Function Identity

Runtime service account

During function execution, Cloud Functions uses the service account PROJECT_ID@appspot.gserviceaccount.com as its identity. For instance, when making requests to Google Cloud Platform services using the Google Cloud Client Libraries, Cloud Functions mints tokens based on this identity and places them in the appropriate authentication headers. Any code running in the function, including its third-party dependencies, can obtain and use these tokens, so the roles granted to this account bound what a compromised or buggy function can reach.

Changing default permissions

By default, the runtime service account has the Editor role, which lets it read and modify resources across most Cloud Platform services in the project. While this is the fastest way to develop functions, it's almost certainly more than your function needs in production, and you'll want to configure it for least privilege access.

Console

  1. Go to the IAM page in the Google Cloud Platform Console.

  2. Select the Runtime Service Account (PROJECT_ID@appspot.gserviceaccount.com) from the table.

  3. Click the pencil on the right side of the row to show the Edit permissions tab.

  4. Add or remove roles in the role dropdown to provide least privilege access.

  5. Click Save.

GCloud

The roles a service account holds on the project are bindings in the project's IAM policy, not in the IAM policy of the service account itself. Use the projects IAM commands rather than gcloud iam service-accounts set-iam-policy, which controls who may administer or act as the service account and does not change what the account can do.

Grant each role the function actually needs, replacing [VALUES_IN_BRACKETS] with appropriate values (note the serviceAccount: prefix on the member):

gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member serviceAccount:[PROJECT_ID]@appspot.gserviceaccount.com \
  --role [ROLE]

Then remove the default Editor grant:

gcloud projects remove-iam-policy-binding [PROJECT_ID] \
  --member serviceAccount:[PROJECT_ID]@appspot.gserviceaccount.com \
  --role roles/editor

Prefer add-iam-policy-binding and remove-iam-policy-binding over gcloud projects set-iam-policy with a hand-written policy file: set-iam-policy replaces the entire project policy, so a file containing only the function's binding would drop every other grant in the project.
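The following script is an added example and is not part of the Cloud Functions documentation. It scripts the least-privilege change described above: it grants an explicit list of roles to the default runtime service account, then removes Editor, and offers a query to verify what the account still holds. The project and role names in the demo at the bottom are placeholders; set GCLOUD=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the Cloud Functions documentation): move the default
# runtime service account from Editor to an explicit, minimal set of roles.
# Project and role names used in the demo at the bottom are placeholders.
set -eu

# Real gcloud by default; set GCLOUD=echo to preview the commands without running them.
GCLOUD="${GCLOUD:-gcloud}"

# IAM member string for the default runtime service account of a project.
default_runtime_member() {
  printf 'serviceAccount:%s@appspot.gserviceaccount.com\n' "$1"
}

# Usage: restrict_default_runtime_sa PROJECT_ID ROLE [ROLE...]
# Grants each ROLE on the project first, then removes roles/editor, so the
# function never runs with no permissions at all during the change.
restrict_default_runtime_sa() {
  project="$1"; shift
  if [ "$#" -eq 0 ]; then
    echo "refusing to remove roles/editor without replacement roles" >&2
    return 1
  fi
  member="$(default_runtime_member "$project")"
  for role in "$@"; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member "$member" --role "$role"
  done
  "$GCLOUD" projects remove-iam-policy-binding "$project" \
    --member "$member" --role roles/editor
}

# Usage: list_roles_for_member PROJECT_ID MEMBER
# Prints the roles MEMBER still holds in the project policy; use it to verify
# that roles/editor is gone and nothing unexpected remains.
list_roles_for_member() {
  "$GCLOUD" projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# Demo with constructed values: `sh restrict.sh demo` (or GCLOUD=echo sh restrict.sh demo).
if [ "${1:-}" = "demo" ]; then
  restrict_default_runtime_sa my-project roles/storage.objectViewer roles/pubsub.publisher
  list_roles_for_member my-project "$(default_runtime_member my-project)"
fi
```

The add-before-remove ordering matters: removing Editor first would leave every function using the default account without permissions until the replacement roles land. The function also refuses to remove Editor when no replacement roles are given, since that would strand the account rather than restrict it.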

Per-function identity

If you have multiple functions all accessing different resources, you'll likely want to give each function its own identity. This can be done by deploying the function with a named service account that has the correct role. The service account being deployed must have been created in the same project as the function it is attached to.

Permissions required to use non-default identities

In order to deploy a function with non-default service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed.

If a user creates a service account, that user is automatically granted this permission; otherwise, a user with the correct permissions must grant it to the deployer on the service account (for example, by granting the Service Account User role, roles/iam.serviceAccountUser, on that service account) before the deployer can deploy.

Deploying a new function with a non-default identity

Before you deploy a function with a new identity, make sure that the service account you want to use is already created. If not, learn how to create and manage service accounts.

Console

  1. Go to the Cloud Functions page in the Google Cloud Platform Console.

  2. Configure the function however you would like.

  3. Click More to expand "Advanced options."

  4. Click the Service account dropdown and select the desired service account.

  5. Click Create.

GCloud

When deploying a function using gcloud functions deploy, add the --service-account flag. For example:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

where FUNCTION_NAME is your function name, and SERVICE_ACCOUNT_EMAIL is the service account associated with the new identity.
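The following script is an added example and is not part of the Cloud Functions documentation. It ties together the three preceding sections: it creates a dedicated service account in the function's project, grants that account a single narrow role, grants the deployer the Service Account User role on it (which carries iam.serviceAccounts.actAs), and deploys the function with --service-account. The project, function, account, role and deployer names in the demo are placeholders; set GCLOUD=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the Cloud Functions documentation): give one function
# its own service account, grant that account a narrow role, let the deployer act
# as it, and deploy. All names in the demo at the bottom are placeholders.
set -eu

# Real gcloud by default; set GCLOUD=echo to preview the commands without running them.
GCLOUD="${GCLOUD:-gcloud}"

# Email of a user-managed service account named NAME in PROJECT_ID.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Usage: setup_function_identity PROJECT_ID FUNCTION_NAME SA_NAME ROLE DEPLOYER_EMAIL [deploy flags...]
# Extra arguments are passed through to `gcloud functions deploy` (for example
# --runtime and --trigger-http), since a deploy needs more than --service-account.
setup_function_identity() {
  [ "$#" -ge 5 ] || { echo "usage: setup_function_identity PROJECT FUNCTION SA_NAME ROLE DEPLOYER [deploy flags...]" >&2; return 1; }
  project="$1"; function_name="$2"; sa_name="$3"; role="$4"; deployer="$5"
  shift 5
  email="$(sa_email "$sa_name" "$project")"

  # 1. The account must exist in the same project as the function.
  "$GCLOUD" iam service-accounts create "$sa_name" \
    --project "$project" --display-name "runtime identity for $function_name"

  # 2. Grant only the role this function needs. This binds on the project;
  #    binding on the specific bucket or topic is tighter still where supported.
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member "serviceAccount:$email" --role "$role"

  # 3. The deployer needs iam.serviceAccounts.actAs on the account; the
  #    Service Account User role on the account itself carries that permission.
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$email" \
    --member "user:$deployer" --role roles/iam.serviceAccountUser

  # 4. Deploy the function with the new identity.
  "$GCLOUD" functions deploy "$function_name" \
    --project "$project" --service-account "$email" "$@"
}

# Demo with constructed values: `GCLOUD=echo sh identity.sh demo` prints the commands.
if [ "${1:-}" = "demo" ]; then
  setup_function_identity my-project thumbnailer thumbnailer-sa \
    roles/storage.objectViewer deployer@example.com --runtime nodejs10 --trigger-http
fi
```

Step 3 binds the Service Account User role on the service account resource, not on the project: granting it project-wide would let the deployer act as every service account in the project, which defeats the point of giving each function its own identity.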

Updating the identity of an existing function

You can also update existing functions to have a new runtime service account.

Console

  1. Go to the Cloud Functions page in the Google Cloud Platform Console.

  2. Click the name of the desired function to go to its detail page.

  3. Click the EDIT pencil at the top of the detail page to edit the function.

  4. Click More to expand "Advanced options."

  5. Click the Service account dropdown and select the desired service account.

  6. Click Save.

GCloud

When redeploying the existing function with gcloud functions deploy, add the --service-account flag:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

where FUNCTION_NAME is your function name, and SERVICE_ACCOUNT_EMAIL is the service account associated with the new identity.
