Index

CloudFunctionsService

A service that application uses to manipulate triggers and functions.

CallFunction

rpc CallFunction(CallFunctionRequest) returns (CallFunctionResponse)

Synchronously invokes a deployed Cloud Function. To be used for testing purposes as very limited traffic is allowed. For more information on the actual limits, refer to Rate Limits.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateFunction

rpc CreateFunction(CreateFunctionRequest) returns (Operation)

Creates a new function. If a function with the given name already exists in the specified project, the long running operation will return ALREADY_EXISTS error.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteFunction

rpc DeleteFunction(DeleteFunctionRequest) returns (Operation)

Deletes a function with the given name from the specified project. If the given function is used by some trigger, the trigger will be updated to remove this function.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GenerateDownloadUrl

rpc GenerateDownloadUrl(GenerateDownloadUrlRequest) returns (GenerateDownloadUrlResponse)

Returns a signed URL for downloading deployed function source code. The URL is only valid for a limited period and should be used within minutes after generation. For more information about the signed URL usage see: https://cloud.google.com/storage/docs/access-control/signed-urls

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GenerateUploadUrl

rpc GenerateUploadUrl(GenerateUploadUrlRequest) returns (GenerateUploadUrlResponse)

Returns a signed URL for uploading a function source code. For more information about the signed URL usage see: https://cloud.google.com/storage/docs/access-control/signed-urls. Once the function source code upload is complete, the used signed URL should be provided in CreateFunction or UpdateFunction request as a reference to the function source code.

When uploading source code to the generated signed URL, please follow these restrictions:

  • Source file type should be a zip file.
  • Source file size should not exceed 100MB limit.
  • No credentials should be attached - the signed URLs provide access to the target bucket using internal service identity; if credentials were attached, the identity from the credentials would be used, but that identity does not have permissions to upload files to the URL.

When making a HTTP PUT request, these two headers need to be specified:

  • content-type: application/zip
  • x-goog-content-length-range: 0,104857600

And this header SHOULD NOT be specified:

  • Authorization: Bearer YOUR_TOKEN
Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetFunction

rpc GetFunction(GetFunctionRequest) returns (CloudFunction)

Returns a function with the given name from the requested project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloudfunctions
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetIamPolicy

rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy)

Gets the IAM access control policy for a function. Returns an empty policy if the function exists and does not have a policy set.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloudfunctions
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListFunctions

rpc ListFunctions(ListFunctionsRequest) returns (ListFunctionsResponse)

Returns a list of functions that belong to the requested project.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloudfunctions
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SetIamPolicy

rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy)

Sets the IAM access control policy on the specified function. Replaces any existing policy.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

TestIamPermissions

rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse)

Tests the specified permissions against the IAM access control policy for a function. If the function does not exist, this will return an empty set of permissions, not a NOT_FOUND error.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloudfunctions
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateFunction

rpc UpdateFunction(UpdateFunctionRequest) returns (Operation)

Updates existing function.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CallFunctionRequest

Request for the CallFunction method.

Fields
name

string

Required. The name of the function to be called.

Authorization requires the following IAM permission on the specified resource name:

  • cloudfunctions.functions.call
data

string

Required. Input to be passed to the function.

CallFunctionResponse

Response of CallFunction method.

Fields
execution_id

string

Execution id of function invocation.

result

string

Result populated for successful execution of synchronous function. Will not be populated if function does not return a result through context.

error

string

Either system or user-function generated error. Set if execution was not successful.

CloudFunction

Describes a Cloud Function that contains user computation executed in response to an event. It encapsulate function and triggers configurations.

Fields
name

string

A user-defined name of the function. Function names must be unique globally and match pattern projects/*/locations/*/functions/*

description

string

User-provided description of a function.

status

CloudFunctionStatus

Output only. Status of the function deployment.

entry_point

string

The name of the function (as defined in source code) that will be executed. Defaults to the resource name suffix (ID of the function), if not specified.

runtime

string

The runtime in which to run the function. Required when deploying a new function, optional when updating an existing function. For a complete list of possible choices, see the gcloud command reference.

timeout

Duration

The function execution timeout. Execution is considered failed and can be terminated if the function is not completed at the end of the timeout period. Defaults to 60 seconds.

available_memory_mb

int32

The amount of memory in MB available for a function. Defaults to 256MB.

service_account_email

string

The email of the function's service account. If empty, defaults to {project_id}@appspot.gserviceaccount.com.

update_time

Timestamp

Output only. The last update timestamp of a Cloud Function.

version_id

int64

Output only. The version identifier of the Cloud Function. Each deployment attempt results in a new version of a function being created.

labels

map<string, string>

Labels associated with this Cloud Function.

environment_variables

map<string, string>

Environment variables that shall be available during function execution.

build_environment_variables

map<string, string>

Build environment variables that shall be available during build time.

network
(deprecated)

string

Deprecated: use vpc_connector

max_instances

int32

The limit on the maximum number of function instances that may coexist at a given time.

