I'm trying to deploy a function to Google Function running as a different service account other than the default "PROJECT_ID"@appspot.gserviceaccount.com. Is this even possible? What I've tried until now is: Auth as the service account and run the deploy command Auth as the service account and run the deploy command using "--account" The functions keep getting deployed with the default serviceAccount. Thanks EDIT (2019/02/13): As stated by @JJC, This is now available via gcloud beta features via: gcloud beta functions deploy ... --service-account=$YOUR_SA_HERE EDIT (2023/07/06): As stated by @TinyTiger this is now GA: see the response here

google-cloud-platformgoogle-cloud-functionsservice-accounts

Reputation: 702

Google Function service account

I'm trying to deploy a function to Google Function running as a different service account other than the default "PROJECT_ID"@appspot.gserviceaccount.com.

Is this even possible?

What I've tried until now is:

Auth as the service account and run the deploy command
Auth as the service account and run the deploy command using "--account"

The functions keep getting deployed with the default serviceAccount.

Thanks

EDIT (2019/02/13):

As stated by @JJC, This is now available via gcloud beta features via:

gcloud beta functions deploy ... --service-account=$YOUR_SA_HERE

EDIT (2023/07/06): As stated by @TinyTiger this is now GA: see the response here

Upvotes: 8

Answers (5)

kwick

Reputation: 797

And from the UI, you can choose the Service Account from here:

Upvotes: 0

TinyTiger

Reputation: 2101

2023 UPDATE:

It can be done like this:

gcloud functions deploy FUNCTION_NAME --service-account=SERVICE_ACCOUNT_EMAIL

Read more in the offical docs.

Also note you can use = in-between if you want. Both styles work. For example, both of these will work...

With = works:

gcloud functions deploy FUNCTION_NAME --service-account=SERVICE_ACCOUNT_EMAIL

Without = also works:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

Upvotes: 5

JJC

Reputation: 10033

This is now available via gcloud beta features:

gcloud beta functions deploy ... --service-account=$YOUR_SA_HERE

Upvotes: 7

Ville

Reputation: 1335

Update Oct 2018

This is available now via gcloud alpha sdk, i.e

gcloud alpha functions deploy --service-account=SERVICE_ACCOUNT

The email address of the IAM service account associated with the function at runtime. The service account represents the identity of the running function, and determines what permissions the function has. If not provided, the function will use the project's default service account.

A note: It's probably necessary to sign up for the alpha in order to use. When I try it (not having signed up for alpha), it deploys without error, but seems to ignore the new flag and use the default service account.

The good news is that it is coming, hopefully it will hit beta soon.

For anyone that may be interested, here is a link to a great use case with example code -- basic solution to secure secrets in your cloud functions: Secrets in Serverless | Seth Vargo

Upvotes: 2

Massimo

Reputation: 702

Found the answer on the Google issue tracker: https://issuetracker.google.com/issues/63801748

It's a feature that is still not available at the moment.

Upvotes: 1

Google Function service account

Answers (5)

2023 UPDATE:

Update Oct 2018

Related Questions