Custom Service Account for Cloud Build

Overview

Cloud Functions leverages Cloud Build when building and deploying your Cloud Function. By default, Cloud Functions uses the default Cloud Build service account as the principal when performing your build. This document describes how to pass in a user-created service account, to be used by Cloud Build, when deploying your function.

You can deploy functions with custom service accounts using the Google Cloud CLI, Google Cloud console, or the Cloud Functions API.

Here are some scenarios where you may want to provide a different service account to be used when Cloud Build builds your function:

  • You want more control of which service accounts to add to your VPC-SC perimeter.

  • You want Cloud Build to run with different permissions from those of the default service account, without having to revoke each of its permissions individually.

  • You want to set granular Cloud Build permissions specifically for your functions, not share a Cloud Build service account that is optimized for other purposes.

Enable APIs

This feature requires the IAM API to be enabled.

Use the Google Cloud CLI to enable the APIs needed to deploy a Cloud Function, or use Google Cloud console:

gcloud services enable iam.googleapis.com

Configure Service Account

This document describes how to create a new service account and grant the required permissions. If you want to use an existing service account, you need the email address of the service account you plan to use. See configuring user-specified service accounts for details.

You can view your existing service accounts as follows, or use Google Cloud console:

gcloud iam service-accounts list

Create Service Account

Use the Google Cloud CLI to create your service account or use Google Cloud console:

gcloud iam service-accounts create SA_NAME

Replace SA_NAME with an ID for the new service account (the part before the @ in its email address). The resulting email address, used as SA_EMAIL in the commands below, is SA_NAME@PROJECT_ID.iam.gserviceaccount.com.

Grant Permissions

The service account you use needs the Logs Writer, Artifact Registry Writer, and Storage Object Admin roles on the project where the function is deployed, and the user deploying the function needs the Service Account User role on the project that owns the service account.

Grant these roles using the Google Cloud CLI, or use Google Cloud console:

gcloud projects add-iam-policy-binding SA_PROJECT_ID \
    --member=user:DEPLOYING_USER_EMAIL \
    --role=roles/iam.serviceAccountUser

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:SA_EMAIL \
    --role=roles/logging.logWriter

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:SA_EMAIL \
    --role=roles/artifactregistry.writer

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:SA_EMAIL \
    --role=roles/storage.objectAdmin

Replace the following:

  • PROJECT_ID: Your Google Cloud project ID.
  • SA_EMAIL: The email address of your service account.
  • SA_PROJECT_ID: The project ID of your service account.
  • DEPLOYING_USER_EMAIL: The email address of the user deploying the function.
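The point of a custom build service account is that it holds only the roles the build needs. The following script is an added example, not part of the Cloud Functions documentation or the gcloud tooling: it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` produces and checks that the build service account holds exactly the three roles granted above (flagging any that are missing and any broader roles it has accumulated) and that the deploying user has Service Account User. The policy document, project, service account and user names in it are constructed sample data; in the sample, the same project owns the service account and the function.

```python
"""Audit a project's IAM policy for a user-created Cloud Build service account.

Added example (not from the Cloud Functions documentation). Input is the JSON
shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`:
{"bindings": [{"role": ..., "members": [...]}], "etag": ..., "version": ...}.
All policy data below is constructed sample data.
"""
import json

# Roles the build service account needs on the function's project
# (the same three roles the add-iam-policy-binding commands grant).
REQUIRED_BUILD_ROLES = frozenset({
    "roles/logging.logWriter",
    "roles/artifactregistry.writer",
    "roles/storage.objectAdmin",
})

# Role the deploying user needs on the project that owns the service account.
ACT_AS_ROLE = "roles/iam.serviceAccountUser"


def roles_for_member(policy, member):
    """Return the set of roles a member (e.g. 'serviceAccount:x@y') holds."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_build_sa(policy, sa_email):
    """Compare the build service account's roles with REQUIRED_BUILD_ROLES.

    Returns the roles still missing (the deploy will fail without them) and
    the roles granted beyond the required set (candidates for removal, so the
    build principal stays least-privileged).
    """
    held = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {
        "missing": sorted(REQUIRED_BUILD_ROLES - held),
        "extra": sorted(held - REQUIRED_BUILD_ROLES),
    }


def deployer_can_act_as(sa_project_policy, user_email):
    """True if the deploying user holds Service Account User on the SA's project."""
    return ACT_AS_ROLE in roles_for_member(sa_project_policy, f"user:{user_email}")


# Constructed sample policy: the SA is missing storage.objectAdmin and has
# been given roles/editor, which is far broader than a build needs.
SAMPLE_SA = "fn-build@example-project.iam.gserviceaccount.com"
SAMPLE_USER = "dev@example.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:fn-build@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/artifactregistry.writer",
     "members": ["serviceAccount:fn-build@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:fn-build@example-project.iam.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:dev@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

if __name__ == "__main__":
    result = audit_build_sa(SAMPLE_POLICY, SAMPLE_SA)
    print("missing roles:", result["missing"])   # ['roles/storage.objectAdmin']
    print("extra roles:  ", result["extra"])     # ['roles/editor']
    print("deployer can act as SA:", deployer_can_act_as(SAMPLE_POLICY, SAMPLE_USER))
```

To run it against a real project, save the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and load that file in place of SAMPLE_POLICY; when the service account lives in a different project, fetch that project's policy separately for the deployer check. The audit only inspects project-level bindings, so roles granted on individual buckets or repositories are not visible to it.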

Deploy a function with a custom service account

You can use the Google Cloud CLI to deploy a function that uses a custom service account for Cloud Build:

  • The --build-service-account flag specifies an IAM service account whose credentials will be used for the build step. If a custom service account is not provided, the function uses the project's default service account for Cloud Build.
  • You can optionally use a private pool, which you specify using the --build-worker-pool flag.

gcloud beta functions deploy FUNCTION_NAME \
   --gen2 \
   --region=REGION \
   --project=PROJECT_ID \
   --runtime=RUNTIME \
   --entry-point=CODE_ENTRYPOINT \
   --build-service-account=projects/PROJECT_ID/serviceAccounts/SA_EMAIL \
   --memory=256Mi \
   --trigger-http \
   --source=.

Replace the following:

  • FUNCTION_NAME: The name of the function you are deploying.
  • REGION: The name of the Google Cloud region where you want to deploy your function (for example, us-west1).
  • PROJECT_ID: Your Google Cloud project ID.
  • RUNTIME: The runtime ID of a supported runtime version to run your function, for example, nodejs18.
  • CODE_ENTRYPOINT: The entry point to your function in your source code. This is the code that will be executed when your function runs.
  • SA_EMAIL: The email address of your service account.