CodexBloom - Programming Q&A Platform

Best practices for securing GCP Cloud Functions with IAM and VPC Service Controls

👀 Views: 79 💬 Answers: 1 📅 Created: 2025-10-17
GCP Cloud Functions IAM VPC yaml

I'm deploying to production, I'm migrating some code, and I recently started working with Google Cloud Functions for a serverless architecture that integrates with our existing services. Given the sensitive nature of our data, implementing robust security measures is a top priority. Currently, I'm trying to ensure that only the right users have access to specific Cloud Functions. I've configured IAM roles, assigning minimum necessary permissions based on the principle of least privilege, but I'm unsure if I'm covering all angles. Here's how I've set up the roles:

```yaml
# IAM Policy binding for Cloud Function
{
  "bindings": [
    {
      "role": "roles/cloudfunctions.invoker",
      "members": ["user:example@example.com"]
    }
  ]
}
```

In addition to IAM, I read about using VPC Service Controls to create a security perimeter around my Cloud Functions to prevent data exfiltration. However, the documentation seems a bit convoluted. I'm particularly interested in how to set up a service perimeter effectively and ensure that my Cloud Functions can still communicate with other GCP services like Cloud Pub/Sub and Firestore without breaking any functionality. I attempted to create a service perimeter with the following configuration:

```json
{
  "name": "access-levels/cloud-functions-perimeter",
  "spec": {
    "resources": ["projects/my-project-id"],
    "restrictedServices": ["storage.googleapis.com", "pubsub.googleapis.com"]
  }
}
```

This seems to limit access, but I'm not completely clear if I've set it up correctly or if there are better strategies for securing Cloud Functions. Any insights on these configurations or additional steps that can help fortify my security measures would be greatly appreciated. Thanks in advance! I'm using Yaml 3.10 in this project. I'd love to hear your thoughts on this.
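The following is an added example, not code from the question or from Google. It is a small offline pre-deployment check over the two configurations in the question: it flags public or overly broad Cloud Functions IAM bindings, and it checks a VPC Service Controls perimeter document against the Access Context Manager conventions that most often bite first-time users (the resource name format `accessPolicies/<POLICY_NUMBER>/servicePerimeters/<NAME>`, project numbers rather than project IDs under `resources`, and `status` versus `spec` for an enforced versus dry-run perimeter). The sample policy, the "hardened" perimeter, the policy number `123456789` and the project number `123456789012` are all constructed placeholders; the `services_used` list is an assumption about what the function calls.

```python
import re

# Constructed sample inputs modelled on the question (placeholder values, not real projects).
IAM_POLICY = {
    "bindings": [
        {"role": "roles/cloudfunctions.invoker", "members": ["user:example@example.com"]},
        # Constructed bad binding: this would make the function invocable by anyone.
        {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]},
    ]
}

# Perimeter as posted in the question.
PERIMETER_AS_POSTED = {
    "name": "access-levels/cloud-functions-perimeter",
    "spec": {
        "resources": ["projects/my-project-id"],
        "restrictedServices": ["storage.googleapis.com", "pubsub.googleapis.com"],
    },
}

# Constructed hardened variant: enforced config under "status", project number, every
# service the function touches listed as restricted (placeholder numbers).
PERIMETER_HARDENED = {
    "name": "accessPolicies/123456789/servicePerimeters/cloud_functions_perimeter",
    "status": {
        "resources": ["projects/123456789012"],
        "restrictedServices": [
            "cloudfunctions.googleapis.com",
            "storage.googleapis.com",
            "pubsub.googleapis.com",
            "firestore.googleapis.com",
        ],
    },
}

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudfunctions.admin"}
# Access Context Manager perimeter names: policy number, then a short name that starts
# with a letter and contains only letters, digits and underscores.
PERIMETER_NAME = re.compile(r"^accessPolicies/\d+/servicePerimeters/[A-Za-z][A-Za-z0-9_]*$")
# VPC SC perimeters reference projects by number, not by project ID.
PROJECT_NUMBER = re.compile(r"^projects/\d+$")


def check_iam_policy(policy):
    """Return findings for bindings that expose a function beyond least privilege."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        public = PUBLIC_MEMBERS.intersection(binding.get("members", []))
        if public:
            findings.append(f"{role} granted to {sorted(public)}: function is publicly invocable")
        if role in BROAD_ROLES:
            findings.append(f"{role} is broader than roles/cloudfunctions.invoker")
    return findings


def check_perimeter(perimeter, services_used):
    """Return findings for a perimeter document; services_used lists APIs the function calls."""
    findings = []
    if not PERIMETER_NAME.match(perimeter.get("name", "")):
        findings.append("name must be accessPolicies/<POLICY_NUMBER>/servicePerimeters/<NAME>")
    # "status" is the enforced configuration; "spec" is only applied as a dry run unless
    # useExplicitDryRunSpec is set, so a spec-only document enforces nothing.
    if "status" not in perimeter and not perimeter.get("useExplicitDryRunSpec"):
        findings.append("config is under 'spec' only: put the enforced config under 'status'")
    cfg = perimeter.get("status") or perimeter.get("spec") or {}
    for resource in cfg.get("resources", []):
        if not PROJECT_NUMBER.match(resource):
            findings.append(f"resource {resource!r} must use the project number, not the project ID")
    restricted = set(cfg.get("restrictedServices", []))
    for service in services_used:
        if service not in restricted:
            findings.append(f"{service} is used by the function but not restricted by the perimeter")
    return findings


if __name__ == "__main__":
    used = ["pubsub.googleapis.com", "firestore.googleapis.com"]
    for name, doc in [("posted", PERIMETER_AS_POSTED), ("hardened", PERIMETER_HARDENED)]:
        print(f"{name}: {check_perimeter(doc, used) or ['ok']}")
    print(f"iam: {check_iam_policy(IAM_POLICY) or ['ok']}")
```

On the question of Pub/Sub and Firestore still working: restricting a service in the perimeter does not block calls from resources inside the same perimeter, so a function in the perimeter's project can still publish to Pub/Sub and read Firestore. What the restriction blocks is access to those APIs on the perimeter's projects from outside it, which is the exfiltration path the perimeter exists to close. That is why the hardened variant above lists every service the function touches, including `cloudfunctions.googleapis.com` itself, rather than only Storage and Pub/Sub.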