Console
    Contact Us Start free

    Cloud Functions IAM Roles

    Predefined roles

    The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Run functions (formerly known as Cloud Functions), and lists the permissions that are contained in each role.

    Roles can be granted to users on an entire project or on individual functions. Read Managing Access via IAM to learn more.

    Cloud Functions roles

    Role
    Permissions

    ( roles/ cloudfunctions.admin )

    Full access to functions, operations and locations.

    artifactregistry. attachments. get

    artifactregistry. attachments. list

    artifactregistry. dockerimages.*

    • artifactregistry. dockerimages. get
    • artifactregistry. dockerimages. list

    artifactregistry. files. download

    artifactregistry.files.get

    artifactregistry.files.list

    artifactregistry.locations.*

    • artifactregistry.locations.get
    • artifactregistry. locations. list

    artifactregistry. mavenartifacts.*

    • artifactregistry. mavenartifacts. get
    • artifactregistry. mavenartifacts. list

    artifactregistry.npmpackages.*

    • artifactregistry. npmpackages. get
    • artifactregistry. npmpackages. list

    artifactregistry.packages.get

    artifactregistry.packages.list

    artifactregistry. projectsettings. get

    artifactregistry. pythonpackages.*

    • artifactregistry. pythonpackages. get
    • artifactregistry. pythonpackages. list

    artifactregistry. repositories. downloadArtifacts

    artifactregistry. repositories. get

    artifactregistry. repositories. list

    artifactregistry. repositories. listEffectiveTags

    artifactregistry. repositories. listTagBindings

    artifactregistry. repositories. readViaVirtualRepository

    artifactregistry.rules.get

    artifactregistry.rules.list

    artifactregistry.tags.get

    artifactregistry.tags.list

    artifactregistry.versions.get

    artifactregistry.versions.list

    cloudasset. assets. searchAllResources

    cloudbuild.builds.get

    cloudbuild.builds.list

    cloudbuild.locations.*

    • cloudbuild.locations.get
    • cloudbuild.locations.list

    cloudbuild.operations.*

    • cloudbuild.operations.get
    • cloudbuild.operations.list

    cloudfunctions.*

    • cloudfunctions.functions.call
    • cloudfunctions. functions. create
    • cloudfunctions. functions. delete
    • cloudfunctions. functions. generationUpgrade
    • cloudfunctions.functions.get
    • cloudfunctions. functions. getIamPolicy
    • cloudfunctions. functions. invoke
    • cloudfunctions.functions.list
    • cloudfunctions. functions. setIamPolicy
    • cloudfunctions. functions. sourceCodeGet
    • cloudfunctions. functions. sourceCodeSet
    • cloudfunctions. functions. update
    • cloudfunctions.locations.list
    • cloudfunctions.operations.get
    • cloudfunctions.operations.list

    eventarc.*

    • eventarc. channelConnections. create
    • eventarc. channelConnections. delete
    • eventarc. channelConnections. get
    • eventarc. channelConnections. getIamPolicy
    • eventarc. channelConnections. list
    • eventarc. channelConnections. publish
    • eventarc. channelConnections. setIamPolicy
    • eventarc.channels.attach
    • eventarc.channels.create
    • eventarc.channels.delete
    • eventarc.channels.get
    • eventarc.channels.getIamPolicy
    • eventarc.channels.list
    • eventarc.channels.publish
    • eventarc.channels.setIamPolicy
    • eventarc.channels.undelete
    • eventarc.channels.update
    • eventarc.enrollments.create
    • eventarc.enrollments.delete
    • eventarc.enrollments.get
    • eventarc. enrollments. getIamPolicy
    • eventarc.enrollments.list
    • eventarc. enrollments. setIamPolicy
    • eventarc.enrollments.update
    • eventarc. events. receiveAuditLogWritten
    • eventarc.events.receiveEvent
    • eventarc. googleApiSources. create
    • eventarc. googleApiSources. delete
    • eventarc.googleApiSources.get
    • eventarc. googleApiSources. getIamPolicy
    • eventarc.googleApiSources.list
    • eventarc. googleApiSources. setIamPolicy
    • eventarc. googleApiSources. update
    • eventarc. googleChannelConfigs. get
    • eventarc. googleChannelConfigs. update
    • eventarc.kafkaSources.create
    • eventarc.kafkaSources.delete
    • eventarc.kafkaSources.get
    • eventarc. kafkaSources. getIamPolicy
    • eventarc.kafkaSources.list
    • eventarc. kafkaSources. setIamPolicy
    • eventarc.locations.get
    • eventarc.locations.list
    • eventarc.messageBuses.create
    • eventarc.messageBuses.delete
    • eventarc.messageBuses.get
    • eventarc. messageBuses. getIamPolicy
    • eventarc.messageBuses.list
    • eventarc.messageBuses.publish
    • eventarc. messageBuses. setIamPolicy
    • eventarc.messageBuses.update
    • eventarc.messageBuses.use
    • eventarc. multiProjectSources. collectGoogleApiEvents
    • eventarc.operations.cancel
    • eventarc.operations.delete
    • eventarc.operations.get
    • eventarc.operations.list
    • eventarc.pipelines.create
    • eventarc.pipelines.delete
    • eventarc.pipelines.get
    • eventarc. pipelines. getIamPolicy
    • eventarc.pipelines.list
    • eventarc. pipelines. setIamPolicy
    • eventarc.pipelines.update
    • eventarc.providers.get
    • eventarc.providers.list
    • eventarc.triggers.create
    • eventarc.triggers.delete
    • eventarc.triggers.get
    • eventarc.triggers.getIamPolicy
    • eventarc.triggers.list
    • eventarc.triggers.setIamPolicy
    • eventarc.triggers.undelete
    • eventarc.triggers.update

