Function Identity

Runtime service account

Just as other principals need IAM access to invoke or manage your functions, functions themselves usually need access to other Google Cloud resources to do their work. The identity they use for that is the runtime service account: whatever Google Cloud API calls the function's code makes are authorized as that account. By default Cloud Functions uses the App Engine default service account, PROJECT_ID@appspot.gserviceaccount.com, as the identity for function execution.

But the App Engine default service account is granted the Editor role on the project, which lets it read and modify most GCP services. That is convenient while developing, but it is almost always far more permission than a function needs in production, so you will want to configure it for least-privilege access: only the roles the function's code actually requires, and ideally on the specific resources it touches rather than on the whole project.

There are two approaches to doing this:

Changing permissions on the App Engine default service account

Console

  1. Go to the IAM page in the Google Cloud Console.

  2. Select the App Engine default Service Account (PROJECT_ID@appspot.gserviceaccount.com) from the table.

  3. Click the pencil on the right side of the row to show the Edit permissions tab.

  4. Add or remove roles in the role dropdown to provide least privilege access.

  5. Click Save.

GCloud

Remove the Editor role, then use the gcloud projects add-iam-policy-binding command to add a new role:

# Remove the Editor role. Service accounts are addressed with the
# "serviceAccount:" member prefix, and each continued line needs a backslash.
gcloud projects remove-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:PROJECT_ID@appspot.gserviceaccount.com" \
  --role="roles/editor"

# Add the desired (least-privilege) role
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:PROJECT_ID@appspot.gserviceaccount.com" \
  --role="ROLE"

Where PROJECT_ID is the project ID of the project you're using and ROLE is the new role to assign to the runtime service account. Note that this account is shared by every function in the project that still uses the default identity, and by App Engine itself if you run it, so removing Editor changes what all of them can do; check what depends on the account before removing the binding, and grant the replacement role before you remove Editor so nothing loses access in between.

Using individual service accounts for your functions

To give you greater flexibility in controlling access for your functions, you can give them each their own service account, a non-default identity.

  • Create the service account. It must be in the same project as the function it is attached to. Make a note of its email address (NAME@PROJECT_ID.iam.gserviceaccount.com), which is what you pass when attaching it to the function.
  • Grant it the appropriate roles, based on what resources the function needs to access to do its work.
  • Add the service account to the resource as a member. The method for doing this depends on the resource you need to access.
  • Connect the service account with the function. You can do this either at deployment time or by updating a previously deployed function.
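The following is an added example, not code from the Cloud Functions documentation. It models offline what the gcloud commands in the previous section (remove-iam-policy-binding, add-iam-policy-binding) do to a project's IAM policy document, so a least-privilege change can be reviewed before it is applied, and it adds two checks that the steps above call for: which service accounts in the policy still hold a basic role such as Editor, and whether a service account belongs to the project the function lives in. The project ID "my-project", the service account "fn-orders@my-project.iam.gserviceaccount.com", the role "roles/pubsub.publisher" and the policy contents are constructed sample data. The example grants the role at project level to keep it short; granting it on the individual topic or bucket the function uses, as the steps above describe, is tighter still.

```python
"""Offline model of the IAM policy edits used for least privilege.

Added example: reproduces the effect of `gcloud projects
remove-iam-policy-binding` / `add-iam-policy-binding` on a policy
document and adds an audit for basic roles plus a same-project check.
All names and the policy below are constructed sample data.
"""
import copy

# Same shape as `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:my-project@appspot.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["group:auditors@example.com"]},
    ],
    "etag": "BwXyz123",   # returned by get-iam-policy; set-iam-policy sends it back
    "version": 1,
}

# Basic roles grant broad access across the whole project; least privilege
# means replacing them with predefined or custom roles on the resources
# the function actually uses.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def service_accounts_with_basic_roles(policy):
    """Map each service-account member holding a basic role to those roles."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            for member in binding.get("members", []):
                if member.startswith("serviceAccount:"):
                    found.setdefault(member, []).append(binding["role"])
    return found


def remove_binding(policy, member, role):
    """Return a copy with `member` removed from `role` (empty bindings dropped)."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
            if not binding["members"]:
                continue          # gcloud deletes a binding with no members left
        kept.append(binding)
    new["bindings"] = kept
    return new


def add_binding(policy, member, role):
    """Return a copy granting `role` to `member`, reusing an unconditional binding."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def roles_of(policy, member):
    """Sorted roles granted to `member` at the project level."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def service_account_project(email):
    """Project that owns a service account, taken from its email, or None."""
    local, _, domain = email.partition("@")
    if domain == "appspot.gserviceaccount.com":            # App Engine default SA
        return local
    if domain.endswith(".iam.gserviceaccount.com"):        # user-created SA
        return domain[: -len(".iam.gserviceaccount.com")]
    return None


def can_attach(sa_email, project_id):
    """A function may only use a service account from its own project."""
    return service_account_project(sa_email) == project_id


if __name__ == "__main__":
    default_sa = "serviceAccount:my-project@appspot.gserviceaccount.com"
    fn_sa = "fn-orders@my-project.iam.gserviceaccount.com"
    print("basic roles on service accounts:",
          service_accounts_with_basic_roles(SAMPLE_POLICY))
    policy = remove_binding(SAMPLE_POLICY, default_sa, "roles/editor")
    policy = add_binding(policy, "serviceAccount:" + fn_sa, "roles/pubsub.publisher")
    print("default SA now holds:", roles_of(policy, default_sa))
    print("function SA holds:", roles_of(policy, "serviceAccount:" + fn_sa))
    print("same project:", can_attach(fn_sa, "my-project"))
```

Run it as a script to see the audit and the resulting grants; in practice you would feed the real output of `gcloud projects get-iam-policy` into the same functions and compare the result against what the gcloud binding commands produce. The etag is carried through untouched because `set-iam-policy` uses it to reject a write that would overwrite a concurrent change.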

Adding a non-default service account at deployment

Console

  1. Go to the Cloud Functions page in the Google Cloud Console.

  2. Specify and configure the function however you would like.

  3. Click Runtime, build and connections settings to display additional settings.

  4. Select the Runtime tab.

  5. Click the Service account dropdown and select the desired service account.

  6. Click Next and Create.

GCloud

When deploying a function using gcloud functions deploy, add the --service-account flag. For example:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

where FUNCTION_NAME is your function name and SERVICE_ACCOUNT_EMAIL is the service account's email address. The account performing the deployment must be allowed to act as that service account (the Service Account User role, roles/iam.serviceAccountUser, which carries the iam.serviceAccounts.actAs permission); without it the deployment is rejected. This is deliberate: attaching a service account to a function lets the function's code use every permission the account has, so it is itself a privileged operation.

Updating the service account of an existing function

You can also update existing functions to have a new runtime service account.

Console

  1. Go to the Cloud Functions page in the Google Cloud Console.

  2. Click the name of the desired function to go to its detail page.

  3. Click the EDIT pencil at the top of the detail page to edit the function.

  4. Click Runtime, build and connections settings to display additional settings.

  5. Select the Runtime tab.

  6. Click the Service account dropdown and select the desired service account.

  7. Click Next and Deploy.

GCloud

To change the runtime service account of an existing function, redeploy it with gcloud functions deploy and add the --service-account flag:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

where FUNCTION_NAME is your function name and SERVICE_ACCOUNT_EMAIL is the service account's email address. The new identity takes effect for executions of the new revision; the same actAs requirement as for a first deployment applies.