Building Google Cloud Platform Solutions

Cloud Functions and IAM

As with other Google Cloud products and services, Cloud Functions supports permissions through IAM policies. Two IAM roles are specific to Cloud Functions: Cloud Functions Developer and Cloud Functions Viewer. The Cloud Functions Developer role grants full read and write access to all function-related resources, while the Cloud Functions Viewer role grants view-only access to those same resources. In addition, the three project-level primitive IAM roles also apply to Cloud Functions: Project Owner, Project Editor, and Project Viewer.

As mentioned earlier, invoked functions have access to a managed service account with Project Editor rights: appspot.gserviceaccount.com. Note, however, that all Cloud Functions administrative tasks leverage a separate service account: cloudservices.gserviceaccount.com. For example, this service account is used to create a new Pub/Sub subscription when provisioning a new Pub/Sub trigger for a function.
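The two points above (primitive roles spilling into Cloud Functions access, and functions running as the Editor-privileged default service account) are what a least-privilege review of a project would check first. The following added example is not from the book or from Google; it runs two such checks offline over constructed JSON shaped like the output of `gcloud functions list --format=json` (v1 API fields `name` and `serviceAccountEmail`) and `gcloud projects get-iam-policy --format=json`, and assumes the default service account address takes the form `PROJECT_ID@appspot.gserviceaccount.com`.

```python
import json
from typing import Dict, List

# Primitive project roles named in the text; any holder implicitly gets
# Cloud Functions access and should be considered for a granular role
# (roles/cloudfunctions.developer or roles/cloudfunctions.viewer) instead.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample resembling `gcloud functions list --format=json`.
FUNCTIONS_JSON = """[
  {"name": "projects/demo-project/locations/us-central1/functions/resize-image",
   "serviceAccountEmail": "demo-project@appspot.gserviceaccount.com"},
  {"name": "projects/demo-project/locations/us-central1/functions/audit-writer",
   "serviceAccountEmail": "fn-audit@demo-project.iam.gserviceaccount.com"}
]"""

# Constructed sample resembling `gcloud projects get-iam-policy demo-project --format=json`.
POLICY_JSON = """{"bindings": [
  {"role": "roles/editor", "members": ["user:alice@example.com"]},
  {"role": "roles/cloudfunctions.viewer", "members": ["group:sre@example.com"]},
  {"role": "roles/cloudfunctions.developer", "members": ["user:bob@example.com"]}
]}"""


def functions_on_default_sa(functions_json: str) -> List[str]:
    """Return the short names of functions that run as the default App Engine
    service account (assumed form: PROJECT_ID@appspot.gserviceaccount.com),
    which the text describes as carrying Project Editor rights."""
    flagged = []
    for fn in json.loads(functions_json):
        sa = fn.get("serviceAccountEmail", "")
        if sa.endswith("@appspot.gserviceaccount.com"):
            flagged.append(fn["name"].rsplit("/", 1)[-1])
    return flagged


def primitive_role_members(policy_json: str) -> Dict[str, List[str]]:
    """Map each primitive project role present in the policy to the sorted
    list of members holding it, so they can be reviewed for replacement
    with the Cloud Functions Developer or Viewer role."""
    policy = json.loads(policy_json)
    return {b["role"]: sorted(b["members"])
            for b in policy.get("bindings", [])
            if b["role"] in PRIMITIVE_ROLES and b.get("members")}


if __name__ == "__main__":
    print("functions running as the default SA:", functions_on_default_sa(FUNCTIONS_JSON))
    print("primitive role holders:", primitive_role_members(POLICY_JSON))
```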