    recommender. cloudFunctionsPerformanceInsights.*

    • recommender. cloudFunctionsPerformanceInsights. get
    • recommender. cloudFunctionsPerformanceInsights. list
    • recommender. cloudFunctionsPerformanceInsights. update

    recommender. cloudFunctionsPerformanceRecommendations.*

    • recommender. cloudFunctionsPerformanceRecommendations. get
    • recommender. cloudFunctionsPerformanceRecommendations. list
    • recommender. cloudFunctionsPerformanceRecommendations. update

    recommender.locations.*

    • recommender.locations.get
    • recommender.locations.list

    recommender. runServiceCostInsights.*

    • recommender. runServiceCostInsights. get
    • recommender. runServiceCostInsights. list
    • recommender. runServiceCostInsights. update

    recommender. runServiceCostRecommendations.*

    • recommender. runServiceCostRecommendations. get
    • recommender. runServiceCostRecommendations. list
    • recommender. runServiceCostRecommendations. update

    recommender. runServiceIdentityInsights.*

    • recommender. runServiceIdentityInsights. get
    • recommender. runServiceIdentityInsights. list
    • recommender. runServiceIdentityInsights. update

    recommender. runServiceIdentityRecommendations.*

    • recommender. runServiceIdentityRecommendations. get
    • recommender. runServiceIdentityRecommendations. list
    • recommender. runServiceIdentityRecommendations. update

    recommender. runServicePerformanceInsights.*

    • recommender. runServicePerformanceInsights. get
    • recommender. runServicePerformanceInsights. list
    • recommender. runServicePerformanceInsights. update

    recommender. runServicePerformanceRecommendations.*

    • recommender. runServicePerformanceRecommendations. get
    • recommender. runServicePerformanceRecommendations. list
    • recommender. runServicePerformanceRecommendations. update

    recommender. runServiceSecurityInsights.*

    • recommender. runServiceSecurityInsights. get
    • recommender. runServiceSecurityInsights. list
    • recommender. runServiceSecurityInsights. update

    recommender. runServiceSecurityRecommendations.*

    • recommender. runServiceSecurityRecommendations. get
    • recommender. runServiceSecurityRecommendations. list
    • recommender. runServiceSecurityRecommendations. update

