Stay organized with collections
Save and categorize content based on your preferences.
Function Identity
This page provides supplemental information for configuring function identity for
functions created using the
gcloud functions commands or the
Cloud Functions v2 API.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eCloud Run functions utilize service accounts as their identity to access other Google Cloud resources, and each function should preferably be assigned a dedicated, user-managed service account.\u003c/p\u003e\n"],["\u003cp\u003eBy default, Cloud Run functions use the project's default compute service account, which may have the Editor role unless an organization policy constraint is enforced to disable the automatic grant.\u003c/p\u003e\n"],["\u003cp\u003eFor enhanced security, it's advised to either change the permissions of the default service account to less permissive roles, or create and use individual user-managed service accounts for each function, granting them the least privilege necessary.\u003c/p\u003e\n"],["\u003cp\u003eYou can manage access by changing the default runtime service account permissions or create individual service accounts, and can connect a user-managed service account with your function during deployment or by updating an existing function.\u003c/p\u003e\n"],["\u003cp\u003eThe Compute Metadata Server allows Cloud Run functions to fetch OpenID Connect ID tokens or OAuth 2.0 access tokens, which are necessary for interacting with services that require specific authentication methods.\u003c/p\u003e\n"]]],[],null,["# Function Identity\n=================\n\nThis page provides supplemental information for configuring function identity for\nfunctions created using the\n[`gcloud functions`](/sdk/gcloud/reference/functions) commands or the\n[Cloud Functions v2 API](/functions/docs/reference/rest).\n\nIf you've created or deployed functions using Cloud Run, see\n[Introduction to service identity](/run/docs/securing/service-identity) and\n[Configure service identity for services](/run/docs/configuring/services/service-identity)\nfor a detailed description of configuring service identity. Cloud Run\nrefers to the function identity as the *service identity*.\n\nFor an introduction to the function identity concept, see the Cloud Run\n[Introduction to service identity](/run/docs/securing/service-identity) guide.\n\nAdd a user-managed service account at deployment\n------------------------------------------------\n\nWhen deploying a function using `gcloud functions deploy`, add the\n`--service-account` flag. For example: \n\n```bash\ngcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL\n```\n\nReplace \u003cvar translate=\"no\"\u003eFUNCTION_NAME\u003c/var\u003e with your function name, and\n\u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_EMAIL\u003c/var\u003e with the service account\nemail.\n\nUpdate the service account of an existing function\n--------------------------------------------------\n\nYou can update the runtime service account of an existing function.\n\nWhen deploying a function using `gcloud functions deploy`, add the\n`--service-account` flag: \n\n```bash\ngcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL\n```\n\nReplace \u003cvar translate=\"no\"\u003eFUNCTION_NAME\u003c/var\u003e with your function name, and\n\u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_EMAIL\u003c/var\u003e with the service account.\n\nThe redeployed function now uses the new runtime service account."]]
