Cloud Functions has been renamed to Cloud Run functions. For more information, see the Cloud Run functions blog post.

Authorize access with IAM

You use Identity and Access Management (IAM) to authorize identities to perform administrative actions on functions created using the Cloud Functions v2 API—for example, using gcloud functions, the REST API, or Terraform. Administration actions include creating, updating, and deleting functions. For information about IAM access for functions created with Cloud Run, see Access control with IAM.

In IAM, you grant principals (the identities you want to enable, usually a user or service account email) the appropriate IAM roles on the function or project. These roles include permissions that define the actions the principal is allowed to do.

Before you begin

To get the permission that you need to control access for a specific function or all functions in a project, ask your administrator to grant you the Cloud Run functions Admin (roles/roles/cloudfunctions.admin) IAM role on the function or the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the cloudfunctions.functions.setIamPolicy permission, which is required to control access for a specific function or all functions in a project.

You might also be able to get this permission with custom roles or other predefined roles.

See Cloud Run functions IAM roles for the full list of Cloud Run functions roles and their associated permissions.

Enabling access to a function

You can control actions on a function by granting or restricting roles to individual identities through IAM.

Adding principals and granting roles

Use the gcloud functions add-iam-policy-binding command:

gcloud functions add-iam-policy-binding FUNCTION_NAME \
  --member=PRINCIPAL_ID \
  --role=ROLE

where FUNCTION_NAME is the function name, PRINCIPAL_ID is the principal's identifier, usually an email, and ROLE is the role.

For a list of sources that can provide a PRINCIPAL_ID, see the IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Run functions IAM Roles reference page.

Removing roles from principals

Use the gcloud functions remove-iam-policy-binding command:

gcloud functions remove-iam-policy-binding FUNCTION_NAME \
  --member=PRINCIPAL_ID \
  --role=ROLE

where FUNCTION_NAME is the function name, PRINCIPAL_ID is the email address that identifies the service account, prefaced with serviceAccount:, and ROLE is the role.

For a list of acceptable sources for PRINCIPAL_ID, see the IAM concepts page. For a list of possible values for ROLE, see the Cloud Run functions IAM Roles reference page.

If the principal has been granted multiple roles, make sure you specify the one you want to remove.

Bulk addition of principals

Create an IAM policy named, for example, policy.json:

  {
    "bindings": [
      {
        "role": ROLE,
        "members": [
        PRINCIPAL_ID
        ]
      }
    ]
  }

Use the gcloud functions set-iam-policy command:

gcloud functions set-iam-policy FUNCTION_NAME policy.json

For a list of acceptable sources for PRINCIPAL_ID, see the IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Run functions IAM Roles reference page.

Viewing principals

To view principals, use the gcloud functions get-iam-policy command:

gcloud functions get-iam-policy FUNCTION_NAME

Allowing unauthenticated HTTP function invocation

As of January 15, 2020, HTTP functions without Allow unauthenticated invocations enabled restrict access to end users and service accounts that don't have appropriate permissions.

To allow unauthenticated invocations you must specify this at or after deployment.

You use a special variant of the approach described earlier to grant unauthenticated invokers the ability to invoke an HTTP function.

At deployment

The gcloud functions deploy command includes a prompt to help you configure invocation permissions during function creation. It can also include the --allow-unauthenticated flag:

gcloud functions deploy FUNCTION_NAME \
  --trigger-http \
  --allow-unauthenticated \
  ...

Subsequent deployments of the same function don't change its status, even if you don't use this flag.

After deployment

Use the gcloud run services add-iam-policy-binding command to grant the roles/run.invoker role to the specific function:

gcloud run services add-iam-policy-binding FUNCTION_NAME \
  --member="allUsers"\
  --role="roles/run.invoker"

See the gcloud run add-iam-policy-binding reference for more information about these fields.

Domain Restricted Sharing

If you are developing functions in a project that is subject to the Domain Restricted Sharing organization policy you will be unable to allow unauthenticated invocation of a function. This policy restricts public data sharing to reduce the risk of data exfiltration.

If you want to deploy functions that permit unauthenticated invocation, we recommend that you remove the Domain Restricted Sharing organization policy on the project. Organization policies can be set at the organization, folder or project level.

Once you have created your function(s) that allow unauthenticated invocation, the organization policy can be re-enabled:

Functions deployed before the organization policy has been re-enabled will continue to allow unauthenticated invocation.
New versions of these existing functions can be deployed without requiring authenticated invocation.
New functions that permit unauthenticated invocations cannot be deployed.