Access control with IAM (original) (raw)
Stay organized with collections Save and categorize content based on your preferences.
This page provides supplemental information for using Identity and Access Management (IAM) roles to set access controls at a project level, to determine the level of access to your Google Cloud project and functions created usinggcloud functions commands or theCloud Functions v2 API.
If you've created or deployed functions using Cloud Run, seeAccess control with IAMand Cloud Run roles for a detailed description of Cloud Run predefined roles, controlling access to individual services, making a service public, or configuring organization policy for the Cloud Run invoker IAM.
Access control for users
Add users as team members to your project and grant them roles usingIAM.
Cloud Run functions supports the following roles:
- Cloud Run predefined roles (recommended)
- Cloud Functions predefined roles
- Basic roles of Editor, Owner, and Viewer.
Access control for service accounts
Aservice account is a special type of Google Cloud account that acts as an identity for a non-human user that needs to authenticate and be authorized to access data and perform various actions. Some of these accounts arecreated and managed by Google itselfand are known asservice agents.
The following service accounts are used for Cloud Run functions:
| Name | Member ID | Role |
|---|---|---|
| Compute Engine default service account | PROJECT_NUMBER-compute@developer.gserviceaccount.com | Editor |
| Google Cloud Functions Service Agent | service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com | Google Cloud Functions Service Agent |
| Legacy Cloud Build service account1 | PROJECT_NUMBER@cloudbuild.gserviceaccount.com | Cloud Build Service Account |
| Cloud Build Service Account | service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com | Cloud Build Service Agent |
| Google Container Registry Service Agent | service-PROJECT_NUMBER@containerregistry.iam.gserviceaccount.com | Container Registry Service Agent |
| Artifact Registry Service Agent | service-PROJECT_NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com | Artifact Registry Service Agent |
Runtime service accounts
At runtime, Cloud Run functions defaults to using the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com), which also has the Editor role on the project. You can change the roles of these service accounts to limit or extend the permissions for your running functions. You can also change which service account is used byavoiding the default service account when configuring service identity.
To learn more about service accounts, see theservice accounts documentation.
Administrative service accounts
To perform administrative actions on your project during the creation, updating, or deletion of functions, all projects in Cloud Run functions require the Google Cloud Functions Service Agent service account (service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com).
In addition, all runtimes carry out container image building and storage within your project. To support this, you also need to provision the following:
- The legacy Cloud Build service account1 (
PROJECT_NUMBER@cloudbuild.gserviceaccount.com) - The Cloud Build Service Agent service account (
service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com) - The Google Container Registry Service Agent service account (
service-PROJECT_NUMBER@containerregistry.iam.gserviceaccount.com)
These service accounts should have the roles listed in the earliertable.
Google Cloud Functions Service Agent service account
By default, the Google Cloud Functions Service Agent service account (service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com has the cloudfunctions.serviceAgent role on your project.
Here's a few of the notable permissions that the cloudfunctions.serviceAgentuses:
| Permission | Description |
|---|---|
| roles/artifactregistry.admin | Manage repositories and store build images in Artifact Registry. |
| roles/cloudbuild.builds.editor | Required to use Cloud Build to perform builds in user project. |
| roles/cloudbuild.customworkers.builder | Create builds in Cloud Build custom workers. |
| compute.globalOperations.get,compute.networks.access,vpcaccess.connectors.{get, use} | Provision functions with access to the consumer projects VPC. |
| roles/eventarc.developer | Manage Eventarc triggers for functions. |
| firebasedatabase.instances.{get, update} | Create functions triggered by the Firebase Realtime Database. |
| iam.serviceAccounts.{actAs, getAccessToken, signBlob} | Ability to get runtime service account credentials. |
| iam.serviceAccounts.getOpenIdToken | Needed for the agent to get an OpenID token on a user-specified authority. OpenID token is used for invoking IAM-enabled functions. |
| pubsub.subscriptions | Manage subscriptions in the user's project. |
| pubsub.topics | Manage topics in the user's project. |
| roles/run.developer | Manage the Cloud Run Service for functions. |
| storage.buckets.create,storage.objects.{delete, get, create, list} | Required for storing source code in user project. |
You can see the entire set of permissions under the predefined IAM rolesor by running this command:
gcloud iam roles describe roles/cloudfunctions.serviceAgent
Reset this service account to the default role by removing whatever role it has and adding the Cloud Functions Service Agent role:
gcloud projects add-iam-policy-binding PROJECT_ID
--member serviceAccount:service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com
--role roles/cloudfunctions.serviceAgent
Troubleshooting permission errors
If you get permission errors when you deploy, update, delete, or execute functions in your project, perform the following steps:
- Make sure that you have the Editor or Owner role on your project, or that you are using the Cloud Functions Developer role.
If you are using the Cloud Functions Developer role at the project level, also ensure that you havegranted the user the IAM Service Account User role.
Currently, only execution permissions are allowed at the per-function level. - Verify that the Cloud Functions Service Agent service account (
service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com) has theCloud Functions Service Agent(cloudfunctions.serviceAgent) role for your project.
Make sure the Include Google-provided role grants box on thePermissions tab of the Console IAM page is checked to see this account. Or you can usegcloud projects add-iam-policy-binding PROJECT_ID. - Ensure that you have permissions for trigger sources, such asPub/Sub orCloud Storage.
If you get an ”insufficient permissions” error, or have other authentication problems when you run your functions, make sure that the runtime service account has the correct permissions to access the resources your functions need. Then, repeat steps 2 and 3.
If you get a ”service unavailable” error during deployment, make sure that the runtime service account PROJECT_ID@appspot.gserviceaccount.comexists in your project. To recreate this service account if it was deleted, seeUndeleting a service account.
See also Troubleshoot Cloud Run functions.
1 Cloud Run functions only uses thelegacy Cloud Build service accountfor projects created before July 2024.