How to assign a role to the service account of a Google Cloud Function?

Tags:

google-iam

I have a Google Cloud Function designed to fetch a Firestore document.

The function works when I use the default Compute Engine service account. However, for security reasons, I want to adopt the principle of least privilege and create a unique service account with only the specific roles required for my function.

I've created a new service account named [email protected] and attached it to the function. But currently, this service account does not have any permissions. So it can't view the Firestore document, and the function fails with a permission error.

I am attempting to assign the roles/datastore.viewer role to the service account using Google Cloud Console, as I believe this will provide the necessary permissions to retrieve the Firestore document. These were my steps:

  1. IAM and Admin
  2. Service Accounts
  3. Clicked [email protected]
  4. Permissions Tab
  5. Grant Access button

But then the interface that appears is confusing.

It wants me to add a new principal, which I don't think I need to do. It's my understanding that the principal in this context would be the service account itself. Also, I can't find the Firestore Viewer role (roles/datastore.viewer) in the dropdown box. There's only a small number of roles to choose from; I think many are missing.

Could someone guide me through the process of assigning the Firestore Viewer role to my new service account, either via Google Cloud Console or gcloud CLI?

TinyTiger asked Oct 25 '25 01:10


1 Answer

This was incredibly frustrating, but I figured it out in the end.

Using the console:

The problem was that when creating a service account there is a wizard with 3 steps. Step 2 and 3 are marked as optional. And if you skip over step 2 then the service account is created with no roles.

So this entire situation can be avoided by just assigning the required roles during step 2 of the wizard of the service account creation.

If you have already created the service account without any roles, then it needs to be done at the "project level". By following:

  1. Click IAM and Admin
  2. Click IAM. You will not see your service account here yet because it does not have any project roles.
  3. Click the Grant Access button
  4. In the "Add principals" box input your service account email. You can also search for it here and it will show up.
  5. In the "Assign Roles" drop down assign your roles
  6. Now refresh the IAM page and you will see your service account in the list. You can come back here to edit or add additional roles if you want later.

Using gcloud:

You can also use the below gcloud command to create a service account:

gcloud iam service-accounts create SA_NAME \
    --description="DESCRIPTION" \
    --display-name="DISPLAY_NAME"

And then use the following gcloud command to add a role:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SA_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="ROLE_NAME"

Note: It seems you cannot add multiple roles with one gcloud command. So just repeat the same command if you want to add multiple roles.

TinyTiger answered Oct 26 '25 23:10
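The full gcloud procedure from the answer above, scripted end to end, as an added example that is not part of the original question or answer: it creates the service account, binds each role at the project level with one `add-iam-policy-binding` call per role (the CLI accepts a single `--role`, which is why the answer's note says to repeat the command), redeploys the function with the new identity, and lists the roles the account ended up with. The project, account, function and region names are placeholders; `roles/datastore.viewer` is the role the question asks about. Commands are printed by default so the script can be reviewed first; run it with `APPLY=1` to execute them. The deploy step assumes the function already exists and only changes its service account. Note that the caller needs permission to change the project's IAM policy (for example `roles/resourcemanager.projectIamAdmin`) for the binding step to succeed.

```shell
#!/bin/sh
# Added example (not from the original post): create a dedicated service
# account, bind each required role at the PROJECT level, attach the account
# to the function, and verify the bindings.
#
# Commands are printed by default; set APPLY=1 to execute them with gcloud.
set -e

# Assumed values; replace with your own project, account and function names.
PROJECT_ID="${PROJECT_ID:-my-project}"
SA_NAME="${SA_NAME:-firestore-reader}"
FUNCTION_NAME="${FUNCTION_NAME:-fetch-document}"
REGION="${REGION:-us-central1}"
# Space-separated list of roles. roles/datastore.viewer is read-only
# Firestore access, which is all a document-fetching function needs.
ROLES="${ROLES:-roles/datastore.viewer}"
APPLY="${APPLY:-0}"

# Full email of a service account: NAME@PROJECT.iam.gserviceaccount.com
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# IAM member string for a service account, as expected by --member.
sa_member() {
  printf 'serviceAccount:%s' "$(sa_email "$1" "$2")"
}

# Execute the command when APPLY=1, otherwise print it for review.
run() {
  if [ "$APPLY" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Step 1: create the account. Created this way it has no roles at all,
# exactly like skipping the optional step 2 of the console wizard.
create_sa() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" \
    --display-name="Firestore reader for $FUNCTION_NAME" \
    --description="Least-privilege identity for the $FUNCTION_NAME function"
}

# Step 2: bind roles at the project level. add-iam-policy-binding takes a
# single --role, so loop over the list. --condition=None avoids the
# interactive prompt when the policy already contains conditional bindings.
bind_roles() {
  project="$1"; member="$2"; shift 2
  for role in "$@"; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member="$member" --role="$role" --condition=None
  done
}

# Step 3: attach the account to the already deployed function.
attach_to_function() {
  run gcloud functions deploy "$FUNCTION_NAME" \
    --project="$PROJECT_ID" --region="$REGION" \
    --service-account="$(sa_email "$SA_NAME" "$PROJECT_ID")"
}

# Step 4: list every project-level role the account now holds, so an
# accidental over-grant shows up immediately.
show_roles() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$(sa_member "$SA_NAME" "$PROJECT_ID")" \
    --format="value(bindings.role)"
}

create_sa
bind_roles "$PROJECT_ID" "$(sa_member "$SA_NAME" "$PROJECT_ID")" $ROLES
attach_to_function
show_roles
```

A project-level `roles/datastore.viewer` grant allows reading every Firestore document in the project; if the function only needs one collection, consider whether Firestore security rules or a separate project give you a tighter boundary than an IAM role can.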


