You can secure Cloud Functions with identity-based or network-based access control.
With identity-based access control, access is granted on a per-function basis via Identity and Access Management (IAM). This allows for control over two sets of actions:
Developer operations: creating, updating, and deleting functions, as well as managing access to functions.
Function invocation: causing a function to be executed.
Functions also have their own identity, which is used when calling Google Cloud services or other functions. The permissions associated with this identity can be restricted in order to give functions least-privilege access.
With network-based access control, access is controlled by specifying network settings for individual functions. This gives you finer control over network ingress to, and egress from, your functions.
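The two control planes described above (who may invoke a function and what identity it runs as, versus which networks can reach it) are visible in the output of `gcloud functions describe NAME --format=json` and `gcloud functions get-iam-policy NAME --format=json`. The following audit script is an added example, not code from the Google Cloud documentation or the Cloud Functions product: it reads those two JSON documents and reports settings that widen access beyond least privilege. The field names (`serviceAccountEmail`, `ingressSettings`, `vpcConnector`) and role names are the ones those commands emit for first-generation functions; the two sample documents are constructed, not captured from a real project.

```python
"""Audit Cloud Functions settings for over-broad access.

Added example, not code from the Google Cloud documentation: it inspects the
JSON shapes returned by `gcloud functions describe --format=json` and
`gcloud functions get-iam-policy --format=json` and reports settings that widen
identity-based or network-based access beyond least privilege.
The sample documents below are constructed, not captured from a real project.
"""
import json

# Principals that make an invoker binding effectively public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles that grant "function invocation" (gen1 uses cloudfunctions.invoker;
# gen2 functions are Cloud Run services and use run.invoker).
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}
# Project-wide default service accounts carry broad, shared permissions.
DEFAULT_SA_SUFFIXES = ("@appspot.gserviceaccount.com",
                       "-compute@developer.gserviceaccount.com")


def audit_iam_policy(policy):
    """Identity-based check: who may invoke the function?"""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in INVOKER_ROLES:
            continue
        public = PUBLIC_PRINCIPALS & set(binding.get("members", []))
        for member in sorted(public):
            findings.append(f"{binding['role']} granted to {member}")
    return findings


def audit_function(desc):
    """Function identity and network-based checks on a describe document."""
    findings = []
    sa = desc.get("serviceAccountEmail", "")
    if sa.endswith(DEFAULT_SA_SUFFIXES):
        findings.append(f"runs as default service account {sa}")
    # gen1 ingressSettings: ALLOW_ALL, ALLOW_INTERNAL_ONLY, ALLOW_INTERNAL_AND_GCLB
    if desc.get("ingressSettings", "ALLOW_ALL") == "ALLOW_ALL":
        findings.append("ingress ALLOW_ALL: reachable from any network")
    if not desc.get("vpcConnector"):
        findings.append("no VPC connector: egress is not routed through a VPC")
    return findings


def audit(desc_json, policy_json):
    """Combine both checks for one function; returns the list of findings."""
    desc = json.loads(desc_json)
    policy = json.loads(policy_json)
    return audit_function(desc) + audit_iam_policy(policy)


# Constructed sample: a function deployed with the defaults and opened to everyone.
WEAK_DESC = json.dumps({
    "name": "projects/example-project/locations/us-central1/functions/hello",
    "serviceAccountEmail": "example-project@appspot.gserviceaccount.com",
    "ingressSettings": "ALLOW_ALL",
})
WEAK_POLICY = json.dumps({
    "bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]
})

# Constructed sample: dedicated identity, internal-only ingress, VPC egress,
# invocation limited to a single caller service account.
HARDENED_DESC = json.dumps({
    "name": "projects/example-project/locations/us-central1/functions/hello",
    "serviceAccountEmail": "hello-fn@example-project.iam.gserviceaccount.com",
    "ingressSettings": "ALLOW_INTERNAL_ONLY",
    "vpcConnector": "projects/example-project/locations/us-central1/connectors/fn-connector",
    "vpcConnectorEgressSettings": "ALL_TRAFFIC",
})
HARDENED_POLICY = json.dumps({
    "bindings": [{"role": "roles/cloudfunctions.invoker",
                  "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]}]
})

if __name__ == "__main__":
    for label, d, p in (("weak", WEAK_DESC, WEAK_POLICY),
                        ("hardened", HARDENED_DESC, HARDENED_POLICY)):
        print(label, audit(d, p) or ["no findings"])
```

To run it against a real function, save the output of the two `gcloud` commands to files and pass their contents to `audit`; a clean result means the function uses a dedicated service account, is not reachable from arbitrary networks, routes egress through a VPC connector, and has no public invoker binding.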
Securing Google Cloud Functions
- Managing access via IAM: Learn how to manage developer, function, and end-user access to your functions with identity-based access control.
- Authenticating to functions: Learn how to authenticate developers, functions, and end-users to your functions.
- Understanding function identity: Learn what identity your function runs as and how to configure it.
- Using VPC Service Controls: Learn how to use VPC Service Controls with Cloud Functions to mitigate data exfiltration risks using network-based access control.