Managing Access via IAM

You can use Cloud Identity and Access Management (IAM) to control a developer's ability to view, create, update and delete functions. You can also control whether a function can be invoked by the public or authenticated users and services. This is achieved by granting roles to different members.

Controlling access on an individual function

If you want to control access on a per-function basis, you can use per-function IAM.

Adding users

Console

  1. Go to the Google Cloud Platform Console.

  2. Select the function you want to add users to.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. In the Add members field, enter one or more identities that need access to your function.

  5. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  6. Click Add.

GCloud

Use the gcloud beta functions add-iam-policy-binding command:

gcloud beta functions add-iam-policy-binding FUNCTION_NAME \
  --member=MEMBER \
  --role=ROLE

where FUNCTION_NAME is the function name, MEMBER is the member the role is granted to (for example user:alice@example.com, group:team@example.com or serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com), and ROLE is the role (for example roles/cloudfunctions.invoker).

For a list of acceptable values for MEMBER, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Functions IAM Roles reference page.

Making a function public

You can grant or restrict the ability to invoke a function. This behavior differs for HTTP functions and background functions:

  • By default, any user or service can invoke an HTTP function. You can configure IAM on an HTTP function to restrict this, so that it can only be invoked by a request carrying the credentials of a member that holds the invoker role.
  • Background functions can only be invoked by the event source to which they are subscribed.

You can make a function publicly accessible by binding the special allUsers member to the roles/cloudfunctions.invoker role on that function:

  gcloud beta functions add-iam-policy-binding FUNCTION_NAME \
    --member="allUsers" \
    --role="roles/cloudfunctions.invoker"

The same binding is added by gcloud beta functions deploy when you pass the --allow-unauthenticated flag:

gcloud beta functions deploy FUNCTION_NAME ... --trigger-http --allow-unauthenticated

Subsequent deployments that omit the --allow-unauthenticated flag do not change the IAM policy: a function that was made public once stays public until you remove the allUsers binding explicitly (see Removing users below).

Deploying a background function with the --allow-unauthenticated flag results in an error. Background functions are always private and can't be made public.
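Because a public binding survives later deployments, it is worth checking for one directly rather than trusting the last deploy command. The following Python script is an added example, not part of the Cloud Functions documentation: it audits the JSON that gcloud beta functions get-iam-policy FUNCTION_NAME --format=json prints and lists the gcloud commands that would close each public invoker binding. It also flags allAuthenticatedUsers, the other special member that opens a function to any Google account, which this page does not mention. The sample policy, the etag, the member names and the function name my-function are constructed for the example.

```python
import json
import sys

# Constructed sample of what `gcloud beta functions get-iam-policy FUNCTION_NAME --format=json`
# returns for a function that was once deployed with --allow-unauthenticated. The etag and
# the member names are made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {
      "role": "roles/cloudfunctions.invoker",
      "members": [
        "allUsers",
        "serviceAccount:scheduler@example-project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/cloudfunctions.developer",
      "members": ["user:dev@example.com"]
    }
  ],
  "etag": "BwWWja0YfJA=",
  "version": 1
}
""")

# Special members that stand for everyone (allUsers) or for any Google account
# (allAuthenticatedUsers). Either one on the invoker role makes the function public.
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")
INVOKER_ROLE = "roles/cloudfunctions.invoker"


def public_invokers(policy):
    """Return the public members bound to the invoker role, in policy order."""
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue
        found.extend(m for m in binding.get("members", []) if m in PUBLIC_MEMBERS)
    return found


def revoke_commands(function_name, policy):
    """gcloud commands that remove each public invoker binding found in the policy."""
    return [
        f"gcloud beta functions remove-iam-policy-binding {function_name} "
        f"--member={member} --role={INVOKER_ROLE}"
        for member in public_invokers(policy)
    ]


if __name__ == "__main__":
    # Usage: gcloud beta functions get-iam-policy my-function --format=json | python audit.py my-function
    # With nothing piped in, the constructed sample policy is audited instead.
    name = sys.argv[1] if len(sys.argv) > 1 else "my-function"
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for cmd in revoke_commands(name, policy):
        print(cmd)
```

Run over a real policy, the script prints one remove-iam-policy-binding command per public member and nothing at all for a private function, so it drops into a loop over gcloud functions list as a quick inventory of what is exposed.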

Domain Restricted Sharing

If the project is subject to the Domain Restricted Sharing organization policy (the constraints/iam.allowedPolicyMemberDomains constraint), bindings for allUsers are rejected, so you cannot create public functions in it. We recommend that you create projects that need public functions in a folder not subject to this restriction, and remove the restriction from existing projects that need them.

Removing users

Console

  1. Go to the Google Cloud Platform Console.

  2. Select the function you want to remove users from.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. Search for the user you want to remove, or expand a role the user has.

  5. Click the delete trash can next to the member type within the role to remove the role from the member.

GCloud

Use the gcloud beta functions remove-iam-policy-binding command:

  gcloud beta functions remove-iam-policy-binding FUNCTION_NAME \
    --member=MEMBER \
    --role=ROLE

where FUNCTION_NAME is the function name, MEMBER is the member to remove the role from (for example user:alice@example.com or the special allUsers member), and ROLE is the role. The member and role must match the existing binding exactly; removing the binding that is not there is not an error, so check the result with get-iam-policy.

For a list of acceptable values for MEMBER, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Functions IAM Roles reference page.

Bulk addition or removal of users

Console

  1. Go to the Google Cloud Platform Console.

  2. Select the function you want to add users to or remove users from.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

If you want to add users:

  1. In the Add members field, enter multiple identities that need access to your function.

  2. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  3. Click Add.

If you want to remove users:

  1. Search for the user you want to remove, or expand a role the user has.

  2. Click the delete trash can next to the member type within the role to remove the role from the member.

GCloud

Create an IAM policy file. Because set-iam-policy replaces the function's whole policy, start from the current policy (gcloud beta functions get-iam-policy FUNCTION_NAME --format=json) and keep its etag in the file: the write is then rejected if the policy changed underneath you, instead of silently overwriting that change. List every binding you want to keep, and leave out the ones you want to remove:

cat <<EOF > policy.json
{
  "bindings": [
    {
      "role": "ROLE",
      "members": [
        "MEMBER"
      ]
    }
  ],
  "etag": "ETAG"
}
EOF

Use the gcloud beta functions set-iam-policy command:

gcloud beta functions set-iam-policy FUNCTION_NAME policy.json

For a list of acceptable values for MEMBER, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Functions IAM Roles reference page.
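The following Python helper is an added example, not the documentation's own tooling. It builds policy.json by the read-modify-write pattern set-iam-policy calls for: take the current policy, remove and add (role, member) pairs, rebuild the bindings so each role appears once with no duplicate or empty member lists, and carry the etag and version through so a stale write is refused. The sample policy, the etag and the principals in it are constructed for the example.

```python
import json

# Constructed sample of the current policy, in the shape that
# `gcloud beta functions get-iam-policy FUNCTION_NAME --format=json` returns. The etag
# and member names are made up for this example.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]},
        {"role": "roles/cloudfunctions.viewer", "members": ["user:auditor@example.com"]},
    ],
    "etag": "BwWWja0YfJA=",
    "version": 1,
}


def edit_policy(policy, add=(), remove=()):
    """Return a new policy with (role, member) pairs removed and then added.

    Bindings are rebuilt from a role -> set-of-members map, so the result has one binding
    per role, no duplicate members and no empty bindings. The etag and version are copied
    from the input: set-iam-policy rejects a policy whose etag no longer matches the
    stored one, which is what stops this write from overwriting a change made in between.
    The input policy is not modified.
    """
    members_by_role = {}
    for binding in policy.get("bindings", []):
        members_by_role.setdefault(binding["role"], set()).update(binding.get("members", []))
    for role, member in remove:
        members_by_role.get(role, set()).discard(member)
    for role, member in add:
        members_by_role.setdefault(role, set()).add(member)
    new_policy = {
        "bindings": [
            {"role": role, "members": sorted(members)}
            for role, members in sorted(members_by_role.items())
            if members
        ]
    }
    for key in ("etag", "version"):
        if key in policy:
            new_policy[key] = policy[key]
    return new_policy


def members_of(policy, role):
    """Sorted members bound to ROLE, or [] if the role has no binding."""
    return sorted(
        m
        for b in policy.get("bindings", [])
        if b.get("role") == role
        for m in b.get("members", [])
    )


if __name__ == "__main__":
    # Swap the public allUsers binding for two named principals, keep the viewer binding
    # and the etag, and print the result for:
    #   python make_policy.py > policy.json
    #   gcloud beta functions set-iam-policy my-function policy.json
    updated = edit_policy(
        CURRENT_POLICY,
        remove=[("roles/cloudfunctions.invoker", "allUsers")],
        add=[
            ("roles/cloudfunctions.invoker", "serviceAccount:scheduler@example-project.iam.gserviceaccount.com"),
            ("roles/cloudfunctions.invoker", "user:dev@example.com"),
        ],
    )
    print(json.dumps(updated, indent=2))
```

If set-iam-policy fails with an etag mismatch, re-run get-iam-policy and apply the same edits to the fresh policy rather than deleting the etag from the file; dropping the etag turns the write back into a blind overwrite.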

Viewing users

Console

  1. Go to the Google Cloud Platform Console.

  2. Select the function whose users and roles you want to view.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. All users will be shown, grouped by role granted.

GCloud

Use the gcloud beta functions get-iam-policy command:

gcloud beta functions get-iam-policy FUNCTION_NAME

Controlling access on all functions in a project

If you want to grant roles to members on all functions in a project, you can use project-level IAM. A role granted at the project level is inherited by every function in the project, including functions created later, so grant the invoker role per function where you can and reserve project-level grants for roles that genuinely need to apply everywhere.

Next steps

Learn how to securely authenticate developers, functions, and end-users to the functions you just secured.
