service account roles to deploy google cloud function

I'm trying to use gcloud beta functions deploy from CI using a service account, but get an error:

(gcloud.beta.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]

I can't find any roles in the IAM web console that look appropriate. Which one do I use?

Aile answered 16/6, 2017 at 10:54 Comment(4)
- Could you expand the CI acronym? - Please run the command with --log-http to see which call is failing. - Please run gcloud auth list to check what account gcloud authenticates as.Tripinnate
@BasketWeaver CI = Continuous Integration (Jenkins/Bamboo/Bitbucket pipelines etc). I'm using a gcloud service account ([email protected]). It's pretty clear what's happening on the network - I'm trying to execute "gcloud.beta.functions.deploy" and the response is 403 because the service account does not have the correct privileges. Adding "Owner" and "Editor" as QuestionAndAnswer suggests would likely fix the problem, but I was hoping for a more specific Role.Aile
It seems there aren't any roles with narrower permissions that would allow deploying a function. And there is no permission for doing just that, so it seems you can't even create your own role for that :(Tripinnate
According to cloudfunctions.googleapis.com/$discovery/rest?version=v1beta2 the scope required is "googleapis.com/auth/cloud-platform" ...that still doesn't map to anything in the Roles though...Aile

To deploy a function, the user should have the role roles/cloudfunctions.developer

I found this by changing the role in the UI. I couldn't find any official Google documentation. This role is also mentioned in this article: https://medium.com/google-cloud/triggering-cloud-functions-deployments-97691f9b5416

Selfconsequence answered 20/6, 2018 at 11:45 Comment(0)

Check your current config: gcloud config list

View the result and check that project = is exactly the same as your target project's PROJECT_ID.

You can list your projects: gcloud config set project

IMPORTANT

project = is not the NAME. You MUST SET the PROJECT_ID.

Phraseologist answered 8/2, 2018 at 13:33 Comment(1)
Thank you @takashi! This is yet another misleading error message from GoogleSikorski

This is the minimum role required for my Service Account (not the default Cloud Functions service account) to successfully deploy a Cloud Function using CI.

Cloud Functions Developer
Service Account User

From the docs

In order to assign a user the Cloud Functions Developer role (roles/cloudfunctions.developer) or a custom role that can deploy functions, you must also assign the user the IAM Service Account User role (roles/iam.serviceAccountUser) on the Cloud Functions Runtime service account.

Reference: https://cloud.google.com/functions/docs/reference/iam/roles

One thing which I don't understand is the mention of the Runtime Service Account. You don't have to assign the Service Account User role to the Runtime Service Account; rather, it should be assigned to your SA which you are using to deploy. (Not sure whether I understand the doc correctly.)

Detector answered 4/11, 2018 at 20:38 Comment(0)
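The two grants this answer and the quoted docs describe can be verified before a CI run rather than discovered through a 403. The following is an added example, not code from any poster or from Google: it reads IAM policies in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json` print, checks that the deploying service account holds roles/cloudfunctions.developer on the project and roles/iam.serviceAccountUser on the runtime service account, and flags Owner/Editor as broader than the task needs. The service account name and the sample policies are constructed.

```python
import json

# Constructed deployer identity; substitute your own (not from the thread).
DEPLOY_SA = "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"

REQUIRED_ON_PROJECT = "roles/cloudfunctions.developer"
REQUIRED_ON_RUNTIME_SA = "roles/iam.serviceAccountUser"
BROAD_ROLES = {"roles/owner", "roles/editor"}


def roles_for(policy: dict, member: str) -> set:
    """Roles a member holds in a getIamPolicy document: {"bindings": [{"role", "members"}]}."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_deployer(project_policy: dict, runtime_sa_policy: dict, member: str = DEPLOY_SA) -> list:
    """Return findings; an empty list means the least-privilege deploy setup is in place.

    runtime_sa_policy is the policy *on* the runtime service account, which is where
    the docs quoted above say Service Account User must be granted to the deployer
    (a project-level grant also satisfies it, but covers every SA in the project).
    """
    project_roles = roles_for(project_policy, member)
    runtime_roles = roles_for(runtime_sa_policy, member)
    findings = []
    if REQUIRED_ON_PROJECT not in project_roles:
        findings.append(f"missing {REQUIRED_ON_PROJECT} on the project")
    if REQUIRED_ON_RUNTIME_SA not in runtime_roles:
        findings.append(f"missing {REQUIRED_ON_RUNTIME_SA} on the runtime service account")
    for role in sorted(project_roles & BROAD_ROLES):
        findings.append(f"broader than needed: {role} on the project")
    return findings


# Constructed sample policies in the JSON shape gcloud prints (etag/version omitted).
BROAD_PROJECT_POLICY = json.loads(
    '{"bindings": [{"role": "roles/editor", "members": ["%s"]}]}' % DEPLOY_SA)
EMPTY_RUNTIME_SA_POLICY = json.loads('{"bindings": []}')
MIN_PROJECT_POLICY = {"bindings": [{"role": REQUIRED_ON_PROJECT, "members": [DEPLOY_SA]}]}
MIN_RUNTIME_SA_POLICY = {"bindings": [{"role": REQUIRED_ON_RUNTIME_SA, "members": [DEPLOY_SA]}]}

if __name__ == "__main__":
    # For real use, load the two documents with json.load() from the gcloud output files.
    for label, proj, runtime in (("editor only", BROAD_PROJECT_POLICY, EMPTY_RUNTIME_SA_POLICY),
                                 ("minimal", MIN_PROJECT_POLICY, MIN_RUNTIME_SA_POLICY)):
        print(label, "->", check_deployer(proj, runtime) or "OK")
```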

You can always begin from these two options. At least they must work.

And make sure that you set up all required environment variables to make Default Application Credentials work.

Intrigante answered 16/6, 2017 at 13:41 Comment(2)
I was hoping for "Hi, I'm from Google, we've just added 'Cloud Functions' Roles", but for now "Editor" works...Aile
@NicholasAlbion that seems under expectation :)Detector

It pretty much explains how to add the correct roles here: service account roles to deploy google cloud function

TLDR:

  1. roles/cloudfunctions.developer
  2. roles/iam.serviceAccountUser

Menstrual answered 12/3, 2023 at 7:5 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.Inebriate