4
votes

I'm trying to deploy a function to Google Function running as a different service account other than the default "PROJECT_ID"@appspot.gserviceaccount.com.

Is this even possible?

What I've tried until now is:

  1. Auth as the service account and run the deploy command
  2. Auth as the service account and run the deploy command using "--account"

The functions keep getting deployed with the default serviceAccount.

Thanks

EDIT (2019/02/13):

As stated by @JJC, this is now available via gcloud beta features via:

    gcloud beta functions deploy ... --service-account=$YOUR_SA_HERE

3 Answers

3
votes

This is now available via gcloud beta features:

    gcloud beta functions deploy ... --service-account=$YOUR_SA_HERE

2
votes

Update Oct 2018

This is available now via the gcloud alpha SDK, i.e.

    gcloud alpha functions deploy --service-account=SERVICE_ACCOUNT

The email address of the IAM service account associated with the function at runtime. The service account represents the identity of the running function, and determines what permissions the function has. If not provided, the function will use the project's default service account.

A note: It's probably necessary to sign up for the alpha in order to use it. When I try it (not having signed up for alpha), it deploys without error, but seems to ignore the new flag and use the default service account.

The good news is that it is coming; hopefully it will hit beta soon.

For anyone that may be interested, here is a link to a great use case with example code -- basic solution to secure secrets in your cloud functions: Secrets in Serverless | Seth Vargo
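Because the answer above reports a deploy that succeeded while the flag was silently ignored, here is an added example (not code from any poster on this page) that checks the runtime identity of a function after deployment. It assumes a 1st-gen function whose `gcloud functions describe` output carries the `serviceAccountEmail` field; the function name, region and service account shown in the comments are placeholders.

```shell
#!/bin/sh
# Added example: confirm a deployed Cloud Function runs as the intended
# service account rather than PROJECT_ID@appspot.gserviceaccount.com.

# classify_runtime_sa EXPECTED ACTUAL
# Prints ok | default | mismatch | unknown; returns 0 only for "ok".
classify_runtime_sa() {
  local expected="$1" actual="$2"
  if [ -z "$actual" ]; then
    echo "unknown"; return 3          # describe returned no identity
  fi
  if [ "$actual" = "$expected" ]; then
    echo "ok"; return 0
  fi
  case "$actual" in
    # The flag was ignored and the App Engine default identity is in use.
    *@appspot.gserviceaccount.com) echo "default"; return 1 ;;
    # Some other identity: wrong flag value or a stale deployment.
    *) echo "mismatch"; return 2 ;;
  esac
}

# verify_function_sa NAME REGION EXPECTED
# Reads the identity recorded on the deployed function and classifies it.
# Assumption: 1st-gen function, so the field is serviceAccountEmail.
verify_function_sa() {
  local name="$1" region="$2" expected="$3" actual verdict rc=0
  actual="$(gcloud functions describe "$name" --region "$region" \
    --format='value(serviceAccountEmail)')" || return 4
  verdict="$(classify_runtime_sa "$expected" "$actual")" || rc=$?
  echo "$name: runtime identity '${actual:-<none>}' -> $verdict" >&2
  return "$rc"
}

# Typical use in a deploy script (placeholder values):
#   gcloud beta functions deploy my-fn ... --service-account="$SA"
#   verify_function_sa my-fn us-central1 "$SA" || exit 1
```

A non-zero return lets a CI job fail the release instead of shipping a function that still holds the default account's permissions.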

1
votes

Found the answer on the Google issue tracker: https://issuetracker.google.com/issues/63801748

It's a feature that is still not available at the moment.