Reputation: 321
I want to deploy a Google Cloud Function. This cloud function needs to have a service account as Cloud Functions invoker. To set allUsers as the permission, we use the --allow-unauthenticated flag.
This is the command I am using for deploying:
gcloud functions deploy functionTemp --entry-point functions.FunctionTemp --runtime java11 --trigger-http --memory 512MB --source=FunctionTemp
As mentioned, adding --allow-unauthenticated adds allUsers as the cloud invoker permission. If I want to set the default service account as cloud invoker and not allUsers, how do I change the command? I am not able to find a proper solution for it.
I tried the service-account flag, but that's not used for the purpose I am using it for, and also if we are using the default service account, we don't even have to specify this flag.
We can set the permission for this cloud function in the API service pages, but I want to do it manually. I am stuck here. Any help would be appreciated.
Upvotes: 0
Views: 1544
Reputation: 2725
Not sure I understand your question, but from the best of my guesses about your concerns...
You might like to check the gcloud functions deploy CLI description here: gcloud functions deploy. In particular the parameters --run-service-account (for gen2 cloud functions) and --service-account (for the original cloud functions), which define under which service account (and its IAM roles) the given cloud function is to be executed, and thus what the code of the given cloud function is permitted to do with other APIs. The description is here: --run-service-account and --service-account.
You also might like to decide what IAM roles that service account should have so that the cloud function can achieve what it is supposed to do, but doesn't get too wide permissions, to avoid unnecessary security risks. And assign/manage the relevant roles to the service account independently from the cloud function deployment.
The details can be found at the Function Identity section of the documentation.
However, all of the above has nothing to do with who triggers the cloud function and how. Not sure if you are interested in that area.
In case of gen2 cloud functions the CLI parameter might be --trigger-service-account, with the description here: --trigger-service-account.
If your use case is different and more complex, you might like to describe it in more detail, so the requirements are clearly articulated.
Upvotes: 0
Reputation: 75940
In fact, there is no parameter for that. The gcloud CLI offers convenient features but, as usual, nothing is magic!
Have a try yourself. Perform your command with the --allow-unauthenticated flag and add the flag --log-http. This flag will display all the API calls performed by the CLI. And you will see that the CLI performs the function deployment AND other calls to grant allUsers as Functions Invoker.
Because of that, if you want to grant Function Invoker to an account other than allUsers, you have to perform this additional operation yourself.
Use gcloud functions add-iam-policy-binding --member=... or the new one, gcloud functions add-invoker-policy-binding --member=... (same as before, but you don't have to mention the role).
If you want to use the API it's a bit difficult. In fact, there is no API call to ADD a policy. Only a get and a set.
Therefore, you need to GET all the policies on the Cloud Function, add "manually" (programmatically) the account with its role in the JSON, and then POST (set) the whole JSON with the new policy.
It's exactly what the CLI does, if you take a closer look at the --log-http trace.
Upvotes: 0
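The get/modify/set flow the last answer describes, as an added worked example that is not part of either answer and not gcloud's own code. It operates on a constructed policy document in the shape getIamPolicy returns (bindings, etag, version); the helper names, the sample etag and the project id in the member string are this example's own assumptions. It also shows the check a reviewer would want before a set: whether the invoker role still contains allUsers or allAuthenticatedUsers.

```python
"""Read-modify-write of a Cloud Functions IAM policy (added example, not from
the original post). SAMPLE_POLICY is a constructed document in the shape that
getIamPolicy returns; helper names are this example's own."""
import copy
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
# Members that make a function callable by anyone / any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of what a GET of the function's policy might return.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyz123",  # constructed value
    "bindings": [
        {"role": "roles/cloudfunctions.developer",
         "members": ["user:dev@example.com"]},
    ],
}


def add_binding(policy, role, member):
    """Return a new policy with `member` added to `role`.

    This is the step the answer says the CLI performs between getIamPolicy and
    setIamPolicy: find the (unconditional) binding for the role, create it if
    absent, append the member if not already present, and keep the etag so the
    later set is rejected if the policy changed concurrently.
    """
    new_policy = copy.deepcopy(policy)  # never mutate the fetched document
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and not binding.get("condition"):
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def add_invoker(policy, member):
    """Same effect as `gcloud functions add-invoker-policy-binding`: the role
    is fixed to the invoker role, only the member is supplied."""
    return add_binding(policy, INVOKER_ROLE, member)


def public_invokers(policy):
    """Members of the invoker binding that expose the function publicly.
    An empty list means only named principals can invoke it."""
    found = []
    for binding in policy.get("bindings", []):
        if binding["role"] == INVOKER_ROLE:
            found.extend(m for m in binding["members"] if m in PUBLIC_MEMBERS)
    return found


def set_policy_request(policy):
    """JSON body for the setIamPolicy call: the whole policy, etag included,
    is sent back, which is why the answer calls this a GET-then-SET."""
    return json.dumps({"policy": policy}, indent=2)


if __name__ == "__main__":
    # Member string for a gen1 default runtime service account;
    # "my-project" is a constructed project id.
    member = "serviceAccount:my-project@appspot.gserviceaccount.com"
    updated = add_invoker(SAMPLE_POLICY, member)
    print("public invokers:", public_invokers(updated))
    print(set_policy_request(updated))
```

Running the module prints the request body that would be sent as the set step; the check in public_invokers is worth running on any policy before it is set, since the deploy flag discussed above adds allUsers and a later binding does not remove it.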