Why do we need to setup the deployment of Cloud Functions?
The deployment of GCP's cloud function is strongly recommended for Application team to setup to avoid the following problems:
- Over granting unnecessary permissions to account
- If you simply grant "Owner" or "Editor" permission to the project IAM, this will allow the account to have permission to do more than the account is allowed to.
- Security Practice: Always grant the least priviledge permission required.
- Complicated process to allow new developers to deploy Cloud Functions
- Due to the number of resources required to deploy Cloud Function, it becomes complex to onboard new resources to perform deployment.
- This can be simplified by setting up pipeline deployment.
- With a dedicated service account used to perform the deployment.
- Due to the number of resources required to deploy Cloud Function, it becomes complex to onboard new resources to perform deployment.
How can I setup the correct permission to deploy Cloud Functions?
To configure the GCP project, the following actions will be required to be taken:
- Enable the required Google API for the GCP project:
- Cloud Deployment Manager V2 API
- Cloud Functions API
- Compute Engine API
- Artifact Registry API
- Cloudbuild API
- Service Account to perform the deployment requires the following permission:
- App Engine Deployer
- Cloud Functions Developer
- Pipeline Deployer (Solvay)
- On the App Engine default service account (Gen1) / Compute Engine default service account (Gen2) permission:
- Grant "Service Account User" to the Service Account performing the deployment.
- Grant "Service Account User" to the Service Account performing the deployment.
- Compute Engine default service account (used by the cloud build)
- Artifact Registry Writer
- Storage Object Viewer
- Logs Writer
If your deployment of cloud functions required changes to the settings, you will not be able to do it. Please contact the GCP CloudOps to delete the existing cloud function first. |