Google now supports IAM policies on HTTP cloud functions, and from November 1st new HTTP functions will be private by default.
Does Serverless have any way of supporting this? E.g. to explicitly give HTTP functions “Cloud Invoker=allUsers”, which is currently the default.
Email from Google for reference:
Hello Google Cloud Functions Customer,
We’re writing to let you know that the Cloud Functions Identity and Access Management (IAM) beta period starts today, and as a result, you are now able to set Cloud IAM policies on your HTTP functions. This allows you to restrict access to specific developers, services, or end-users to improve the security of your functions.
What do I need to know?
Currently, all new and existing HTTP functions can be invoked by any client using the cloudfunctions.net URL associated with your function. This behavior remains unchanged, unless you update IAM policies to restrict access.
After November 1, 2019, newly created functions will be private-by-default, and will only be invocable by authorized clients unless you set a public IAM policy on the function. This ensures functions are not accidentally made public and also means that unauthorized requests will be rejected without incurring costs.
There will be no behavioral changes to existing functions; existing publicly-accessible functions will remain publicly-accessible unless you update the IAM policy on the function.
This change only affects HTTP functions. Background functions remain private and cannot have their access control changed.
How do I start using IAM?
To start restricting access using IAM, set an appropriate IAM policy and provide a bearer token when invoking functions.
To prevent any unexpected changes in behavior when functions become private-by-default, we recommend that you start using the new functionality in your workflows immediately.
How can I create public functions after November 1?
You can ensure that new functions are created publicly after November 1, 2019, by taking one of the following actions:
If you use the gcloud command-line interface to deploy functions, please update to the latest version and start using the --allow-unauthenticated flag. The --allow-unauthenticated flag is a shortcut to set an IAM policy that grants the Cloud Functions Invoker role to the allUsers member type.
If you use the Google Cloud Platform (GCP) console, you can use the “allow unauthenticated access” setting to achieve the same effect.
If you use the Firebase Command Line Interface, functions will continue to be deployed publicly even after the November 1, 2019, change.
If you use the API directly, issue a setIamPolicy request that grants the Cloud Functions Invoker role to the allUsers member type.
Note that the allUsers member type makes the function public in the same way existing functions are public: this allows unauthenticated access, so any user (in or outside of your project or organization) can access the function.
Additional changes required for deployment
In order to set IAM policies on a function (which includes making functions public), you need the cloudfunctions.functions.setIamPolicy permission, which is included in the new Cloud Functions Admin role and Project Owner role. If users or service accounts are currently granted the Cloud Functions Developer role, please migrate them to the Cloud Functions Admin role if they are required to modify the IAM policies on a function (including making a function public).
If your HTTP functions are in a project, folder, or organization subject to the Domain Restricted Sharing organization policy, you will not be able to make a function public until you opt the project out of this policy.
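For anyone who wants to see which of their functions actually carry the public binding the email describes, here is an added example (mine, not from the post or from Google): it reads a function's IAM policy in the JSON shape that `gcloud functions get-iam-policy FUNCTION --format=json` returns and reports whether the Cloud Functions Invoker role is bound to allUsers or allAuthenticatedUsers. The sample policies and the function names are constructed for illustration.

```python
"""Audit Cloud Functions IAM policies for public invocation.

Added example. Input is an IAM policy document as returned by
`gcloud functions get-iam-policy FUNCTION --format=json`; the sample
policies at the bottom are constructed, not copied from any project.
"""
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
# Member types that make an HTTP function reachable without project membership.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def invokers(policy: dict) -> set:
    """Return every member bound to the Cloud Functions Invoker role."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.update(binding.get("members", []))
    return members


def public_invokers(policy: dict) -> set:
    """Return the public member types that can invoke the function.

    An empty set means the function is private: only the listed principals,
    presenting a valid bearer token, are accepted. A policy with no
    bindings at all (the post-November-1 default) is private too.
    """
    return invokers(policy) & PUBLIC_MEMBERS


def audit(name: str, policy_json: str) -> str:
    """One-line verdict for a function, suitable for a scheduled report."""
    policy = json.loads(policy_json)
    public = public_invokers(policy)
    if public:
        return f"{name}: PUBLIC via {', '.join(sorted(public))}"
    return f"{name}: private ({len(invokers(policy))} invoker(s))"


# Constructed sample: the binding that --allow-unauthenticated creates.
PUBLIC_POLICY = json.dumps({
    "bindings": [{"role": INVOKER_ROLE, "members": ["allUsers"]}],
    "etag": "BwWexample=",
})

# Constructed sample: a private function callable by one service account only.
PRIVATE_POLICY = json.dumps({
    "bindings": [{"role": INVOKER_ROLE, "members": [
        "serviceAccount:caller@example-project.iam.gserviceaccount.com"]}],
    "etag": "BwWexample=",
})

if __name__ == "__main__":
    print(audit("hello-http", PUBLIC_POLICY))
    print(audit("internal-webhook", PRIVATE_POLICY))
```

Pipe the output of `gcloud functions get-iam-policy` for each function into `audit` to get an inventory of what is public before the default flips.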