- Functions with Inactive Service Accounts
Ensure that your Google Cloud functions reference existing, active service accounts in order to prevent execution failures and operational disruptions.
A service account is essential for a Google Cloud function to execute successfully. It provides the necessary permissions and credentials for the function to access other resources and perform its tasks within the GCP cloud environment. If the service account is disabled or deleted, the function will fail to run, leading to service interruptions and potential data loss.
Audit
To determine if the service account associated with your Google Cloud function exists and is active, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to Functions console available at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.
04 Click on the name (link) of the function that you want to examine, listed in the Name column.
05 Select the DETAILS tab and copy the service account email available for the Service account attribute, listed under General Information.
06 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.
07 In the left navigation panel, choose Service accounts to list the service accounts created for the selected GCP project.
08 Click inside the Filter box, choose Email, paste the service account email copied at step no. 5, and press Enter. If no results are returned and the console shows the message No rows to display, the service account associated with the selected Google Cloud function is no longer available (i.e. deleted), causing the function to fail during execution. If the console returns a service account for the specified email but the resource Status is set to Disabled, the service account associated with the selected function is disabled, causing a runtime error.
09 Repeat steps no. 4 - 8 for each Google Cloud function created for the selected GCP project.
10 Repeat steps no. 2 - 9 for each project deployed within your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:
gcloud projects list --format="value(projectId)"
02 The command output should return the requested GCP project ID(s):
cc-bigdata-project-123123
cc-iot-app-project-112233
03 Run functions list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each Google Cloud function deployed within the selected project:
gcloud functions list --project cc-bigdata-project-123123 --format="(NAME,REGION)"
04 The command output should return the requested function names and the associated regions:
NAME: cc-project5-function
REGION: us-central1

NAME: tm-stream-function
REGION: us-central1

NAME: tm-vertex-function
REGION: us-central1
05 Run functions describe command (Windows/macOS/Linux) with the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the email of the service account associated with the selected function:
gcloud functions describe cc-project5-function --region=us-central1 --format="value(serviceConfig.serviceAccountEmail)"
06 The command output should return the email of the function's service account:
tm-function-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com
07 Run service-accounts describe command (Windows/macOS/Linux) with the email of the service account returned at the previous step as the identifier parameter, to describe the configuration information available for the specified service account:
gcloud iam service-accounts describe tm-function-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com --format="json"
08 The command output should return the requested configuration information:
{
  "disabled": true,
  "displayName": "Google Cloud function service account",
  "email": "tm-function-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com",
  "etag": "ABCD1234ABCD",
  "name": "projects/cc-bigdata-project-123123/serviceAccounts/tm-function-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com",
  "projectId": "cc-bigdata-project-123123"
}
If the service-accounts describe command returns an error message such as: ERROR: (gcloud.iam.service-accounts.describe) PERMISSION_DENIED: Permission 'iam.serviceAccounts.get' denied on resource (or it may not exist), the service account associated with the selected Google Cloud function is no longer available (i.e. deleted), causing the function to fail during execution. If the command returns the service account information, as shown in the example above, check the value of the "disabled" attribute to determine the service account's current status. If "disabled" is set to true, the service account associated with the selected function is disabled, causing a runtime error.
09 Repeat steps no. 5 - 8 for each Google Cloud function created for the selected GCP project.
10 Repeat steps no. 3 - 9 for each GCP project deployed in your Google Cloud account.
Remediation / Resolution
To create and configure service accounts for your Google Cloud functions, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam and choose Service accounts.
04 If the service account associated with your Google Cloud function is disabled, click on the 3-dot button available in the Actions column, choose Enable and select ENABLE from the confirmation box to activate your function's service account. Enabling this service account will reactivate its existing keys.
05 If the service account associated with your Google Cloud function is no longer available, choose CREATE SERVICE ACCOUNT, and perform the following actions to create a new service account:
- For Service account details, provide a unique name and short description for the new service account. Choose CREATE AND CONTINUE to continue the setup process.
- For Grant this service account access to project, grant the appropriate access by selecting an IAM role from the Select a role dropdown list. (Optional) To add conditions, choose ADD IAM CONDITION to define your IAM conditions. Choose CONTINUE to continue the setup.
- (Optional) For Grant users access to this service account, grant access to users and/or groups that need to perform actions as this service account.
- Choose DONE to deploy your new service account.
06 Navigate to Functions console available at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.
07 Click on the name (link) of the function that you want to configure, listed in the Name column.
08 Choose EDIT, expand the Runtime, build, connections and security settings configuration panel, select the RUNTIME tab, and choose your new service account from the Runtime service account dropdown list. Choose NEXT and DEPLOY to apply the changes and deploy a new revision for the selected function.
09 Repeat steps no. 3 - 8 for each Google Cloud function that you want to configure, available within the selected project.
10 Repeat steps no. 2 - 9 for each project deployed in your Google Cloud account.
Using GCP CLI
01 If the service account associated with your Google Cloud function is disabled, run iam service-accounts enable command (Windows/macOS/Linux) to enable your function's service account:
gcloud iam service-accounts enable tm-function-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com
02 The command output should return the email of the reactivated service account:
Enabled service account [tm-function-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com].
03 If the service account associated with your Google Cloud function is no longer available (i.e. deleted), run iam service-accounts create command (Windows/macOS/Linux) to create a new GCP service account for your Google Cloud function:
gcloud iam service-accounts create tm-function-service-account --display-name="Google Cloud Function Service Account" --project cc-bigdata-project-123123 --format="table(email)"
04 The command output should return the email of the new service account:
Created service account [tm-function-service-account].
EMAIL: tm-function-service-account1@cc-bigdata-project-123123.iam.gserviceaccount.com
05 Run add-iam-policy-binding command (Windows/macOS/Linux) to grant the appropriate IAM role to the newly created service account in order to allow that service account access to relevant resources. The following example assigns the Cloud Functions Invoker role (roles/cloudfunctions.invoker) to the new service account:
gcloud projects add-iam-policy-binding cc-bigdata-project-123123 --member serviceAccount:tm-function-service-account1@cc-bigdata-project-123123.iam.gserviceaccount.com --role roles/cloudfunctions.invoker
06 The command output should return the updated project IAM policy:
Updated IAM policy for project [cc-bigdata-project-123123].
bindings:
- members:
  - serviceAccount:tm-function-service-account1@cc-bigdata-project-123123.iam.gserviceaccount.com
  role: roles/cloudfunctions.invoker
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:devops@trendmicro.com
  role: roles/monitoring.admin
- members:
  - user:manager@cloudconformity.com
  role: roles/owner
etag: ABCDABCDABCD
version: 1
07 Run functions deploy command (Windows/macOS/Linux) with the name of the Google Cloud function that you want to configure as the identifier parameter, to replace the missing service account associated with the selected function with your newly created service account:
gcloud functions deploy cc-project5-function --source=gs://gcf-v2-sources-123456789012-us-central1/cc-project5-function/function-source.zip --region=us-central1 --runtime=nodejs20 --trigger-http --service-account=tm-function-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com
08 The command output should return the build information available for the redeployed function:
buildConfig:
  automaticUpdatePolicy: {}
  build: projects/123456789012/locations/us-central1/builds/abcd1234-abcd-1234-abcd-1234abcd1234abcd
  dockerRegistry: ARTIFACT_REGISTRY
  dockerRepository: projects/cc-bigdata-project-123123/locations/us-central1/repositories/gcf-artifacts
  entryPoint: run-app
  runtime: nodejs20
  source:
    storageSource:
      bucket: gcf-v2-sources-123456789012-us-central1
      generation: '1730285369954566'
      object: cc-project5-function/function-source.zip
  sourceProvenance:
    resolvedStorageSource:
      bucket: gcf-v2-sources-123456789012-us-central1
      generation: '1730285369954566'
      object: cc-project5-function/function-source.zip
createTime: '2024-10-28T09:49:12.051881848Z'
environment: GEN_2
labels:
  deployment-tool: console-cloud
name: projects/cc-bigdata-project-123123/locations/us-central1/functions/cc-project5-function
serviceConfig:
  allTrafficOnLatestRevision: true
  availableCpu: 167m
  availableMemory: 256Mi
  environmentVariables:
    LOG_EXECUTION_ID: 'true'
  ingressSettings: ALLOW_ALL
  minInstanceCount: 3
  maxInstanceCount: 10
  maxInstanceRequestConcurrency: 1
  revision: cc-project5-function-00003-abc
  service: projects/cc-bigdata-project-123123/locations/us-central1/services/cc-project5-function
  serviceAccountEmail: 123456789012-compute@developer.gserviceaccount.com
  timeoutSeconds: 60
  uri: https://cc-project5-function-abcd1234abcd-uc.a.run.app
state: ACTIVE
updateTime: '2024-10-28T10:50:15.176254527Z'
url: https://us-central1-cc-bigdata-project-123123.cloudfunctions.net/cc-project5-function
09 Repeat steps no. 1 - 8 for each Google Cloud function that you want to configure, available in the selected project.
10 Repeat steps no. 1 - 9 for each GCP project deployed in your Google Cloud account.
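As an added example that is not part of this knowledge-base page or of Cloud Conformity's tooling, the following POSIX shell script automates the Audit CLI procedure (steps 3 - 8) across every project and the enable-or-recreate branch of the Remediation CLI procedure. It assumes an authenticated gcloud, 2nd-gen functions (the serviceConfig.serviceAccountEmail field used above), and that the GCLOUD variable may be pointed at a stand-in command for offline testing; the script name sa-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not Cloud Conformity tooling): scripts audit steps 3-8 for every
# project and the enable-or-recreate branch of the remediation. GCLOUD may point
# at a stand-in command for offline tests.
GCLOUD="${GCLOUD:-gcloud}"
# region_of projects/P/locations/R/functions/F -> R
region_of() { r="${1#*/locations/}"; printf '%s\n' "${r%%/*}"; }

# classify_sa EMAIL -> active | disabled | missing. A deleted account makes
# `describe` fail (PERMISSION_DENIED / may not exist), as do bad credentials,
# so verify gcloud auth first; `value(disabled)` prints True only when disabled.
classify_sa() {
  if ! out="$("$GCLOUD" iam service-accounts describe "$1" \
              --format='value(disabled)' 2>/dev/null)"; then
    echo missing; return 0
  fi
  case "$out" in True) echo disabled ;; *) echo active ;; esac
}

# audit_project PROJECT_ID -> tab-separated: project region function email status
audit_project() {
  "$GCLOUD" functions list --project "$1" --format='value(name)' |
  while read -r path; do
    fn="${path##*/}"; region="$(region_of "$path")"
    # serviceConfig.serviceAccountEmail is the 2nd-gen field the audit uses
    email="$("$GCLOUD" functions describe "$fn" --project "$1" --region "$region" \
              --format='value(serviceConfig.serviceAccountEmail)')"
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$region" "$fn" "$email" "$(classify_sa "$email")"
  done
}

# remediate_sa EMAIL PROJECT_ID -> enabled | recreated | unchanged
# Recreates a deleted account under its old account id (assumes EMAIL belongs to
# PROJECT_ID) and grants the page's example role; redeploy the function afterwards.
remediate_sa() {
  case "$(classify_sa "$1")" in
    disabled) "$GCLOUD" iam service-accounts enable "$1" >/dev/null; echo enabled ;;
    missing)
      "$GCLOUD" iam service-accounts create "${1%%@*}" --project "$2" >/dev/null
      "$GCLOUD" projects add-iam-policy-binding "$2" --member "serviceAccount:$1" \
        --role roles/cloudfunctions.invoker >/dev/null
      echo recreated ;;
    *) echo unchanged ;;
  esac
}

case "${1:-}" in   # ./sa-check.sh audit | ./sa-check.sh remediate EMAIL PROJECT_ID
  audit)     for p in $("$GCLOUD" projects list --format='value(projectId)'); do audit_project "$p"; done ;;
  remediate) remediate_sa "$2" "$3" ;;
esac
```

Run the audit first and treat every "missing" or "disabled" row as a function that will fail at its next invocation; after remediate_sa recreates an account, the function still has to be redeployed with --service-account as in step 7.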
References
- Google Cloud Platform (GCP) Documentation
- Secure your Cloud Run function
- Function Identity
- Types of service accounts
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud functions list
- gcloud functions describe
- gcloud iam service-accounts describe
- gcloud iam service-accounts create
- gcloud projects add-iam-policy-binding
- gcloud functions deploy