Service account

A Cloud function runs as a service account, and the IAM roles granted to that account determine which other Google Cloud Platform (GCP) services the function can use. The following sections cover the permissions commonly required by DataFlow Functions.

Creating/adding service account

When configuring your Cloud function:

  1. Locate the Runtime service account section of the Runtime, build, connections and security settings.

  2. If you already have a service account for this purpose, you may select it here. Otherwise, select Create new service account.

  3. Specify the account name and ID.

  4. Click Create service account.

    You will need to add permissions to the Service Account separately.

When configuring Secrets accessible to the Cloud function, the console automatically prompts you to grant the necessary permissions to the Runtime Service Account. For more information on this, see the Google Cloud Secret Manager section in Parameters.

Adding additional role to service account

When providing custom extensions or resources from a Cloud Storage bucket, you need to add an additional role to the Service Account:

  1. Navigate to the IAM & Admin GCP service, and select Roles on the left sidebar.

  2. Click Create role.

  3. Name the role.

  4. Click Add permissions.

  5. In the Filter section, enter storage.buckets.get in the Enter property name or value field.

  6. Click Add.

  7. Do the same for the storage.buckets.list permission.

  8. Click Create.

  9. Select IAM from the left sidebar.

  10. Locate your Cloud function's Runtime Service Account, and click the Edit pencil icon on the far right.

  11. In the Role drop-down menu, select Custom > your newly created Role on the right side.

  12. Click Save.

For additional information, see Cloud Storage.

Your Service Account now allows your Cloud function to list and get objects from buckets.

Granting service account access to a specific bucket

You need to grant your Service Account access to the specific bucket configured in the CLOUD_STORAGE_BUCKET environment variable:

  1. Navigate to the Cloud Storage GCP service, and click your bucket name.

  2. Select the Permissions tab under the bucket name.

  3. In the Permissions section, click Add.

  4. Provide the fully qualified name of the Runtime Service Account.

    For example: naaf@projectname.iam.gserviceaccount.com

  5. In Select a role, select Cloud Storage on the left, and Storage Object Viewer on the right.

  6. Click Save.
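The three console procedures above (creating the runtime service account, creating and binding the custom role with storage.buckets.get and storage.buckets.list, and granting Storage Object Viewer on one bucket) can also be scripted with the gcloud CLI. The script below is an added example and is not part of the DataFlow Functions documentation or product. PROJECT_ID, CLOUD_STORAGE_BUCKET and the custom role ID dataflowFunctionsBucketReader are placeholders; the account ID naaf is taken from the example address on this page. Commands are only printed until you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the DataFlow Functions documentation: gcloud
# equivalents of the console steps for the runtime service account.
# PROJECT_ID, CLOUD_STORAGE_BUCKET and ROLE_ID are placeholders to replace.

PROJECT_ID="${PROJECT_ID:-my-project}"                       # placeholder project
SA_NAME="${SA_NAME:-naaf}"                                   # account ID, as in the page's example
CLOUD_STORAGE_BUCKET="${CLOUD_STORAGE_BUCKET:-my-bucket}"    # placeholder bucket
ROLE_ID="${ROLE_ID:-dataflowFunctionsBucketReader}"          # placeholder custom role ID
DRY_RUN="${DRY_RUN:-1}"                                      # 1 = print commands, 0 = run them

# Fully qualified name of the runtime service account, the form the bucket
# Permissions tab expects (for example naaf@projectname.iam.gserviceaccount.com).
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT_ID"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# "Creating/adding service account", steps 1-4.
create_runtime_sa() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project "$PROJECT_ID" \
    --display-name "DataFlow Functions runtime"
}

# "Adding additional role to service account", steps 1-8: a custom role that
# holds exactly the two bucket permissions the page lists and nothing broader.
create_bucket_reader_role() {
  run gcloud iam roles create "$ROLE_ID" \
    --project "$PROJECT_ID" \
    --title "DataFlow Functions bucket reader" \
    --permissions storage.buckets.get,storage.buckets.list \
    --stage GA
}

# Steps 9-12: bind the custom role to the runtime service account at project
# level. storage.buckets.list is checked against the project, so a bucket-level
# binding would not cover it.
bind_custom_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$(sa_email)" \
    --role "projects/$PROJECT_ID/roles/$ROLE_ID"
}

# "Granting service account access to a specific bucket": Storage Object Viewer
# on the one bucket named in CLOUD_STORAGE_BUCKET only, not on the whole project.
grant_bucket_object_viewer() {
  run gcloud storage buckets add-iam-policy-binding "gs://$CLOUD_STORAGE_BUCKET" \
    --member "serviceAccount:$(sa_email)" \
    --role roles/storage.objectViewer
}

# Review what the account ended up with; also useful after doing the steps
# in the console.
show_grants() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten "bindings[].members" \
    --filter "bindings.members:serviceAccount:$(sa_email)" \
    --format "table(bindings.role)"
  run gcloud storage buckets get-iam-policy "gs://$CLOUD_STORAGE_BUCKET" \
    --format json
}

main() {
  create_runtime_sa
  create_bucket_reader_role
  bind_custom_role
  grant_bucket_object_viewer
  show_grants
}

main
```

Run it once with the default DRY_RUN=1 to review the exact commands and names, then with DRY_RUN=0 PROJECT_ID=... CLOUD_STORAGE_BUCKET=... to apply them. Note that the custom role only covers bucket metadata (getting and listing buckets); reading the objects inside the bucket comes from the Storage Object Viewer binding, which is why that grant is scoped to the single bucket rather than the project.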