Stay organized with collections Save and categorize content based on your preferences.
Function Identity
This page provides supplemental information for configuring function identity for functions created using the gcloud functions commands or the Cloud Functions v2 API.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-14 UTC."],[[["Cloud Run functions utilize service accounts as their identity to access other Google Cloud resources, and each function should preferably be assigned a dedicated, user-managed service account."],["By default, Cloud Run functions use the project's default compute service account, which may have the Editor role unless an organization policy constraint is enforced to disable the automatic grant."],["For enhanced security, it's advised to either change the permissions of the default service account to less permissive roles, or create and use individual user-managed service accounts for each function, granting them the least privilege necessary."],["You can manage access by changing the default runtime service account permissions or create individual service accounts, and can connect a user-managed service account with your function during deployment or by updating an existing function."],["The Compute Metadata Server allows Cloud Run functions to fetch OpenID Connect ID tokens or OAuth 2.0 access tokens, which are necessary for interacting with services that require specific authentication methods."]]],[]]