    remotebuildexecution.blobs.get

    resourcemanager.projects.get

    resourcemanager. projects. getIamPolicy

    resourcemanager.projects.list

    run.*

    • run.configurations.get
    • run.configurations.list
    • run.executions.cancel
    • run.executions.delete
    • run.executions.get
    • run.executions.list
    • run.jobs.create
    • run.jobs.createTagBinding
    • run.jobs.delete
    • run.jobs.deleteTagBinding
    • run.jobs.get
    • run.jobs.getIamPolicy
    • run.jobs.list
    • run.jobs.listEffectiveTags
    • run.jobs.listTagBindings
    • run.jobs.run
    • run.jobs.runWithOverrides
    • run.jobs.setIamPolicy
    • run.jobs.update
    • run.locations.list
    • run.operations.delete
    • run.operations.get
    • run.operations.list
    • run.revisions.delete
    • run.revisions.get
    • run.revisions.list
    • run.routes.get
    • run.routes.invoke
    • run.routes.list
    • run.services.create
    • run.services.createTagBinding
    • run.services.delete
    • run.services.deleteTagBinding
    • run.services.get
    • run.services.getIamPolicy
    • run.services.list
    • run.services.listEffectiveTags
    • run.services.listTagBindings
    • run.services.setIamPolicy
    • run.services.update
    • run.tasks.get
    • run.tasks.list
    • run.workerpools.create
    • run.workerpools.delete
    • run.workerpools.get
    • run.workerpools.getIamPolicy
    • run.workerpools.list
    • run.workerpools.setIamPolicy
    • run.workerpools.update

    serviceusage.quotas.get

    serviceusage.services.get

    serviceusage.services.list

    ( roles/ cloudfunctions.developer )

    Read and write access to all functions-related resources.

    artifactregistry. attachments. get

    artifactregistry. attachments. list

    artifactregistry. dockerimages.*

    • artifactregistry. dockerimages. get
    • artifactregistry. dockerimages. list

    artifactregistry. files. download

    artifactregistry.files.get

    artifactregistry.files.list

    artifactregistry.locations.*

    • artifactregistry.locations.get
    • artifactregistry. locations. list

    artifactregistry. mavenartifacts.*

    • artifactregistry. mavenartifacts. get
    • artifactregistry. mavenartifacts. list

    artifactregistry.npmpackages.*

    • artifactregistry. npmpackages. get
    • artifactregistry. npmpackages. list

    artifactregistry.packages.get

    artifactregistry.packages.list

    artifactregistry. projectsettings. get

    artifactregistry. pythonpackages.*

    • artifactregistry. pythonpackages. get
    • artifactregistry. pythonpackages. list

    artifactregistry. repositories. downloadArtifacts

    artifactregistry. repositories. get

    artifactregistry. repositories. list

    artifactregistry. repositories. listEffectiveTags

    artifactregistry. repositories. listTagBindings

    artifactregistry. repositories. readViaVirtualRepository

    artifactregistry.rules.get

    artifactregistry.rules.list

    artifactregistry.tags.get

    artifactregistry.tags.list

    artifactregistry.versions.get

    artifactregistry.versions.list

    cloudasset. assets. searchAllResources

    cloudbuild.builds.get

    cloudbuild.builds.list

    cloudbuild.locations.*

    • cloudbuild.locations.get
    • cloudbuild.locations.list

    cloudbuild.operations.*

    • cloudbuild.operations.get
    • cloudbuild.operations.list

    cloudfunctions.functions.call

    cloudfunctions. functions. create

    cloudfunctions. functions. delete

    cloudfunctions. functions. generationUpgrade

    cloudfunctions.functions.get

    cloudfunctions. functions. invoke

    cloudfunctions.functions.list

    cloudfunctions. functions. sourceCodeGet

    cloudfunctions. functions. sourceCodeSet

    cloudfunctions. functions. update

    cloudfunctions.locations.list

    cloudfunctions.operations.*

    • cloudfunctions.operations.get
    • cloudfunctions.operations.list

    eventarc. channelConnections. create

    eventarc. channelConnections. delete

    eventarc. channelConnections. get

    eventarc. channelConnections. getIamPolicy

    eventarc. channelConnections. list

    eventarc. channelConnections. publish

    eventarc.channels.attach

    eventarc.channels.create

    eventarc.channels.delete

    eventarc.channels.get

    eventarc.channels.getIamPolicy

    eventarc.channels.list

    eventarc.channels.publish

    eventarc.channels.undelete

    eventarc.channels.update

    eventarc.enrollments.create

    eventarc.enrollments.delete

    eventarc.enrollments.get

    eventarc. enrollments. getIamPolicy

    eventarc.enrollments.list

    eventarc.enrollments.update

    eventarc. googleApiSources. create

    eventarc. googleApiSources. delete

    eventarc.googleApiSources.get

    eventarc. googleApiSources. getIamPolicy

    eventarc.googleApiSources.list

    eventarc. googleApiSources. update

    eventarc. googleChannelConfigs.*

    • eventarc. googleChannelConfigs. get
    • eventarc. googleChannelConfigs. update