In some cases, such as rapid traffic surges, Cloud Functions may, for a short period of time, create more instances than the specified max instances limit. If your function cannot tolerate this temporary behavior, you may want to factor in a safety margin and set a lower max instances value than your function can tolerate.

See the Max Instances Guide for more details.

min_instances

int32

A lower bound for the number function instances that may coexist at a given time.

vpc_connector

string

The VPC Network Connector that this cloud function can connect to. It can be either the fully-qualified URI, or the short name of the network connector resource. The format of this field is projects/*/locations/*/connectors/*

This field is mutually exclusive with network field and will eventually replace it.

See the VPC documentation for more information on connecting Cloud projects.

vpc_connector_egress_settings

VpcConnectorEgressSettings

The egress settings for the connector, controlling what traffic is diverted through it.

ingress_settings

IngressSettings

The ingress settings for the function, controlling what traffic can reach it.

kms_key_name

string

Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources.

It must match the pattern projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}.

If specified, you must also provide an artifact registry repository using the docker_repository field that was created with the same KMS crypto key.

The following service accounts need to be granted the role 'Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)' on the Key/KeyRing/Project/Organization (least access preferred).

  1. Google Cloud Functions service account (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com) - Required to protect the function's image.
  2. Google Storage service account (service-{project_number}@gs-project-accounts.iam.gserviceaccount.com) - Required to protect the function's source code. If this service account does not exist, deploying a function without a KMS key or retrieving the service agent name provisions it. For more information, see https://cloud.google.com/storage/docs/projects#service-agents and https://cloud.google.com/storage/docs/getting-service-agent#gsutil.

Google Cloud Functions delegates access to service agents to protect function resources in internal projects that are not accessible by the end user.

build_worker_pool

string

Name of the Cloud Build Custom Worker Pool that should be used to build the function. The format of this field is projects/{project}/locations/{region}/workerPools/{workerPool} where {project} and {region} are the project id and region respectively where the worker pool is defined and {workerPool} is the short name of the worker pool.

If the project id is not the same as the function, then the Cloud Functions Service Agent (service-<project_number>@gcf-admin-robot.iam.gserviceaccount.com) must be granted the role Cloud Build Custom Workers Builder (roles/cloudbuild.customworkers.builder) in the project.

build_id

string

Output only. The Cloud Build ID of the latest successful deployment of the function.

build_name

string

Output only. The Cloud Build Name of the function deployment. projects/<project-number>/locations/<region>/builds/<build-id>.

secret_environment_variables[]

SecretEnvVar

Secret environment variables configuration.

secret_volumes[]

SecretVolume

Secret volumes configuration.

source_token

string

Input only. An identifier for Firebase function sources. Disclaimer: This field is only supported for Firebase function deployments.

docker_repository

string

User-managed repository created in Artifact Registry to which the function's Docker image will be pushed after it is built by Cloud Build. May optionally be encrypted with a customer-managed encryption key (CMEK). If unspecified and docker_registry is not explicitly set to CONTAINER_REGISTRY, GCF will create and use a default Artifact Registry repository named 'gcf-artifacts' in the region.

It must match the pattern projects/{project}/locations/{location}/repositories/{repository}.

Cross-project repositories are not supported. Cross-location repositories are not supported. Repository format must be 'DOCKER'.

docker_registry

DockerRegistry

Docker Registry to use for this deployment.

If unspecified, it defaults to ARTIFACT_REGISTRY. If docker_repository field is specified, this field should either be left unspecified or set to ARTIFACT_REGISTRY.

build_service_account

string

A service account the user provides for use with Cloud Build. The format of this field is projects/{projectId}/serviceAccounts/{serviceAccountEmail}`.

Union field source_code. The location of the function source code. source_code can be only one of the following:
source_archive_url

string

The Google Cloud Storage URL, starting with gs://, pointing to the zip archive which contains the function.

source_repository

SourceRepository

Beta Feature

The source repository where a function is hosted.

source_upload_url

string

The Google Cloud Storage signed URL used for source uploading, generated by calling [google.cloud.functions.v1.GenerateUploadUrl].

