Tags: google-cloud-platform, google-cloud-functions, google-cloud-build, google-cloud-iam

What roles do my Cloud Build service account need to deploy an http triggered unauthenticated Cloud Function?


I was trying to deploy an http triggered Cloud Function with Cloud Build using this configuration.

steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - beta
  - functions
  - deploy
  - myfunction
  - --source=start_shopify_installation
  - --trigger-http
  - --region=europe-west1
  - --runtime=nodejs14
  - --allow-unauthenticated
  - --ingress-settings=all
  - --security-level=secure-always
  - --set-secrets=env_1=secret_1:latest

I got an error saying Cloud Build couldn't set an IAM policy.

WARNING: Setting IAM policy failed, try:
gcloud alpha functions add-iam-policy-binding myfunction\
  --region=europe-west1 \
  --member=allUsers \
  --role=roles/cloudfunctions.invoker

The function gets deployed and when I check in the GCP console it looks like the allUsers member has the role Cloud Functions Invoker, but it doesn't have allow unauthenticated in the Authentication column. When I go to invoke the function I get a 'missing permissions' error.

When I execute the suggested command from my Cloud Shell it works just fine. However, if I fill it in as an extra step in my deployment configuration, that step fails. I think that my Cloud Build service account must be missing a role in order to make the function accessible without authentication? Currently it has these roles: Cloud Build Service Account, Cloud Functions Developer and Service Account User.

EDIT

I added the Project IAM Admin role to the Cloud Build service account and tried again. [Image: Roles for my Cloud Build service account] Unfortunately, it didn't change anything.


Solution

  • I reproduced your error (warning) on my side and fixed it: I can see allUsers having Cloud Functions Invoker role in the function's PERMISSIONS tab.

    In fact your Cloud Build service account needs the cloudfunctions.functions.setIamPolicy permission. So the solution is to replace the Cloud Functions Developer role with the Cloud Functions Admin role.

    Use of the --allow-unauthenticated flag modifies IAM permissions. To ensure that unauthorized developers cannot modify function permissions, the user or service that is deploying the function must have the cloudfunctions.functions.setIamPolicy permission. This permission is included in both the Owner and Cloud Functions Admin roles.

    Ref: https://cloud.google.com/functions/docs/securing/managing-access-iam#at_deployment
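As an added example (not part of the question or answer), a small pre-deploy check that reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy` returns and reports whether the deploying principal holds one of the roles the answer names as carrying cloudfunctions.functions.setIamPolicy. The policy, project number and members are constructed for the example; conditional bindings are flagged rather than trusted.

```python
import json

# Roles the linked docs name as including cloudfunctions.functions.setIamPolicy
# (Owner and Cloud Functions Admin); Cloud Functions Developer does not, which
# is why the build could deploy but not bind allUsers. A custom role could also
# carry the permission, but this check only recognises these two.
ROLES_WITH_SET_IAM_POLICY = {"roles/owner", "roles/cloudfunctions.admin"}

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
# output; project number and members are made up for this example.
CLOUD_BUILD_SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/cloudbuild.builds.builder", "members": [CLOUD_BUILD_SA]},
    {"role": "roles/cloudfunctions.developer", "members": [CLOUD_BUILD_SA]},
    {"role": "roles/iam.serviceAccountUser", "members": [CLOUD_BUILD_SA]},
    # A conditional binding grants its role only while the expression holds,
    # so it is reported separately instead of being trusted outright.
    {"role": "roles/cloudfunctions.admin", "members": ["user:alice@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]})


def roles_for_member(policy_json, member):
    """Split the roles bound to `member` into (unconditional, conditional) sets."""
    unconditional, conditional = set(), set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member in binding.get("members", []):
            (conditional if binding.get("condition") else unconditional).add(binding["role"])
    return unconditional, conditional

def can_set_function_iam(policy_json, member):
    """True only if `member` unconditionally holds a role known to carry setIamPolicy."""
    return bool(roles_for_member(policy_json, member)[0] & ROLES_WITH_SET_IAM_POLICY)

def with_binding(policy_json, role, member):
    """Copy of the policy with `member` added to `role`, to preview the proposed fix."""
    policy = json.loads(policy_json)
    policy["bindings"].append({"role": role, "members": [member]})
    return json.dumps(policy)

def predeploy_report(policy_json, member):
    """What to change before a build using --allow-unauthenticated will succeed."""
    unconditional, conditional = roles_for_member(policy_json, member)
    if unconditional & ROLES_WITH_SET_IAM_POLICY:
        return "ok: " + ", ".join(sorted(unconditional & ROLES_WITH_SET_IAM_POLICY))
    if conditional & ROLES_WITH_SET_IAM_POLICY:
        return "check condition on: " + ", ".join(sorted(conditional & ROLES_WITH_SET_IAM_POLICY))
    return "missing: grant roles/cloudfunctions.admin (replacing roles/cloudfunctions.developer) to " + member
```

Run `predeploy_report` against the real policy JSON and the build service account before adding the `--allow-unauthenticated` step, so the missing role is caught before the build warns.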