I have a cloud function that is triggered by a pub/sub topic. The cloud function is supposed to read in a filename from the topic, and then download the file using a Python storage client library. The job is running as a user-created service account that has admin access to the bucket.
The job succeeds in reading in the filename and creating a storage client, but fails when accessing the bucket with the following error:
permission: "cloudfunctions.functions.getIamPolicy"
permissionType: "ADMIN_READ"
resource: "projects/****/locations/us-central1/functions/FUNCTION_NAME"
The error only says the cloud function itself is missing the permission, and I can’t find any mention of a service account in the error messages.
I have tried giving the Cloud Functions Service Agent ([email protected]) this permission based on this doc, but it did not resolve the error. Re-reading the doc now, it seems that our service account running the function should not need these permissions because it is created in the same project as the function.
Any ideas what is missing?
If the Cloud Function is triggered by HTTP: by default, requests to a function with an HTTP trigger require authentication; it is possible to choose, during deployment, to allow unauthenticated calls or to require authenticated calls.
For both service accounts and user accounts, the name portion of the credential is usually an email address associated with the account. Given this, it is necessary to add the user's email address to the Cloud Functions by granting them the role “roles/cloudfunctions.invoker”; to add members as principals to authenticate the function for the calls, please follow the steps mentioned in this documentation.
Also, you can use IAM to authorize access; for more information, please visit the following link. Try adding the “Owner” role to the service account associated with the Cloud Function. Assign the “Storage Object Admin” and “Storage Legacy Bucket Owner” roles to the service account.
For more information, follow this document.
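As an added example (not code from the question or the answer above), here is what the Pub/Sub-triggered function described in the question looks like when written with the download step isolated so that the message decoding and the object-name check can be exercised without network access. The bucket name, the message payload and the `fetch` callback are assumptions made for this example. The real download path uses `google.cloud.storage`, which authenticates as the function's runtime service account; for that call the service account needs `storage.objects.get` on the bucket (carried by `roles/storage.objectViewer`), which is far narrower than the project-level “Owner” role suggested above. The object-name check matters because the filename arrives from a message anyone with publish rights on the topic can send, so the function should refuse names that leave the intended prefix.

```python
import base64
import json
from typing import Callable

# Assumption: placeholder bucket name, not taken from the question.
BUCKET_NAME = "example-bucket"
# Assumption: objects the function is allowed to fetch live under this prefix.
ALLOWED_PREFIX = "reports/"

# Constructed sample of the event a Pub/Sub-triggered Cloud Function (1st gen)
# receives: the publisher's payload is base64 in the "data" field.
SAMPLE_EVENT = {
    "data": base64.b64encode(b'{"filename": "reports/2024/q1.csv"}').decode("ascii")
}


def extract_filename(event: dict) -> str:
    """Decode the Pub/Sub envelope and pull out the object name to download."""
    raw = base64.b64decode(event.get("data", "")).decode("utf-8")
    payload = json.loads(raw)
    name = payload.get("filename")
    if not isinstance(name, str) or not name:
        raise ValueError("message has no usable 'filename' field")
    return name


def is_safe_object_name(name: str) -> bool:
    """Reject names that could escape the allowed prefix or confuse the storage API.

    Blocks absolute paths, backslashes, NUL bytes, empty segments and '.'/'..'
    components, and requires the allowed prefix.
    """
    if name.startswith("/") or "\\" in name or "\x00" in name:
        return False
    if any(part in ("", ".", "..") for part in name.split("/")):
        return False
    return name.startswith(ALLOWED_PREFIX)


def download_named_file(event: dict, fetch: Callable[[str, str], bytes]) -> bytes:
    """Validate the requested name, then hand it to the supplied downloader.

    `fetch` is injected so the logic can be tested with a stub; in production
    it is `gcs_fetch` below.
    """
    name = extract_filename(event)
    if not is_safe_object_name(name):
        raise ValueError(f"refusing unsafe object name: {name!r}")
    return fetch(BUCKET_NAME, name)


def gcs_fetch(bucket: str, name: str) -> bytes:
    """Real downloader using google-cloud-storage.

    storage.Client() picks up the function's runtime service account; that
    account needs storage.objects.get on the bucket for download_as_bytes().
    """
    from google.cloud import storage  # imported here so the module loads without the library

    client = storage.Client()
    return client.bucket(bucket).blob(name).download_as_bytes()


def handler(event, context):
    """Cloud Functions (1st gen) Pub/Sub entry point."""
    data = download_named_file(event, gcs_fetch)
    print(f"downloaded {len(data)} bytes from gs://{BUCKET_NAME}")
```

Deploy with `handler` as the entry point and the function's service account granted only the storage role it needs on the bucket; if the download still fails, the error from `download_as_bytes()` names the missing `storage.objects.*` permission directly, which is easier to act on than a project-wide role grant.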