Function Identity

This page provides supplemental information for configuring function identity for functions created using the gcloud functions commands or the Cloud Functions v2 API.

If you've created or deployed functions using Cloud Run, see Introduction to service identity and Configure service identity for services for a detailed description of configuring service identity. Cloud Run refers to the function identity as the service identity.

For an introduction to the function identity concept, see the Cloud Run Introduction to service identity guide.

Add a user-managed service account at deployment

When deploying a function using gcloud functions deploy, add the --service-account flag. For example:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

Replace FUNCTION_NAME with your function name, and SERVICE_ACCOUNT_EMAIL with the service account email.

Update the service account of an existing function

You can update the runtime service account of an existing function.

When deploying a function using gcloud functions deploy, add the --service-account flag:

gcloud functions deploy FUNCTION_NAME --service-account SERVICE_ACCOUNT_EMAIL

Replace FUNCTION_NAME with your function name, and SERVICE_ACCOUNT_EMAIL with the service account.

The redeployed function now uses the new runtime service account.