    eventarc.kafkaSources.create

    eventarc.kafkaSources.delete

    eventarc.kafkaSources.get

    eventarc. kafkaSources. getIamPolicy

    eventarc.kafkaSources.list

    eventarc.locations.*

    • eventarc.locations.get
    • eventarc.locations.list

    eventarc.operations.*

    • eventarc.operations.cancel
    • eventarc.operations.delete
    • eventarc.operations.get
    • eventarc.operations.list

    eventarc.pipelines.create

    eventarc.pipelines.delete

    eventarc.pipelines.get

    eventarc. pipelines. getIamPolicy

    eventarc.pipelines.list

    eventarc.pipelines.update

    eventarc.providers.*

    • eventarc.providers.get
    • eventarc.providers.list

    eventarc.triggers.create

    eventarc.triggers.delete

    eventarc.triggers.get

    eventarc.triggers.getIamPolicy

    eventarc.triggers.list

    eventarc.triggers.undelete

    eventarc.triggers.update

    recommender. cloudFunctionsPerformanceInsights.*

    • recommender. cloudFunctionsPerformanceInsights. get
    • recommender. cloudFunctionsPerformanceInsights. list
    • recommender. cloudFunctionsPerformanceInsights. update

    recommender. cloudFunctionsPerformanceRecommendations.*

    • recommender. cloudFunctionsPerformanceRecommendations. get
    • recommender. cloudFunctionsPerformanceRecommendations. list
    • recommender. cloudFunctionsPerformanceRecommendations. update

    recommender.locations.*

    • recommender.locations.get
    • recommender.locations.list

    recommender. runServiceCostInsights.*

    • recommender. runServiceCostInsights. get
    • recommender. runServiceCostInsights. list
    • recommender. runServiceCostInsights. update

    recommender. runServiceCostRecommendations.*

    • recommender. runServiceCostRecommendations. get
    • recommender. runServiceCostRecommendations. list
    • recommender. runServiceCostRecommendations. update

    recommender. runServiceIdentityInsights.*

    • recommender. runServiceIdentityInsights. get
    • recommender. runServiceIdentityInsights. list
    • recommender. runServiceIdentityInsights. update

    recommender. runServiceIdentityRecommendations.*

    • recommender. runServiceIdentityRecommendations. get
    • recommender. runServiceIdentityRecommendations. list
    • recommender. runServiceIdentityRecommendations. update

    recommender. runServicePerformanceInsights.*

    • recommender. runServicePerformanceInsights. get
    • recommender. runServicePerformanceInsights. list
    • recommender. runServicePerformanceInsights. update

    recommender. runServicePerformanceRecommendations.*

    • recommender. runServicePerformanceRecommendations. get
    • recommender. runServicePerformanceRecommendations. list
    • recommender. runServicePerformanceRecommendations. update

    recommender. runServiceSecurityInsights.*

    • recommender. runServiceSecurityInsights. get
    • recommender. runServiceSecurityInsights. list
    • recommender. runServiceSecurityInsights. update

    recommender. runServiceSecurityRecommendations.*

    • recommender. runServiceSecurityRecommendations. get
    • recommender. runServiceSecurityRecommendations. list
    • recommender. runServiceSecurityRecommendations. update

    remotebuildexecution.blobs.get

    resourcemanager.projects.get

    resourcemanager.projects.list

    run.configurations.*

    • run.configurations.get
    • run.configurations.list

    run.executions.*

    • run.executions.cancel
    • run.executions.delete
    • run.executions.get
    • run.executions.list

    run.jobs.create

    run.jobs.delete

    run.jobs.get

    run.jobs.getIamPolicy

    run.jobs.list

    run.jobs.listEffectiveTags

    run.jobs.listTagBindings

    run.jobs.run

    run.jobs.runWithOverrides

    run.jobs.update

    run.locations.list

    run.operations.*

    • run.operations.delete
    • run.operations.get
    • run.operations.list

    run.revisions.*

    • run.revisions.delete
    • run.revisions.get
    • run.revisions.list

    run.routes.*

    • run.routes.get
    • run.routes.invoke
    • run.routes.list

    run.services.create

    run.services.delete

    run.services.get

    run.services.getIamPolicy

    run.services.list

    run.services.listEffectiveTags

    run.services.listTagBindings

    run.services.update

    run.tasks.*

    • run.tasks.get
    • run.tasks.list

    run.workerpools.create

    run.workerpools.delete

    run.workerpools.get

    run.workerpools.getIamPolicy

    run.workerpools.list

    run.workerpools.update

    serviceusage.quotas.get

    serviceusage.services.get

    serviceusage.services.list

    ( roles/ cloudfunctions.invoker )

