Managing Access via IAM

You can use Cloud Identity and Access Management (IAM) to control a developer's ability to view, create, update and delete functions. You can also control whether authentication is required to invoke a function. This is achieved by granting roles to different members.

Controlling access on a function

You can control access on a function using IAM by granting or restricting roles to individual users.

Adding users

Console

  1. Go to the Google Cloud Console:

    Go to Google Cloud Console

  2. Click the checkbox next to the function on which you want to grant access.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. In the Add members field, enter one or more identities that need access to your function.

  5. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  6. Click Save.

GCloud

Use the gcloud functions add-iam-policy-binding command:

gcloud functions add-iam-policy-binding FUNCTION_NAME \
  --member=MEMBER_TYPE \
  --role=ROLE

where FUNCTION_NAME is the function name, MEMBER_TYPE is the member type, and ROLE is the role.

For a list of acceptable values for MEMBER_TYPE, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Functions IAM Roles reference page.

Removing users

Console

  1. Go to the Google Cloud Console:

    Go to Google Cloud Console

  2. Click the checkbox next to the function on which you want to restrict access.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. Search for the user you want to remove, or expand a role the user has.

  5. Click the delete trash can next to the member type within the role to remove the role from the member.

GCloud

Use the gcloud functions remove-iam-policy-binding command:

  gcloud functions remove-iam-policy-binding FUNCTION_NAME \
    --member=MEMBER_TYPE \
    --role=ROLE

where FUNCTION_NAME is the function name, MEMBER_TYPE is the member type, and ROLE is the role.

For a list of acceptable values for MEMBER_TYPE, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Functions IAM Roles reference page.

Bulk addition or removal of users

Console

  1. Go to the Google Cloud Console:

    Go to Google Cloud Console

  2. Click the checkboxes next to the functions on which you want to grant or restrict access.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

If you want to add users:

  1. In the Add members field, enter multiple identities that need access to your function.

  2. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  3. Click Save.

If you want to remove users:

  1. Search for the user you want to remove, or expand a role the user has.

  2. Click the delete trash can next to the member type within the role to remove the role from the member.

GCloud

Create an IAM policy named, for example, policy.json:

{
  "bindings": [
    {
      "role": ROLE,
      "members": [
        MEMBER_TYPE
      ]
    }
  ]
}

Use the gcloud functions set-iam-policy command:

gcloud functions set-iam-policy FUNCTION_NAME policy.json

For a list of acceptable values for MEMBER_TYPE, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Functions IAM Roles reference page.

Viewing users

Console

  1. Go to the Google Cloud Console:

    Go to Google Cloud Console

  2. Select the function you want to view users and roles.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. All users will be shown, grouped by role granted.

GCloud

Use the gcloud functions get-iam-policy command:

gcloud functions get-iam-policy FUNCTION_NAME

Controlling access on all functions in a project

If you want to grant roles to members on all functions in a project, you can use project-level IAM.

Allowing unauthenticated function invocation

You can use the approach described above to grant or restrict the ability to invoke a function. This allows you to specify whether a caller must be authenticated in order to invoke a function. This concept only applies to HTTP functions. Background functions can only be invoked by the event source to which they are subscribed.

You can allow unauthenticated invocation of a function after it has been deployed by adding the special allUsers member type to a function and granting it the Cloud Functions Invoker role:

Console

  1. Go to the Google Cloud Console:

    Go to Google Cloud Console

  2. Click the checkbox next to the function on which you want to grant access.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. Click Add member.

  5. In the New members field, type allUsers.

  6. Select the role Cloud Functions > Cloud Functions Invoker from the Select a role drop-down menu.

  7. Click Save.

GCloud

Use the gcloud functions add-iam-policy-binding command to add the special allUsers member type to a function and grant it the roles/cloudfunctions.invoker role:

gcloud functions add-iam-policy-binding FUNCTION_NAME \
 --member="allUsers" \
 --role="roles/cloudfunctions.invoker"

You can also use the Google Cloud Console to modify these permissions.

The gcloud functions deploy command includes a prompt to help you configure invocation permissions during function creation. It also includes the --allow-unauthenticated flag:

gcloud functions deploy FUNCTION_NAME \
  --trigger-http \
--allow-unauthenticated \
...

You only need to specify the --allow-unauthenticated flag during initial function creation. Subsequent deployments that do not specify the --allow-unauthenticated flag will not modify IAM permissions.

Domain Restricted Sharing

If you are developing functions in a project that is subject to the Domain Restricted Sharing organization policy you will be unable to allow unauthenticated invocation of a function. This policy restricts public data sharing to reduce the risk of data exfiltration.

If you wish to deploy functions that permit unauthenticated invocation, we recommend that you remove the Domain Restricted Sharing organization policy on the project. Organization policies can be set at the organization, folder or project level.

Once you have created your function(s) that allow unauthenticated invocation, the organization policy can be re-enabled:

  • Functions deployed before the organization policy has been re-enabled will continue to allow unauthenticated invocation.
  • New versions of these existing functions can be deployed without requiring authenticated invocation.
  • New functions that permit unauthenticated invocations cannot be deployed.

Next steps

Learn how to securely authenticate developers, functions, and end-users to the functions you just secured.