The signature is validated on write methods (Create, Update) The signature is stripped from the Function object on read methods (Get, List)

Union field trigger. An event that triggers the function. trigger can be only one of the following:
https_trigger

HttpsTrigger

An HTTPS endpoint type of source that can be triggered via URL.

event_trigger

EventTrigger

A source that fires events in response to a condition in another service.

Union field runtime_update_policy. This controls when security patches are applied to the runtime environment. runtime_update_policy can be only one of the following:
automatic_update_policy

AutomaticUpdatePolicy

on_deploy_update_policy

OnDeployUpdatePolicy

AutomaticUpdatePolicy

This type has no fields.

Security patches are applied automatically to the runtime without requiring the function to be redeployed.

DockerRegistry

Docker Registry to use for storing function Docker images.

Enums
DOCKER_REGISTRY_UNSPECIFIED Unspecified.
CONTAINER_REGISTRY Docker images will be stored in multi-regional Container Registry repositories named gcf.
ARTIFACT_REGISTRY Docker images will be stored in regional Artifact Registry repositories. By default, GCF will create and use repositories named gcf-artifacts in every region in which a function is deployed. But the repository to use can also be specified by the user using the docker_repository field.

IngressSettings

Available ingress settings.

This controls what traffic can reach the function.

If unspecified, ALLOW_ALL will be used.

Enums
INGRESS_SETTINGS_UNSPECIFIED Unspecified.
ALLOW_ALL Allow HTTP traffic from public and private sources.
ALLOW_INTERNAL_ONLY Allow HTTP traffic from only private VPC sources.
ALLOW_INTERNAL_AND_GCLB Allow HTTP traffic from private VPC sources and through GCLB.

OnDeployUpdatePolicy

Security patches are only applied when a function is redeployed.

Fields
runtime_version

string

Output only. Contains the runtime version which was used during latest function deployment.

VpcConnectorEgressSettings

Available egress settings.

This controls what traffic is diverted through the VPC Access Connector resource. By default PRIVATE_RANGES_ONLY will be used.

Enums
VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED Unspecified.
PRIVATE_RANGES_ONLY Use the VPC Access Connector only for private IP space from RFC1918.
ALL_TRAFFIC Force the use of VPC Access Connector for all egress traffic from the function.

CloudFunctionStatus

Describes the current stage of a deployment.

Enums
CLOUD_FUNCTION_STATUS_UNSPECIFIED Not specified. Invalid state.
ACTIVE Function has been successfully deployed and is serving.
OFFLINE Function deployment failed and the function isn’t serving.
DEPLOY_IN_PROGRESS Function is being created or updated.
DELETE_IN_PROGRESS Function is being deleted.
UNKNOWN Function deployment failed and the function serving state is undefined. The function should be updated or deleted to move it out of this state.

CreateFunctionRequest

Request for the CreateFunction method.

Fields
location

string

Required. The project and location in which the function should be created, specified in the format projects/*/locations/*

Authorization requires the following IAM permission on the specified resource location:

  • cloudfunctions.functions.create
function

CloudFunction

Required. Function to be created.

DeleteFunctionRequest

Request for the DeleteFunction method.

Fields
name

string

Required. The name of the function which should be deleted.

Authorization requires the following IAM permission on the specified resource name:

  • cloudfunctions.functions.delete

EventTrigger

Describes EventTrigger, used to request events be sent from another service.

Fields
event_type

string

Required. The type of event to observe. For example: providers/cloud.storage/eventTypes/object.change and providers/cloud.pubsub/eventTypes/topic.publish.

Event types match pattern providers/*/eventTypes/*.*. The pattern contains:

  1. namespace: For example, cloud.storage and google.firebase.analytics.
  2. resource type: The type of resource on which event occurs. For example, the Google Cloud Storage API includes the type object.
  3. action: The action that generates the event. For example, action for a Google Cloud Storage Object is 'change'. These parts are lower case.
resource

string

Required. The resource(s) from which to observe events, for example, projects/_/buckets/myBucket.

Not all syntactically correct values are accepted by all services. For example:

  1. The authorization model must support it. Google Cloud Functions only allows EventTriggers to be deployed that observe resources in the same project as the CloudFunction.
  2. The resource type must match the pattern expected for an event_type. For example, an EventTrigger that has an event_type of "google.pubsub.topic.publish" should have a resource that matches Google Cloud Pub/Sub topics.