    Ability to invoke 1st gen HTTP functions with restricted access. 2nd gen functions need the Cloud Run Invoker role instead.

    cloudfunctions. functions. invoke

    ( roles/ cloudfunctions.serviceAgent )

    Gives Cloud Functions service account access to managed resources.

    artifactregistry. aptartifacts. create

    artifactregistry.attachments.*

    • artifactregistry. attachments. create
    • artifactregistry. attachments. delete
    • artifactregistry. attachments. get
    • artifactregistry. attachments. list

    artifactregistry. dockerimages.*

    • artifactregistry. dockerimages. get
    • artifactregistry. dockerimages. list

    artifactregistry.files.*

    • artifactregistry.files.delete
    • artifactregistry. files. download
    • artifactregistry.files.get
    • artifactregistry.files.list
    • artifactregistry.files.update
    • artifactregistry.files.upload

    artifactregistry. kfpartifacts. create

    artifactregistry.locations.*

    • artifactregistry.locations.get
    • artifactregistry. locations. list

    artifactregistry. mavenartifacts.*

    • artifactregistry. mavenartifacts. get
    • artifactregistry. mavenartifacts. list

    artifactregistry.npmpackages.*

    • artifactregistry. npmpackages. get
    • artifactregistry. npmpackages. list

    artifactregistry.packages.*

    • artifactregistry. packages. delete
    • artifactregistry.packages.get
    • artifactregistry.packages.list
    • artifactregistry. packages. update

    artifactregistry. projectsettings.*

    • artifactregistry. projectsettings. get
    • artifactregistry. projectsettings. update

    artifactregistry. pythonpackages.*

    • artifactregistry. pythonpackages. get
    • artifactregistry. pythonpackages. list

    artifactregistry. repositories. create

    artifactregistry. repositories. createTagBinding

    artifactregistry. repositories. delete

    artifactregistry. repositories. deleteArtifacts

    artifactregistry. repositories. deleteTagBinding

    artifactregistry. repositories. downloadArtifacts

    artifactregistry. repositories. get

    artifactregistry. repositories. getIamPolicy

    artifactregistry. repositories. list

    artifactregistry. repositories. listEffectiveTags

    artifactregistry. repositories. listTagBindings

    artifactregistry. repositories. readViaVirtualRepository

    artifactregistry. repositories. setIamPolicy

    artifactregistry. repositories. update

    artifactregistry. repositories. uploadArtifacts

    artifactregistry.rules.*

    • artifactregistry.rules.create
    • artifactregistry.rules.delete
    • artifactregistry.rules.get
    • artifactregistry.rules.list
    • artifactregistry.rules.update

    artifactregistry.tags.*

    • artifactregistry.tags.create
    • artifactregistry.tags.delete
    • artifactregistry.tags.get
    • artifactregistry.tags.list
    • artifactregistry.tags.update

    artifactregistry.versions.*

    • artifactregistry. versions. delete
    • artifactregistry.versions.get
    • artifactregistry.versions.list
    • artifactregistry. versions. update

