This will create a service account and an IAM role that includes the 2 permissions, set the service account as a member of the role, and assign the service account to the cloud function.
This will do same as above, but create 2 IAM roles and bind them with those specific resources. That is, the storage permissions will only apply to my-storage-bucket and no other bucket, etc.
Existing behavior
Assigning serviceAccountEmail to a specific function will override the service account generated with IAM roles & that manual function identity will determine function capabilities
If iam is excluded from the provider definition and no serviceAccountEmail is specified, then functions will use the GCP project's default service account, which is the default behavior for deploying a 1st gen cloud function
TODO
I will add tests if this approach and the configuration setup looks OK
secures capabilities of cloud functions by creating custom iam roles for their function identity. takes a different approach from #223 by using Google Deployment Manager to create a service account and custom IAM role(s), and assigning those roles to service account. The deployment manager templates are based on these iam examples: https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/dm/templates/iam_custom_role/README.md and https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/dm/templates/iam_member/README.md
Usage
This will create a service account and an IAM role that includes the 2 permissions, set the service account as a member of the role, and assign the service account to the cloud function.
This will do same as above, but create 2 IAM roles and bind them with those specific resources. That is, the
storage
permissions will only apply tomy-storage-bucket
and no other bucket, etc.Existing behavior
serviceAccountEmail
to a specific function will override the service account generated with IAM roles & that manual function identity will determine function capabilitiesiam
is excluded from the provider definition and noserviceAccountEmail
is specified, then functions will use the GCP project's default service account, which is the default behavior for deploying a 1st gen cloud functionTODO
I will add tests if this approach and the configuration setup looks OK