Runtime service account
Just as other entities need access to Cloud Functions in order to interact with it, functions themselves often need access to other Google Cloud resources to do their work. By default, Cloud Functions uses the App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com) as its identity for function execution.
The App Engine default service account, however, holds the Editor role on the project, which lets it read and modify most GCP services. That is the fastest way to start developing functions, but it is almost certainly more permission than your function needs in production: a bug in the function, an injection flaw, or a compromised dependency would inherit Editor access to the whole project. Before going to production, configure the runtime identity for least privilege.
There are two approaches to doing this:
- Change permissions on the App Engine default service account
- Create individual service accounts for your functions
Changing permissions on the App Engine default service account
Console
Go to the IAM page in the Google Cloud Console.
Select the App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com) from the table.
Click the pencil on the right side of the row to show the Edit permissions tab.
Add or remove roles in the role dropdown to provide least privilege access.
Click Save.
GCloud
Remove the Editor role, then use the gcloud projects add-iam-policy-binding command to add a new role. Note that IAM member strings carry a type prefix, so the service account must be written as serviceAccount:EMAIL, not as the bare email:

# Remove the Editor role
gcloud projects remove-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:PROJECT_ID@appspot.gserviceaccount.com" \
    --role="roles/editor"

# Add the desired role
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:PROJECT_ID@appspot.gserviceaccount.com" \
    --role="ROLE"
Where PROJECT_ID is the project ID of the project you're using and ROLE is the new role to assign to the runtime service account.
Using individual service accounts for your functions
To give you greater flexibility in controlling access for your functions, you can give them each their own service account, a non-default identity.
- Create the service account. It must be in the same project as the function it is attached to. Make a note of its email address (SA_NAME@PROJECT_ID.iam.gserviceaccount.com); that is what you attach to the function.
- Grant it only the roles it needs for the resources the function accesses. Where the resource has its own IAM policy (a bucket, a Pub/Sub topic, a secret), bind the role on that resource rather than on the whole project.
- Add the service account to the resource as a member. The method for doing this depends on the resource you need to access.
- Connect the service account with the function. You can do this either at deployment time or by updating a previously deployed function.
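Whichever of the two approaches you take, you will want to verify that it actually took effect: that the App Engine default service account no longer holds Editor, and that no function still runs as it. The following is an added example, not code from the Cloud Functions documentation. It audits the JSON that gcloud projects get-iam-policy PROJECT_ID --format=json and gcloud functions list --format=json print, using constructed samples so it runs offline; the project ID my-project, the 1st gen function resource shape (runtime identity in the top-level serviceAccountEmail field), and the convention that each function's dedicated service account is named after the function are all assumptions of the example.

```python
"""Audit a project for Cloud Functions still running as the App Engine default
service account, and for that account still holding roles/editor.

Added example, not code from the Cloud Functions documentation. Inputs are
the JSON shapes printed by `gcloud projects get-iam-policy --format=json`
and `gcloud functions list --format=json`; the samples below are constructed.
"""
import json
import re

PROJECT_ID = "my-project"  # assumed project ID for the constructed samples
DEFAULT_SA = f"{PROJECT_ID}@appspot.gserviceaccount.com"

# Constructed sample policy: the default service account still holds Editor.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXyZ123abc=",
    "bindings": [
        {"role": "roles/editor",
         "members": [f"serviceAccount:{DEFAULT_SA}", "user:alice@example.com"]},
        {"role": "roles/pubsub.publisher",
         "members": [f"serviceAccount:publisher-fn@{PROJECT_ID}.iam.gserviceaccount.com"]},
    ],
})

# Constructed sample function list (1st gen resource shape, assumed: the
# runtime identity is the top-level serviceAccountEmail field).
SAMPLE_FUNCTIONS = json.dumps([
    {"name": f"projects/{PROJECT_ID}/locations/us-central1/functions/legacy-fn",
     "serviceAccountEmail": DEFAULT_SA},
    {"name": f"projects/{PROJECT_ID}/locations/us-central1/functions/publisher-fn",
     "serviceAccountEmail": f"publisher-fn@{PROJECT_ID}.iam.gserviceaccount.com"},
    {"name": f"projects/{PROJECT_ID}/locations/us-central1/functions/foreign-fn",
     "serviceAccountEmail": "shared-sa@other-project.iam.gserviceaccount.com"},
])

# User-managed service accounts live at <name>@<project>.iam.gserviceaccount.com
USER_MANAGED_SA = re.compile(
    r"^[a-z][a-z0-9-]*@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$")


def roles_of(policy_json, sa_email):
    """Project-level roles bound to a service account.

    IAM member strings carry a type prefix, so the bare email never matches a
    binding; this is also why gcloud needs --member=serviceAccount:<email>.
    """
    member = f"serviceAccount:{sa_email}"
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def classify_runtime_identity(sa_email, project_id):
    """'default' for the App Engine default SA, 'ok' for a user-managed SA in
    this project, 'other' for anything else (a service account from another
    project cannot be attached to a function in this one)."""
    if sa_email == f"{project_id}@appspot.gserviceaccount.com":
        return "default"
    m = USER_MANAGED_SA.match(sa_email)
    if m and m.group(1) == project_id:
        return "ok"
    return "other"


def audit(policy_json, functions_json, project_id):
    """Return (findings, remediation_commands) for a project."""
    default_sa = f"{project_id}@appspot.gserviceaccount.com"
    findings, commands = [], []

    if "roles/editor" in roles_of(policy_json, default_sa):
        findings.append(f"{default_sa} holds roles/editor on the project")
        commands.append(
            f"gcloud projects remove-iam-policy-binding {project_id} "
            f"--member=serviceAccount:{default_sa} --role=roles/editor")

    for fn in json.loads(functions_json):
        short = fn["name"].rsplit("/", 1)[-1]
        sa = fn.get("serviceAccountEmail", "")
        kind = classify_runtime_identity(sa, project_id)
        if kind == "default":
            findings.append(f"{short} runs as the App Engine default service account")
            # Assumes a dedicated SA named after the function already exists.
            commands.append(
                f"gcloud functions deploy {short} "
                f"--service-account={short}@{project_id}.iam.gserviceaccount.com")
        elif kind == "other":
            findings.append(f"{short} runs as {sa}, which is not a user-managed "
                            f"service account in {project_id}")
    return findings, commands


if __name__ == "__main__":
    found, fixes = audit(SAMPLE_POLICY, SAMPLE_FUNCTIONS, PROJECT_ID)
    for line in found:
        print("FINDING:", line)
    for cmd in fixes:
        print("FIX:    ", cmd)
```

Against the constructed samples the audit reports three findings (the default service account is still an Editor, legacy-fn still runs as it, and foreign-fn is attached to a service account from another project) and emits the two gcloud commands that address the first two. Run it on real output by piping the two gcloud commands above into files and loading them in place of the samples; the check on the project-level policy only, since resource-level bindings (on a bucket or topic) are not part of the project policy and need their own get-iam-policy call.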
Adding a non-default service account at deployment
Console
Go to the Cloud Functions page in the Google Cloud Console.
Specify and configure the function however you would like.
Click Runtime, build and connections settings to display additional settings.
Select the Runtime tab.
Click the Service account dropdown and select the desired service account.
Click Next and Create.
GCloud
When deploying a function using gcloud functions deploy, add the --service-account flag. For example:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

where FUNCTION_NAME is your function name, and SERVICE_ACCOUNT_EMAIL is the service account email.
Updating the service account of an existing function
You can also update existing functions to have a new runtime service account.
Console
Go to the Cloud Functions page in the Google Cloud Console.
Click the name of the desired function to go to its detail page.
Click the EDIT pencil at the top of the detail page to edit the function.
Click Runtime, build and connections settings to display additional settings.
Select the Runtime tab.
Click the Service account dropdown and select the desired service account.
Click Next and Deploy.
GCloud
When redeploying the function using gcloud functions deploy, add the --service-account flag:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

where FUNCTION_NAME is your function name, and SERVICE_ACCOUNT_EMAIL is the service account email.