Valerii Bosiak

Reputation: 53

How to set IAM policy to Cloud Function with Deployment Manager

I want to deploy a Cloud Function with a specific IAM policy using Deployment Manager. My deployment.yml:

resources:
  - type: gcp-types/cloudfunctions-v1:projects.locations.functions
    name: test-function
    properties:
      parent: projects/test-project/locations/europe-west3
      function: test-function
      entryPoint: functions.KotlinHelloWorld
      timeout: 30s
      availableMemoryMb: 256
      runtime: java11
      location: europe-west3
      sourceArchiveUrl: gs://source-bucket/kotlin-function.zip
      httpsTrigger:
        url: https://europe-west3-test-project.cloudfunctions.net/test-function
      environmentVariables:
        BUCKET: function-results
        RESULT_FILE: dates.txt
    accessControl:
      gcpIamPolicy:
        bindings:
          - role: roles/cloudfunctions.invoker
            members:
              - allUsers

It works without the accessControl block, but in the case above I get an error:

user@pc-003:~/Develop/kotlin-function$ gcloud deployment-manager deployments update learning --config deployment.yml
The fingerprint of the deployment is 6MAQlDoq73-O_QDwSCD7uA==
Waiting for update [operation-1593088111352-5a8e7baf9192b-7d149199-82e96170]...failed.
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1593088111352-5a8e7baf9192b-7d149199-82e96170]: errors:
- code: RESOURCE_ERROR
  location: /deployments/learning/resources/test-function
  message: '{"ResourceType":"gcp-types/cloudfunctions-v1:projects.locations.functions","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not
    Found","requestPath":"https://cloudfunctions.googleapis.com/v1/:setIamPolicy","httpMethod":"POST"}}'

Upvotes: 4

Views: 1613

Answers (1)

Smerk

Reputation: 186

That's a problem with Deployment Manager and the Cloud Functions API. You can read more about it here: https://github.com/GoogleCloudPlatform/deploymentmanager-samples/issues/494

As a workaround you can define the IAM policy for the function as a separate resource:

  - name: [BINDING_NAME]
    type: gcp-types/cloudfunctions-v1:virtual.projects.locations.functions.iamMemberBinding
    properties:
      resource: projects/[PROJECT_NAME]/locations/[LOCATION]/functions/[FUNCTION_NAME]
      role: roles/cloudfunctions.invoker
      member: allUsers

For this to work, you need to give the Google APIs Service Agent permission to edit IAM policies. Cloud Functions Admin is a role that has all the needed permissions in this case.

Upvotes: 5
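A complete deployment.yml that combines the function from the question with the separate-binding workaround in the answer, added here as an example rather than code from either post. It assumes the question's sample project, bucket and function names and uses Deployment Manager's metadata.dependsOn so the binding is only applied once the function exists.

```yaml
# Added example, not from the question or the answer: one deployment that
# creates the function and then attaches the invoker binding as the
# separate virtual resource described in the answer.
resources:
  - name: test-function
    type: gcp-types/cloudfunctions-v1:projects.locations.functions
    properties:
      parent: projects/test-project/locations/europe-west3
      function: test-function
      entryPoint: functions.KotlinHelloWorld
      timeout: 30s
      availableMemoryMb: 256
      runtime: java11
      location: europe-west3
      sourceArchiveUrl: gs://source-bucket/kotlin-function.zip
      httpsTrigger:
        url: https://europe-west3-test-project.cloudfunctions.net/test-function
      environmentVariables:
        BUCKET: function-results
        RESULT_FILE: dates.txt

  # The binding is its own resource, so setIamPolicy is called against the
  # full function path rather than the empty path that produced the 404.
  - name: test-function-invoker-binding
    type: gcp-types/cloudfunctions-v1:virtual.projects.locations.functions.iamMemberBinding
    metadata:
      # Do not apply the binding until the function resource exists.
      dependsOn:
        - test-function
    properties:
      resource: projects/test-project/locations/europe-west3/functions/test-function
      role: roles/cloudfunctions.invoker
      # allUsers grants unauthenticated invocation; bind a specific
      # serviceAccount:... member instead when the function is not meant
      # to be public.
      member: allUsers
```

After the update completes, `gcloud functions get-iam-policy test-function --region europe-west3` shows whether the binding was applied.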
