Securing Cloud Functions

This page provides a high-level overview of the ways you can control interactions using your Cloud Functions resources.

Access control

There are two approaches to controlling access for Cloud Functions:

Securing access with identity

One way to control access for Cloud Functions is by:

  • Evaluating credentials that the entity presents to ensure that it is who it says it is (Authentication).
  • Allowing that entity to access your resources based on what permissions that identity has been granted (Authorization).

Cloud Functions supports two types of authentication and authorization, Identity and Access Management (IAM) and OAuth 2.0.

Using Identity and Access Management

IAM is the most commonly used kind of access control in Cloud Functions. It works with two types of identities:

  • Service accounts: These are special accounts that serve as the identity of a non-person, like a function or an application or a VM. They give you a way to authenticate these non-persons and to grant them permission to do something, like call an API.
  • User accounts: These accounts represent people - either as individual Google account holders or as part of a Google-controlled entity like a Google Group.

During setup, you associate the requesting identity with the resource you wish to give it access to - you make the requesting identity a member of the resource - and then assign it the appropriate role. The role defines what permissions the identity has in the context of the resource. For more information on how this process is setup, see Authorizing Access via IAM.

Using OAuth 2.0

OAuth 2.0 is an open standard for authorization. It can be used in situations where using IAM is not possible or, in some cases, appropriate. See Best practices for using and managing service accounts for more information on choosing between the two methods.

Using Google Cloud Console you create an OAuth 2.0 client ID (and in some cases, a client secret) for your client application, which serves as the credential.

The client application sends this credential to the Google Authorization Server, which provides an access token. This token allows access to the resource. Permissions are based on a value called a scope, rather than a role, as in IAM.

Network-based access control

You can also limit access by specifying network settings for individual functions. This allows for fine-tuned control over the network ingress and egress to and from your functions.

Isolation and sandboxing

Internally, function instances are isolated from each other using the gVisor sandboxing platform. By design, a function cannot access other functions' operating environments.