(gcloud.functions.deploy) permission denied when deploying function with specific service account

Question

I'm trying to deploy Google Cloud Functions using a different service account. I have the service account properties saved to a json file. I swapped out the values to make it easier to read.

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/keys/mynewserviceaccount.json"

gcloud functions deploy MyFunction \
--runtime python37 \
--entry-point MyFunction \
--source src \
--service-account mynewserviceaccount@appspot.gserviceaccount.com \
--verbosity debug \
--stage-bucket staging.projectname.appspot.com \
--trigger-event providers/cloud.firestore/eventTypes/document.write \
--trigger-resource "projects/projectname/databases/(default)/documents/User/{userId}" &

mynewserviceaccount has the following roles. I've tried a few others and haven't had success. - Cloud Functions Admin - Cloud Functions Service Agent - Errors Writer - Service Account User - Logs Writer - Pub/Sub Subscriber

I've also ran gcloud auth activate-service-account mynewserviceaccount@appspot.gserviceaccount.com --key-file "/path/to/keys/mynewserviceaccount.json"

When I run this, I get: ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]

When I try to find "gcloud.functions.deploy" in the Roles list, I don't see it. I don't know if this is an issue with documentation or an issue with the code.

Answer 1

if this was when running gcloud builds submit command, the most likely reason is Cloud Functions Developer role not being enabled for the Cloud Build service.

1. Navigate to Cloud Build > Settings
2. Enable Cloud Functions Developer role

Answer 2

The Docs on cloud functions states that if you want to deploy a function with a service account you have to do an extra step.

You must assign the user the IAM Service Account User role (roles/iam.serviceAccountUser) on the Cloud Functions Runtime service account.