Additionally, some services may support short names when creating an EventTrigger. These will always be returned in the normalized "long" format.

See each service's documentation for supported formats.

service

string

The hostname of the service that should be observed.

If no string is provided, the default service implementing the API will be used. For example, storage.googleapis.com is the default for all event types in the google.storage namespace.

failure_policy

FailurePolicy

Specifies policy for failed executions.

FailurePolicy

Describes the policy in case of function's execution failure. If empty, then defaults to ignoring failures (i.e. not retrying them).

Fields
Union field action. Defines the action taken in case of a function execution failure. action can be only one of the following:
retry

Retry

If specified, then the function will be retried in case of a failure.

Retry

This type has no fields.

Describes the retry policy in case of function's execution failure. A function execution will be retried on any failure. A failed execution will be retried up to 7 days with an exponential backoff (capped at 10 seconds). Retried execution is charged as any other execution.

GenerateDownloadUrlRequest

Request of GenerateDownloadUrl method.

Fields
name

string

The name of function for which source code Google Cloud Storage signed URL should be generated.

Authorization requires the following IAM permission on the specified resource name:

  • cloudfunctions.functions.sourceCodeGet
version_id

uint64

The optional version of function. If not set, default, current version is used.

GenerateDownloadUrlResponse

Response of GenerateDownloadUrl method.

Fields
download_url

string

The generated Google Cloud Storage signed URL that should be used for function source code download.

GenerateUploadUrlRequest

Request of GenerateSourceUploadUrl method.

Fields
parent

string

The project and location in which the Google Cloud Storage signed URL should be generated, specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • cloudfunctions.functions.sourceCodeSet
kms_key_name

string

Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function source code objects in intermediate Cloud Storage buckets. When you generate an upload url and upload your source code, it gets copied to an intermediate Cloud Storage bucket. The source code is then copied to a versioned directory in the sources bucket in the consumer project during the function deployment.

It must match the pattern projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}.

The Google Cloud Functions service account (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com) must be granted the role 'Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)' on the Key/KeyRing/Project/Organization (least access preferred). GCF will delegate access to the Google Storage service account in the internal project.

GenerateUploadUrlResponse

Response of GenerateSourceUploadUrl method.

Fields
upload_url

string

The generated Google Cloud Storage signed URL that should be used for a function source code upload. The uploaded file should be a zip archive which contains a function.

GetFunctionRequest

Request for the GetFunction method.

Fields
name

string

Required. The name of the function which details should be obtained.

Authorization requires the following IAM permission on the specified resource name:

  • cloudfunctions.functions.get
version_id

int64

Optional. The optional version of the function whose details should be obtained. The version of a 1st Gen function is an integer that starts from 1 and gets incremented on redeployments. Each deployment creates a config version of the underlying function. GCF may keep historical configs for old versions. This field can be specified to fetch the historical configs. Leave it blank or set to 0 to get the latest version of the function.

HttpsTrigger

Describes HttpsTrigger, could be used to connect web hooks to function.

Fields
url

string

Output only. The deployed url for the function.

security_level

SecurityLevel

The security level for the function.

SecurityLevel

Available security level settings.

This controls the methods to enforce security (HTTPS) on a URL.

If unspecified, SECURE_OPTIONAL will be used.

Enums
SECURITY_LEVEL_UNSPECIFIED Unspecified.
SECURE_ALWAYS Requests for a URL that match this handler that do not use HTTPS are automatically redirected to the HTTPS URL with the same path. Query parameters are reserved for the redirect.
SECURE_OPTIONAL Both HTTP and HTTPS requests with URLs that match the handler succeed without redirects. The application can examine the request to determine which protocol was used and respond accordingly.

ListFunctionsRequest

Request for the ListFunctions method.

Fields
parent

string

The project and location from which the function should be listed, specified in the format projects/*/locations/* If you want to list functions in all locations, use "-" in place of a location. When listing functions in all locations, if one or more location(s) are unreachable, the response will contain functions from all reachable locations along with the names of any unreachable locations.

Authorization requires the following IAM permission on the specified resource parent:

  • cloudfunctions.functions.list
page_size

int32

Maximum number of functions to return per call.

page_token

string

The value returned by the last ListFunctionsResponse; indicates that this is a continuation of a prior ListFunctions call, and that the system should return the next page of data.

ListFunctionsResponse

Response for the ListFunctions method.