    artifactregistry. yumartifacts. create

    clientauthconfig.clients.list

    cloudbuild.builds.create

    cloudbuild.builds.get

    cloudbuild.builds.list

    cloudbuild.builds.update

    cloudbuild.locations.*

    • cloudbuild.locations.get
    • cloudbuild.locations.list

    cloudbuild.operations.*

    • cloudbuild.operations.get
    • cloudbuild.operations.list

    cloudbuild.workerpools.use

    cloudfunctions.functions.get

    cloudfunctions. functions. invoke

    cloudfunctions.functions.list

    cloudfunctions.operations.*

    • cloudfunctions.operations.get
    • cloudfunctions.operations.list

    compute.globalOperations.get

    compute.networks.access

    eventarc. channelConnections. create

    eventarc. channelConnections. delete

    eventarc. channelConnections. get

    eventarc. channelConnections. getIamPolicy

    eventarc. channelConnections. list

    eventarc. channelConnections. publish

    eventarc.channels.attach

    eventarc.channels.create

    eventarc.channels.delete

    eventarc.channels.get

    eventarc.channels.getIamPolicy

    eventarc.channels.list

    eventarc.channels.publish

    eventarc.channels.undelete

    eventarc.channels.update

    eventarc.enrollments.create

    eventarc.enrollments.delete

    eventarc.enrollments.get

    eventarc. enrollments. getIamPolicy

    eventarc.enrollments.list

    eventarc.enrollments.update

    eventarc. googleApiSources. create

    eventarc. googleApiSources. delete

    eventarc.googleApiSources.get

    eventarc. googleApiSources. getIamPolicy

    eventarc.googleApiSources.list

    eventarc. googleApiSources. update

    eventarc. googleChannelConfigs.*

    • eventarc. googleChannelConfigs. get
    • eventarc. googleChannelConfigs. update

    eventarc.kafkaSources.create

    eventarc.kafkaSources.delete

    eventarc.kafkaSources.get

    eventarc. kafkaSources. getIamPolicy

    eventarc.kafkaSources.list

    eventarc.locations.*

    • eventarc.locations.get
    • eventarc.locations.list

    eventarc.operations.*

    • eventarc.operations.cancel
    • eventarc.operations.delete
    • eventarc.operations.get
    • eventarc.operations.list

    eventarc.pipelines.create

    eventarc.pipelines.delete

    eventarc.pipelines.get

    eventarc. pipelines. getIamPolicy

    eventarc.pipelines.list

    eventarc.pipelines.update

    eventarc.providers.*

    • eventarc.providers.get
    • eventarc.providers.list

    eventarc.triggers.create

    eventarc.triggers.delete

    eventarc.triggers.get

    eventarc.triggers.getIamPolicy

    eventarc.triggers.list

    eventarc.triggers.undelete

    eventarc.triggers.update

    firebasedatabase.instances.get

    firebasedatabase. instances. update

    iam.serviceAccounts.actAs

    iam. serviceAccounts. getAccessToken

    iam. serviceAccounts. getOpenIdToken

    iam.serviceAccounts.signBlob

    pubsub.subscriptions.*

    • pubsub.subscriptions.consume
    • pubsub.subscriptions.create
    • pubsub.subscriptions.delete
    • pubsub.subscriptions.get
    • pubsub. subscriptions. getIamPolicy
    • pubsub.subscriptions.list
    • pubsub. subscriptions. setIamPolicy
    • pubsub.subscriptions.update

    pubsub. topics. attachSubscription

    pubsub.topics.create

    pubsub.topics.get

    pubsub.topics.list

    recommender.locations.*

    • recommender.locations.get
    • recommender.locations.list

    recommender. runServiceCostInsights.*

    • recommender. runServiceCostInsights. get
    • recommender. runServiceCostInsights. list
    • recommender. runServiceCostInsights. update

    recommender. runServiceCostRecommendations.*

    • recommender. runServiceCostRecommendations. get
    • recommender. runServiceCostRecommendations. list
    • recommender. runServiceCostRecommendations. update

    recommender. runServiceIdentityInsights.*

    • recommender. runServiceIdentityInsights. get
    • recommender. runServiceIdentityInsights. list
    • recommender. runServiceIdentityInsights. update

    recommender. runServiceIdentityRecommendations.*

    • recommender. runServiceIdentityRecommendations. get
    • recommender. runServiceIdentityRecommendations. list
    • recommender. runServiceIdentityRecommendations. update

    recommender. runServicePerformanceInsights.*

    • recommender. runServicePerformanceInsights. get
    • recommender. runServicePerformanceInsights. list
    • recommender. runServicePerformanceInsights. update

    recommender. runServicePerformanceRecommendations.*

    • recommender. runServicePerformanceRecommendations. get
    • recommender. runServicePerformanceRecommendations. list
    • recommender. runServicePerformanceRecommendations. update

    recommender. runServiceSecurityInsights.*

    • recommender. runServiceSecurityInsights. get
    • recommender. runServiceSecurityInsights. list
    • recommender. runServiceSecurityInsights. update

