I'm working on a series of Cloud Functions in one Google Cloud project and, for some reason, I suddenly get this error:
Deployment failure:
Missing necessary permission resourcemanager.projects.getIamPolicy for service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com on resource projects/la-cloud-functions. Please grant service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com the Cloud Functions Service Agent role. You can do that by running 'gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com --role=Cloud Functions Service Agent'
Besides the badly formatted error response (you can't have --role=Cloud Functions Service Agent - it should be --role=roles/cloudfunctions.serviceAgent), when I try to run the amended command:
gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com --role=roles/cloudfunctions.serviceAgent
I get this error:
The requested URL /v1/projects/la-cloud-functions/serviceAccounts/projects/la-cloud-functions:getIamPolicy?alt=json was not found on this server.
Finally, trying to assign the Cloud Functions Server Agent role through the console gave me another surprise - the role is missing from the list, where it should be under Service Management:
I have tried to reset the service account by re-enabling the Cloud Functions API with this command:
gcloud services enable cloudfunctions.googleapis.com
But again, no success.
Anyone have any ideas on how to fix this problem and make the Cloud Functions Service Agent role available again?
TIA - Joe
Try the following steps to solve this:
Disable Cloud Functions API:
gcloud services disable cloudfunctions.googleapis.com --project la-cloud-functions
Wait about a minute for the disable to complete.
Delete the cloud functions member account using the CLI or using the GCP Console under IAM.
gcloud projects remove-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
Wait about a minute. Then verify that this member has been removed in the GCP Console under IAM.
Enable Cloud Functions API:
gcloud services enable cloudfunctions.googleapis.com --project la-cloud-functions
Go back to the GCP Console. You should find a new Google Cloud Functions Service Agent member.
Note:
You are using the wrong command to add cloudfunctions.serviceAgent. Here is the correct command:
gcloud projects add-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
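A scripted form of the two "verify in the GCP Console" steps in the answer above, as an added example that is not part of the original answer. It assumes the project policy is available as JSON (for instance from `gcloud projects get-iam-policy la-cloud-functions --format=json`); the function name and the sample policies are constructed for illustration.

```python
import json

ROLE = "roles/cloudfunctions.serviceAgent"
# Service agent address taken from the error message on this page.
AGENT = "service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com"


def agent_status(policy_json, agent=AGENT, role=ROLE):
    """Classify the service agent in a project IAM policy (JSON text).

    Returns (state, roles): state is "ok" when the live account holds `role`,
    "deleted" when only a stale deleted: entry is left, otherwise "missing".
    """
    live = "serviceAccount:" + agent
    stale_prefix = "deleted:serviceAccount:" + agent + "?uid="
    roles, stale = set(), False
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            if member == live:
                roles.add(binding["role"])
            elif member.startswith(stale_prefix):
                stale = True
    if role in roles:
        return "ok", sorted(roles)
    return ("deleted" if stale else "missing"), sorted(roles)


# Constructed sample policies (not real project data).
OWNER = {"role": "roles/owner", "members": ["user:admin@example.com"]}
BROKEN = json.dumps({"bindings": [OWNER]})
STALE = json.dumps({"bindings": [OWNER, {
    "role": ROLE,
    "members": ["deleted:serviceAccount:" + AGENT + "?uid=000000000000000000000"],
}]})
FIXED = json.dumps({"bindings": [OWNER, {
    "role": ROLE, "members": ["serviceAccount:" + AGENT]}]})

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN), ("stale", STALE), ("fixed", FIXED)):
        print(name, agent_status(policy))
```

A "missing" or "deleted" result matches the state in which the deployment error appears; "ok" is the state expected after the API has been re-enabled and the binding exists at the project level.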