Fields
functions[]

CloudFunction

The functions that match the request.

next_page_token

string

If not empty, indicates that there may be more functions that match the request; this value should be passed in a new google.cloud.functions.v1.ListFunctionsRequest to get more functions.

unreachable[]

string

Locations that could not be reached. The response does not include any functions from these locations.

OperationMetadataV1

Metadata describing an Operation

Fields
target

string

Target of the operation - for example projects/project-1/locations/region-1/functions/function-1

type

OperationType

Type of operation.

request

Any

The original request that started the operation.

version_id

int64

Version id of the function created or updated by an API call. This field is only populated for Create and Update operations.

update_time

Timestamp

The last update timestamp of the operation.

build_id

string

The Cloud Build ID of the function created or updated by an API call. This field is only populated for Create and Update operations.

source_token

string

An identifier for Firebase function sources. Disclaimer: This field is only supported for Firebase function deployments.

build_name

string

The Cloud Build Name of the function deployment. This field is only populated for Create and Update operations. projects/<project-number>/locations/<region>/builds/<build-id>.

OperationType

A type of an operation.

Enums
OPERATION_UNSPECIFIED Unknown operation type.
CREATE_FUNCTION Triggered by CreateFunction call
UPDATE_FUNCTION Triggered by UpdateFunction call
DELETE_FUNCTION Triggered by DeleteFunction call.

SecretEnvVar

Configuration for a secret environment variable. It has the information necessary to fetch the secret value from secret manager and expose it as an environment variable.

Fields
key

string

Name of the environment variable.

project_id

string

Project identifier (preferrably project number but can also be the project ID) of the project that contains the secret. If not set, it will be populated with the function's project assuming that the secret exists in the same project as of the function.

secret

string

Name of the secret in secret manager (not the full resource name).

version

string

Version of the secret (version number or the string 'latest'). It is recommended to use a numeric version for secret environment variables as any updates to the secret value is not reflected until new instances start.

SecretVolume

Configuration for a secret volume. It has the information necessary to fetch the secret value from secret manager and make it available as files mounted at the requested paths within the application container. Secret value is not a part of the configuration. Every filesystem read operation performs a lookup in secret manager to retrieve the secret value.

Fields
mount_path

string

The path within the container to mount the secret volume. For example, setting the mount_path as /etc/secrets would mount the secret value files under the /etc/secrets directory. This directory will also be completely shadowed and unavailable to mount any other secrets.

Recommended mount paths: /etc/secrets Restricted mount paths: /cloudsql, /dev/log, /pod, /proc, /var/log

project_id

string

Project identifier (preferrably project number but can also be the project ID) of the project that contains the secret. If not set, it will be populated with the function's project assuming that the secret exists in the same project as of the function.

secret

string

Name of the secret in secret manager (not the full resource name).

versions[]

SecretVersion

List of secret versions to mount for this secret. If empty, the latest version of the secret will be made available in a file named after the secret under the mount point.

SecretVersion

Configuration for a single version.

Fields
version

string

Version of the secret (version number or the string 'latest'). It is preferable to use latest version with secret volumes as secret value changes are reflected immediately.

path

string

Relative path of the file under the mount path where the secret value for this version will be fetched and made available. For example, setting the mount_path as '/etc/secrets' and path as /secret_foo would mount the secret value file at /etc/secrets/secret_foo.

SourceRepository

Describes SourceRepository, used to represent parameters related to source repository where a function is hosted.

Fields
url

string

The URL pointing to the hosted repository where the function is defined. There are supported Cloud Source Repository URLs in the following formats:

To refer to a specific commit: https://source.developers.google.com/projects/*/repos/*/revisions/*/paths/* To refer to a moveable alias (branch): https://source.developers.google.com/projects/*/repos/*/moveable-aliases/*/paths/* In particular, to refer to HEAD use master moveable alias. To refer to a specific fixed alias (tag): https://source.developers.google.com/projects/*/repos/*/fixed-aliases/*/paths/*

You may omit paths/* if you want to use the main directory.

deployed_url

string

Output only. The URL pointing to the hosted repository where the function were defined at the time of deployment. It always points to a specific commit in the format described above.

UpdateFunctionRequest

Request for the UpdateFunction method.

Fields
function

CloudFunction

Required. New version of the function.

Authorization requires the following IAM permission on the specified resource function:

  • cloudfunctions.functions.update
update_mask

FieldMask

Required. The list of fields in CloudFunction that have to be updated.