Authorizing Access to Cloud Functions via IAM

You use Identity and Access Management (IAM) to authorize identities to perform administrative actions on your functions, like creating, updating, and deleting them. You add members (the identities you wish to enable, usually a user or service account email) to the function and then grant those members the appropriate IAM roles. These roles include permissions that define the actions they are allowed to do.

Enabling access to a function

You can control actions on a function by granting or restricting roles to individual identities through IAM.

Adding members and granting roles

Console

  1. Go to the Google Cloud Console.

  2. Click the checkbox next to the function in which you are interested.

  3. Click Permissions at the top of the screen. The Permissions panel opens.

  4. Click Add member.

  5. In the New members field, enter one or more identities that need access to your function. This is usually a user or service account email.

  6. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  7. Click Save.

GCloud

Use the gcloud functions add-iam-policy-binding command:

gcloud functions add-iam-policy-binding FUNCTION_NAME \
  --member=MEMBER_ID \
  --role=ROLE

where FUNCTION_NAME is the function name, MEMBER_ID is the member identity, usually an email, and ROLE is the role.

For a list of sources that can provide a MEMBER_ID, see the IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Functions IAM Roles reference page.

Removing roles from members

Console

  1. Go to the Google Cloud Console.

  2. Click the checkbox next to the function in which you are interested.

  3. Click Permissions at the top of the screen. The Permissions panel opens.

  4. Search for the member you want to remove. Look in every role the member has been granted.

  5. When you find the member in the role you wish to delete, click the trash can icon next to it. If you wish to completely remove the member, do this for every role the member has been granted.

GCloud

Use the gcloud functions remove-iam-policy-binding command:

gcloud functions remove-iam-policy-binding FUNCTION_NAME \
  --member=MEMBER_ID \
  --role=ROLE

where FUNCTION_NAME is the function name, MEMBER_ID is the member identity (for a service account, its email prefaced with serviceAccount:), and ROLE is the role.

For a list of acceptable sources for MEMBER_ID, see the IAM concepts page. For a list of possible values for ROLE, see the Cloud Functions IAM Roles reference page.

If the member has been granted multiple roles, make sure you specify the one you wish to remove.

Bulk addition or removal of members

Console

  1. Go to the Google Cloud Console.

  2. Click the checkboxes next to the functions on which you want to grant or restrict access.

  3. Click Permissions at the top of the screen. The Permissions panel opens.

If you want to add members:

  1. Click Add member.

  2. In the New members field, enter multiple identities that need access to your functions.

  3. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  4. Click Save.

If you want to remove members:

  1. Search for the member you want to remove, or expand a role the member has.

  2. When you find the member you wish to delete, click the trash can icon next to it. If you wish to completely remove the member, do this for every role the member has been granted.

GCloud

Create an IAM policy named, for example, policy.json:

{
  "bindings": [
    {
      "role": "ROLE",
      "members": [
        "MEMBER_ID"
      ]
    }
  ]
}

Use the gcloud functions set-iam-policy command:

gcloud functions set-iam-policy FUNCTION_NAME policy.json

For a list of acceptable sources for MEMBER_ID, see the IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Functions IAM Roles reference page.
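The policy file passed to set-iam-policy replaces the function's entire IAM policy, so a file that lists only the binding you are adding drops every other grant on the function. The following is an added example, not code from the Cloud Functions documentation: it starts from the JSON that get-iam-policy returns (the sample policy, member emails and etag are constructed), adds or removes bindings while keeping the rest intact, and emits the set-iam-policy commands for several functions at once.

```python
"""Build or edit a Cloud Functions IAM policy for `gcloud functions set-iam-policy`.

Added example, not part of the Cloud Functions documentation. It operates on the
JSON shape shown above (a "bindings" list of {"role", "members"} objects); the
function names, member emails and the etag value are constructed sample data.
"""
import json
from copy import deepcopy

# Constructed sample: what `gcloud functions get-iam-policy FUNCTION --format=json`
# prints for a function that already carries one binding.
EXISTING_POLICY = {
    "bindings": [
        {
            "role": "roles/cloudfunctions.developer",
            "members": ["user:alice@example.com"],
        }
    ],
    "etag": "BwXyZ-constructed",
    "version": 1,
}


def add_binding(policy, role, members):
    """Return a copy of `policy` in which `members` hold `role`.

    Existing bindings are preserved: set-iam-policy overwrites the whole policy,
    so a file holding only the new binding would silently revoke every other grant.
    """
    result = deepcopy(policy)
    for binding in result.setdefault("bindings", []):
        if binding["role"] == role:
            for member in members:
                if member not in binding["members"]:
                    binding["members"].append(member)
            return result
    result["bindings"].append({"role": role, "members": list(members)})
    return result


def remove_member(policy, member, role=None):
    """Return a copy of `policy` with `member` removed from `role`, or from
    every role when `role` is None (the 'completely remove the member' case)."""
    result = deepcopy(policy)
    kept = []
    for binding in result.get("bindings", []):
        if role is None or binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:  # drop bindings that no longer grant anyone anything
            kept.append(binding)
    result["bindings"] = kept
    return result


def set_policy_commands(function_names, policy_path):
    """Return the gcloud commands that would apply `policy_path` to each
    function. The commands are returned as strings, not executed."""
    return [f"gcloud functions set-iam-policy {name} {policy_path}"
            for name in function_names]


if __name__ == "__main__":
    updated = add_binding(
        EXISTING_POLICY,
        "roles/cloudfunctions.invoker",
        ["serviceAccount:invoker@example-project.iam.gserviceaccount.com"],
    )
    with open("policy.json", "w") as fh:
        json.dump(updated, fh, indent=2)
    for cmd in set_policy_commands(["hello-http", "process-queue"], "policy.json"):
        print(cmd)
```

Run it once per distinct starting policy: because the file is applied verbatim, functions whose current bindings differ need their own get-iam-policy snapshot edited and written separately rather than one shared file.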

Viewing members

Console

  1. Go to the Google Cloud Console.

  2. Click the name of the function you are interested in.

  3. Select the Permissions tab. The Permissions panel opens.

  4. Make sure the Members tab is selected.

GCloud

Use the gcloud functions get-iam-policy command:

gcloud functions get-iam-policy FUNCTION_NAME

Allowing unauthenticated HTTP function invocation

As of January 15, 2020, all HTTP functions by default require most invokers to be authenticated. To allow unauthenticated invocation you must specify this at or after deployment.

You use a special variant of the approach described above to grant unauthenticated invokers the ability to invoke an HTTP function.

At deployment

Console

Select Allow unauthenticated invocations in the Authentication section on the Configuration panel.

GCloud

The gcloud functions deploy command includes a prompt to help you configure invocation permissions during function creation. It also includes the --allow-unauthenticated flag:

gcloud functions deploy FUNCTION_NAME \
  --trigger-http \
  --allow-unauthenticated \
  ...

Subsequent deployments of the same function do not change its status, even if you do not use this flag.

After deployment

To allow unauthenticated invocation of a function, you add the special allUsers member id to the function and grant it the Cloud Functions Invoker role:

Console

  1. Go to the Google Cloud Console.

  2. Click the checkbox next to the function to which you want to grant access.

  3. Click Permissions at the top of the screen. The Permissions panel opens.

  4. Click Add member.

  5. In the New members field, type allUsers.

  6. Select the role Cloud Functions > Cloud Functions Invoker from the Select a role drop-down menu.

  7. Click Save.

GCloud

Use the gcloud functions add-iam-policy-binding command to add the special allUsers member id to a function and grant it the roles/cloudfunctions.invoker role:

gcloud functions add-iam-policy-binding FUNCTION_NAME \
  --member="allUsers" \
  --role="roles/cloudfunctions.invoker"

Domain Restricted Sharing

If you are developing functions in a project that is subject to the Domain Restricted Sharing organization policy you will be unable to allow unauthenticated invocation of a function. This policy restricts public data sharing to reduce the risk of data exfiltration.

If you wish to deploy functions that permit unauthenticated invocation, we recommend that you remove the Domain Restricted Sharing organization policy on the project. Organization policies can be set at the organization, folder or project level.

Once you have created your function(s) that allow unauthenticated invocation, the organization policy can be re-enabled:

  • Functions deployed before the organization policy has been re-enabled will continue to allow unauthenticated invocation.
  • New versions of these existing functions can be deployed without requiring authenticated invocation.
  • New functions that permit unauthenticated invocations cannot be deployed.
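Because functions granted unauthenticated invocation before the organization policy was re-enabled keep that grant, the policy alone does not tell you which functions are public. The following added example (not code from the Cloud Functions documentation) audits the JSON printed by gcloud functions get-iam-policy FUNCTION --format=json: it reports the allUsers invoker binding described above, and, going slightly beyond the page, also flags allAuthenticatedUsers (the other IAM principal that denotes a public audience) and members whose address lies outside an allow-listed set of domains, which is the kind of grant Domain Restricted Sharing blocks. The sample policy, function name and domains are constructed.

```python
"""Audit a Cloud Functions IAM policy for public and out-of-domain access.

Added example, not part of the Cloud Functions documentation. Input is the JSON
that `gcloud functions get-iam-policy FUNCTION --format=json` prints; the sample
policy and the domains below are constructed.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/cloudfunctions.invoker"

# Constructed sample: a function deployed with --allow-unauthenticated that was
# later also granted a developer role to a user outside the organisation's domain.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/cloudfunctions.invoker",
     "members": ["allUsers",
                 "serviceAccount:caller@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudfunctions.developer",
     "members": ["user:alice@example.com", "user:contractor@other-example.org"]}
  ],
  "etag": "BwXyZ-constructed",
  "version": 1
}
"""


def public_bindings(policy):
    """Return (role, principal) pairs granting any role to allUsers or
    allAuthenticatedUsers; any hit means the function is reachable by
    identities the project does not control."""
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_PRINCIPALS
    ]


def allows_unauthenticated_invocation(policy):
    """True when allUsers holds roles/cloudfunctions.invoker, the state produced
    by --allow-unauthenticated or by the allUsers binding shown above."""
    return (INVOKER_ROLE, "allUsers") in public_bindings(policy)


def member_domain(member):
    """Domain of 'user:a@x.com' / 'serviceAccount:...' / 'group:...' members.
    Returns None for principals with no address (allUsers, domain:...)."""
    _, _, address = member.partition(":")
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def out_of_domain_members(policy, allowed_domains):
    """Return (role, member) pairs whose address is outside `allowed_domains`.
    Public principals have no address and are reported by public_bindings()."""
    allowed = {d.lower() for d in allowed_domains}
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            domain = member_domain(member)
            if domain is not None and domain not in allowed:
                hits.append((binding["role"], member))
    return hits


def audit(policy_json, allowed_domains):
    """Parse one get-iam-policy JSON document and return the findings."""
    policy = json.loads(policy_json)
    return {
        "unauthenticated_invocation": allows_unauthenticated_invocation(policy),
        "public_bindings": public_bindings(policy),
        "out_of_domain": out_of_domain_members(policy, allowed_domains),
    }


if __name__ == "__main__":
    # Service accounts live under <project>.iam.gserviceaccount.com, so that
    # domain is allow-listed next to the organisation's own domain.
    report = audit(SAMPLE_POLICY_JSON,
                   ["example.com", "example-project.iam.gserviceaccount.com"])
    print(json.dumps(report, indent=2))
```

Feed it one get-iam-policy document per function to obtain a per-function list of public and out-of-domain grants; a function reported as unauthenticated_invocation is one the re-enabled organization policy will not retroactively close.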

Controlling access on all functions in a project

If you want to grant roles to members on all functions in a project, you can use project-level IAM.