    recommender. runServiceSecurityRecommendations.*

    • recommender. runServiceSecurityRecommendations. get
    • recommender. runServiceSecurityRecommendations. list
    • recommender. runServiceSecurityRecommendations. update

    remotebuildexecution.blobs.get

    resourcemanager.projects.get

    resourcemanager. projects. getIamPolicy

    resourcemanager.projects.list

    run.configurations.*

    • run.configurations.get
    • run.configurations.list

    run.executions.*

    • run.executions.cancel
    • run.executions.delete
    • run.executions.get
    • run.executions.list

    run.jobs.create

    run.jobs.delete

    run.jobs.get

    run.jobs.getIamPolicy

    run.jobs.list

    run.jobs.listEffectiveTags

    run.jobs.listTagBindings

    run.jobs.run

    run.jobs.runWithOverrides

    run.jobs.update

    run.locations.list

    run.operations.*

    • run.operations.delete
    • run.operations.get
    • run.operations.list

    run.revisions.*

    • run.revisions.delete
    • run.revisions.get
    • run.revisions.list

    run.routes.*

    • run.routes.get
    • run.routes.invoke
    • run.routes.list

    run.services.create

    run.services.delete

    run.services.get

    run.services.getIamPolicy

    run.services.list

    run.services.listEffectiveTags

    run.services.listTagBindings

    run.services.update

    run.tasks.*

    • run.tasks.get
    • run.tasks.list

    run.workerpools.create

    run.workerpools.delete

    run.workerpools.get

    run.workerpools.getIamPolicy

    run.workerpools.list

    run.workerpools.update

    serviceusage.quotas.get

    serviceusage.services.disable

    serviceusage.services.enable

    serviceusage.services.get

    serviceusage.services.use

    source.repos.get

    source.repos.list

    storage.buckets.create

    storage.buckets.delete

    storage.buckets.get

    storage.buckets.update

    storage.objects.create

    storage.objects.delete

    storage.objects.get

    storage.objects.list

    vpcaccess.connectors.get

    vpcaccess.connectors.use

    ( roles/ cloudfunctions.viewer )

    Read-only access to functions and locations.

