You use Identity and Access Management (IAM) to authorize identities to perform administrative actions on functions created using the Cloud Functions v2 API, for example, using gcloud functions, the REST API, or Terraform. Administration actions include creating, updating, and deleting functions. For information about IAM access for functions created with Cloud Run, see Access control with IAM.
In IAM, you grant principals (the identities you want to enable, usually a user or service account email) the appropriate IAM roles on the function or project. These roles include permissions that define the actions the principal is allowed to do.
Note: By default, entities that need to invoke an HTTP function must explicitly present authentication credentials (proof of identity) and have the required permissions. The authentication requirement, however, can be turned off. For more information on how to acquire and present the appropriate authentication credential, see Authenticating for invocation.

Before you begin

To get the permission that you need to control access for a specific function or all functions in a project, ask your administrator to grant you the Cloud Functions Admin (roles/cloudfunctions.admin) IAM role on the function or the project. For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the cloudfunctions.functions.setIamPolicy permission, which is required to control access for a specific function or all functions in a project.
You might also be able to get this permission with custom roles or other predefined roles.
See Cloud Functions IAM roles for the full list of roles and their associated permissions.
Note: You can't grant roles to allUsers and allAuthenticatedUsers at the project level.

Enabling access to a function

You can control actions on a function by granting or restricting roles to individual identities through IAM.

Adding principals and granting roles

Use the gcloud functions add-iam-policy-binding command:

    gcloud functions add-iam-policy-binding FUNCTION_NAME \
      --member=PRINCIPAL_ID \
      --role=ROLE

where FUNCTION_NAME is the function name, PRINCIPAL_ID is the principal's identifier, usually an email, and ROLE is the role.
For a list of sources that can provide a PRINCIPAL_ID, see Principal identifiers. For a list of acceptable values for ROLE, see the IAM roles reference page.

To remove a role from a principal, use the gcloud functions remove-iam-policy-binding command:

    gcloud functions remove-iam-policy-binding FUNCTION_NAME \
      --member=PRINCIPAL_ID \
      --role=ROLE

where FUNCTION_NAME is the function name, PRINCIPAL_ID is the email address that identifies the service account, prefaced with serviceAccount:, and ROLE is the role.
For a list of acceptable sources for PRINCIPAL_ID, see Principal identifiers. For a list of possible values for ROLE, see the IAM roles reference page.
If the principal has been granted multiple roles, make sure you specify the one you want to remove.

Bulk addition of principals

Create an IAM policy named, for example, policy.json:

    {
      "bindings": [
        {
          "role": "ROLE",
          "members": [
            "PRINCIPAL_ID"
          ]
        }
      ]
    }

Use the gcloud functions set-iam-policy command:

    gcloud functions set-iam-policy FUNCTION_NAME policy.json

For a list of acceptable sources for PRINCIPAL_ID, see Principal identifiers. For a list of acceptable values for ROLE, see the IAM roles reference page.
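
Because set-iam-policy replaces the function's whole policy with the contents of policy.json, a file holding only the new binding drops every existing one. The following added example (not part of the original page) starts from the JSON that get-iam-policy returns and merges a binding into it. The sample policy, principals, etag, and the add_members helper are constructed for illustration.

```python
import json

# Constructed sample of `gcloud functions get-iam-policy FUNCTION_NAME --format=json`
# output. The principals and the etag value are made up for illustration.
CURRENT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudfunctions.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/cloudfunctions.viewer", "members": ["group:devs@example.com"]}
  ],
  "etag": "BwXhqDVXfoo=",
  "version": 1
}
""")


def add_members(policy, role, members):
    """Hypothetical helper: return a copy of policy with members added to role."""
    merged = json.loads(json.dumps(policy))  # deep copy, input stays untouched
    bindings = merged.setdefault("bindings", [])
    # Reuse only an unconditional binding for the role; a binding that carries
    # a condition grants access under different terms and is left alone.
    target = next((b for b in bindings
                   if b.get("role") == role and "condition" not in b), None)
    if target is None:
        target = {"role": role, "members": []}
        bindings.append(target)
    current = target.setdefault("members", [])
    for member in members:
        if member not in current:  # avoid duplicate entries
            current.append(member)
    # etag is carried over unchanged so a concurrent edit is detected on write.
    return merged


if __name__ == "__main__":
    updated = add_members(
        CURRENT_POLICY,
        "roles/cloudfunctions.viewer",
        ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
    )
    # Write the merged result, then run:
    #   gcloud functions set-iam-policy FUNCTION_NAME policy.json
    with open("policy.json", "w") as fh:
        json.dump(updated, fh, indent=2)
```
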

To view principals, use the gcloud functions get-iam-policy command:

    gcloud functions get-iam-policy FUNCTION_NAME

Allowing unauthenticated HTTP function invocation

To allow unauthenticated invocations, you must specify this at or after deployment.
You use a special variant of the approach described earlier to grant unauthenticated invokers the ability to invoke an HTTP function.
If you are developing functions in a project that is subject to the Domain Restricted Sharing organization policy, you will be unable to allow unauthenticated invocation of a function.
Note: Event-driven functions can only be invoked by the event source to which they are subscribed.

At deployment

The gcloud functions deploy command includes a prompt to help you configure invocation permissions during function creation. It can also include the --allow-unauthenticated flag:

    gcloud functions deploy FUNCTION_NAME \
      --trigger-http \
      --allow-unauthenticated \
      ...

Subsequent deployments of the same function don't change its status, even if you don't use this flag.
Note: Use of the --allow-unauthenticated flag modifies IAM permissions. To ensure that unauthorized developers cannot modify function permissions, the user or service that is deploying the function must have the cloudfunctions.functions.setIamPolicy permission. This permission is included in both the Owner and Cloud Functions Admin roles. See IAM roles for the full list of roles and their associated permissions.

After deployment

Use the gcloud run services add-iam-policy-binding command to grant the roles/run.invoker role to the specific function:

    gcloud run services add-iam-policy-binding FUNCTION_NAME \
      --member="allUsers" \
      --role="roles/run.invoker"

See the gcloud run add-iam-policy-binding reference for more information about these fields.
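
An added example, not part of the original page: a review check that flags bindings to the public principals allUsers and allAuthenticatedUsers, so you can list which functions accept callers without an identity you granted access to. The policies are constructed samples shaped like the JSON output of gcloud run services get-iam-policy FUNCTION_NAME --format=json; the function names, principals, and helper names are hypothetical.

```python
# Principals that make a binding public: anyone on the internet, or anyone
# signed in with any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policies keyed by function name (illustrative values only).
SAMPLE_POLICIES = {
    "public-webhook": {
        "bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}],
    },
    "internal-api": {
        "bindings": [{
            "role": "roles/run.invoker",
            "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"],
        }],
    },
    "legacy-report": {
        "bindings": [{
            "role": "roles/run.invoker",
            "members": ["user:analyst@example.com", "allAuthenticatedUsers"],
        }],
    },
    "no-bindings": {},  # a policy with no bindings at all
}


def public_bindings(policy):
    """Return (role, member) pairs that grant a role to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        exposed = PUBLIC_PRINCIPALS.intersection(binding.get("members", []))
        for member in sorted(exposed):
            findings.append((binding.get("role"), member))
    return findings


def audit(policies):
    """Map each function name to its public bindings, omitting clean functions."""
    report = {}
    for name, policy in policies.items():
        findings = public_bindings(policy)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in sorted(audit(SAMPLE_POLICIES).items()):
        for role, member in findings:
            print(f"{name}: {member} holds {role}")
```
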
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.