13

I'm trying to create a scheduled Cloud Function exporting my Firestore database to create backups. The code is running fine when serving on my local machine (which uses my personal user account with owner role) but fails once deployed. I already found out that I need to add the 'Storage Admin' and 'Datastore Import Export Admin' to the service account used when running the cloud function, but I can't figure out which service account is used for the functions.

Does anyone know which service account is used?

crysxd

3 Answers

29

Firebase Cloud Functions use the {project-id}@appspot.gserviceaccount.com service account (App Engine default service account). Roles and permissions added to this service account carry over to the Cloud Functions runtime.

Good to know: When using Google Cloud Functions, the service account being used while running the function can be defined when deploying the function.

crysxd
2

You can specify a custom service account with the runWith() method if you prefer not to use the default one nowadays. It accepts a number of RuntimeOptions that can be defined.

0

Here is a link to the documentation about cloud function's identity: https://cloud.google.com/functions/docs/securing/function-identity

Cloud Functions (1st gen) uses the App Engine default service account, PROJECT_ID@appspot.gserviceaccount.com.

Cloud Functions (2nd gen) uses the default compute service account, PROJECT_NUMBER-compute@developer.gserviceaccount.com.

Note that the project number is distinct from the project ID and project name. You can find your project number on the Google Cloud console Dashboard page.

jket
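
The identity rules from the answers above, combined with a check that the resulting account directly holds the two roles named in the question. This is an added example, not code from any answer or from Google or Firebase. Assumptions: the function names are hypothetical, the role IDs are the IAM identifiers for 'Storage Admin' and 'Datastore Import Export Admin', and the project ID, project number and policy are constructed sample values.

```javascript
// IAM role IDs for the two roles named in the question (assumed mapping).
const REQUIRED_ROLES = ["roles/storage.admin", "roles/datastore.importExportAdmin"];
// Primitive roles worth flagging on a runtime identity (least privilege).
const BROAD_ROLES = ["roles/owner", "roles/editor"];

// Default runtime identity per generation, as stated in the answers above.
// `custom` models an account set explicitly at deploy time (e.g. via runWith()).
function runtimeServiceAccount({ generation, projectId, projectNumber, custom }) {
  if (custom) return custom;
  if (generation === 1) {
    if (!projectId) throw new Error("1st gen needs the project ID");
    return `${projectId}@appspot.gserviceaccount.com`;
  }
  if (generation === 2) {
    if (!/^\d+$/.test(String(projectNumber))) {
      throw new Error("2nd gen needs the numeric project number, not the project ID");
    }
    return `${projectNumber}-compute@developer.gserviceaccount.com`;
  }
  throw new Error(`unknown generation: ${generation}`);
}

// policy: parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
// Only direct bindings are checked; conditions and group membership are ignored.
function auditRoles(policy, email, required = REQUIRED_ROLES) {
  const member = `serviceAccount:${email}`;
  const held = (policy.bindings || [])
    .filter((b) => (b.members || []).includes(member))
    .map((b) => b.role);
  return {
    member,
    missing: required.filter((r) => !held.includes(r)),
    broad: held.filter((r) => BROAD_ROLES.includes(r)),
  };
}

// Constructed sample: the developer's user account holds the export role,
// the runtime service account does not (works locally, fails once deployed).
const SA = "serviceAccount:demo-backup@appspot.gserviceaccount.com";
const samplePolicy = {
  bindings: [
    { role: "roles/editor", members: [SA] },
    { role: "roles/storage.admin", members: [SA, "user:dev@example.com"] },
    { role: "roles/datastore.importExportAdmin", members: ["user:dev@example.com"] },
  ],
};

const gen1 = runtimeServiceAccount({ generation: 1, projectId: "demo-backup" });
console.log(auditRoles(samplePolicy, gen1));
```
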