    cloudasset. assets. searchAllResources

    cloudbuild.builds.get

    cloudbuild.builds.list

    cloudbuild.locations.*

    • cloudbuild.locations.get
    • cloudbuild.locations.list

    cloudbuild.operations.*

    • cloudbuild.operations.get
    • cloudbuild.operations.list

    cloudfunctions.functions.get

    cloudfunctions. functions. getIamPolicy

    cloudfunctions.functions.list

    cloudfunctions.locations.list

    cloudfunctions.operations.*

    • cloudfunctions.operations.get
    • cloudfunctions.operations.list

    eventarc. channelConnections. get

    eventarc. channelConnections. getIamPolicy

    eventarc. channelConnections. list

    eventarc.channels.get

    eventarc.channels.getIamPolicy

    eventarc.channels.list

    eventarc.enrollments.get

    eventarc. enrollments. getIamPolicy

    eventarc.enrollments.list

    eventarc.googleApiSources.get

    eventarc. googleApiSources. getIamPolicy

    eventarc.googleApiSources.list

    eventarc. googleChannelConfigs. get

    eventarc.kafkaSources.get

    eventarc. kafkaSources. getIamPolicy

    eventarc.kafkaSources.list

    eventarc.locations.*

    • eventarc.locations.get
    • eventarc.locations.list

    eventarc.messageBuses.get

    eventarc. messageBuses. getIamPolicy

    eventarc.messageBuses.list

    eventarc.messageBuses.use

    eventarc. multiProjectSources. collectGoogleApiEvents

    eventarc.operations.get

    eventarc.operations.list

    eventarc.pipelines.get

    eventarc. pipelines. getIamPolicy

    eventarc.pipelines.list

    eventarc.providers.*

    • eventarc.providers.get
    • eventarc.providers.list

    eventarc.triggers.get

    eventarc.triggers.getIamPolicy

    eventarc.triggers.list

    recommender. cloudFunctionsPerformanceInsights. get

    recommender. cloudFunctionsPerformanceInsights. list

    recommender. cloudFunctionsPerformanceRecommendations. get

    recommender. cloudFunctionsPerformanceRecommendations. list

    recommender.locations.*

    • recommender.locations.get
    • recommender.locations.list

    recommender. runServiceCostInsights. get

    recommender. runServiceCostInsights. list

    recommender. runServiceCostRecommendations. get

    recommender. runServiceCostRecommendations. list

    recommender. runServiceIdentityInsights. get

    recommender. runServiceIdentityInsights. list

    recommender. runServiceIdentityRecommendations. get

    recommender. runServiceIdentityRecommendations. list

    recommender. runServicePerformanceInsights. get

    recommender. runServicePerformanceInsights. list

    recommender. runServicePerformanceRecommendations. get

    recommender. runServicePerformanceRecommendations. list

    recommender. runServiceSecurityInsights. get

    recommender. runServiceSecurityInsights. list

    recommender. runServiceSecurityRecommendations. get

    recommender. runServiceSecurityRecommendations. list

    remotebuildexecution.blobs.get

    resourcemanager.projects.get

    resourcemanager.projects.list

    run.configurations.*

    • run.configurations.get
    • run.configurations.list

    run.executions.get

    run.executions.list

    run.jobs.get

    run.jobs.getIamPolicy

    run.jobs.list

    run.jobs.listEffectiveTags

    run.jobs.listTagBindings

    run.locations.list

    run.operations.get

    run.operations.list

    run.revisions.get

    run.revisions.list

    run.routes.get

    run.routes.list

    run.services.get

    run.services.getIamPolicy

    run.services.list

    run.services.listEffectiveTags

    run.services.listTagBindings

    run.tasks.*

    • run.tasks.get
    • run.tasks.list

    run.workerpools.get

    run.workerpools.getIamPolicy

    run.workerpools.list

    serviceusage.quotas.get

    serviceusage.services.get

    serviceusage.services.list

    Custom roles

    For developers that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles .

    If the role contains permissions that let a developer deploy functions, then you must perform the additional configuration in the next section.

    Additional configuration for deployment

    You use Identity and Access Management to authorize identities to perform administrative actions on functions created using the Cloud Functions v2 API —for example, using gcloud functions , the REST API, or Terraform. Administration actions include creating, updating, and deleting functions. For more information, see Authorize access with IAM .

    To deploy Cloud Run functions that were created with the Cloud Functions v1 API or v2 API, ask your administrator to grant you one of the following IAM roles:

    You must also grant the runtime service account and the Cloud Build service account the following role:

    These configurations don't impact the custom Cloud Build service account or the permissions required to build a function. For more information, see Build process overview .

    Console

    1. Go to the Google Cloud console:

      Go to Google Cloud console

    2. Select a project to display the runtime service accounts associated with it.

    3. Select a runtime service account from the Emailcolumn in the table:

      • For Cloud Run functions (1st gen), the default runtime service account is PROJECT_ID@appspot.gserviceaccount.com .
      • For Cloud Run functions, the default runtime service account is PROJECT_NUMBER-compute@developer.gserviceaccount.com .

    4. Display the Permissionstab.

    5. Click Grant Access.

    6. Enter the member (for example, user or group email) that you're granting the Admin or Developer role to.

    7. Under Assign Roles > Role, choose Service Accounts > Service Account User.

    8. Click Save.

    gcloud

    Cloud Run functions (1st gen):

    gcloud  
iam  
service-accounts  
add-iam-policy-binding  
 \ 
  
 PROJECT_ID 
@appspot.gserviceaccount.com  
 \ 
  
--member  
 MEMBER 
  
 \ 
  
--role  
roles/iam.serviceAccountUser

    Cloud Run functions:

    gcloud  
iam  
service-accounts  
add-iam-policy-binding  
 \ 
  
 PROJECT_NUMBER 
-compute@developer.gserviceaccount.com  
 \ 
  
--member  
 MEMBER 
  
 \ 
  
--role  
roles/iam.serviceAccountUser

    Optional permissions

    The following optional permissions can be considered when configuring accounts with a minimal permission set:

    • monitoring.timeSeries.list on the project level. Typically assigned through the roles/monitoring.viewer role. It allows user to access metrics generated by their function. For more information, go to the Stackdriver documentation for Access Control .
    • logging.logEntries.list on the project level. Typically assigned through the roles/logging.viewer role. It allows user to access logs generated by their function. For more information, go to the Access Control guide in the Stackdriver Logging documentation.
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: