Add support for service account in functions.runWith (#770)

* Add support for service account in `functions.runWith`

* Add email validation and email generation by project id

* Changing to serviceAccount, and adding default as an option

* adds a test case for default

* refactoring to checxk for @ at the end of service account, and throw erros earlier when service account is set to something invalid

* gets rid of repeated @ for generated service account emails

Co-authored-by: joehan <[email protected]>

Author: egor-miasnikov

spec/function-builder.spec.ts

@@ -238,4 +238,52 @@ describe('FunctionBuilder', () => {
       )}`
     );
   });
+
+  it('should allow a serviceAccount to be set as-is', () => {
+    const serviceAccount = '[email protected]';
+    const fn = functions
+      .runWith({
+        serviceAccount,
+      })
+      .auth.user()
+      .onCreate((user) => user);
+
+    expect(fn.__trigger.serviceAccountEmail).to.equal(serviceAccount);
+  });
+
+  it('should allow a serviceAccount to be set with generated service account email', () => {
+    const serviceAccount = 'test-service-account@';
+    const projectId = process.env.GCLOUD_PROJECT;
+    const fn = functions
+      .runWith({
+        serviceAccount,
+      })
+      .auth.user()
+      .onCreate((user) => user);
+
+    expect(fn.__trigger.serviceAccountEmail).to.equal(
+      `test-service-account@${projectId}.iam.gserviceaccount.com`
+    );
+  });
+
+  it('should not set a serviceAccountEmail if service account is set to `default`', () => {
+    const serviceAccount = 'default';
+    const fn = functions
+      .runWith({
+        serviceAccount,
+      })
+      .auth.user()
+      .onCreate((user) => user);
+
+    expect(fn.__trigger.serviceAccountEmail).to.be.undefined;
+  });
+
+  it('should throw an error if serviceAccount is set to an invalid value', () => {
+    const serviceAccount = 'test-service-account';
+    expect(() => {
+      functions.runWith({
+        serviceAccount,
+      });
+    }).to.throw();
+  });
 });

src/cloud-functions.ts

@@ -272,6 +272,7 @@ export interface TriggerAnnotated {
     timeout?: string;
     vpcConnector?: string;
     vpcConnectorEgressSettings?: string;
+    serviceAccountEmail?: string;
   };
 }
 
@@ -525,5 +526,24 @@ export function optionsToTrigger(options: DeploymentOptions) {
     trigger.vpcConnectorEgressSettings = options.vpcConnectorEgressSettings;
   }
 
+  if (options.serviceAccount) {
+    if (options.serviceAccount === 'default') {
+      // Do nothing, since this is equivalent to not setting serviceAccount.
+    } else if (options.serviceAccount.endsWith('@')) {
+      if (!process.env.GCLOUD_PROJECT) {
+        throw new Error(
+          `Unable to determine email for service account '${options.serviceAccount}' because process.env.GCLOUD_PROJECT is not set.`
+        );
+      }
+      trigger.serviceAccountEmail = `${options.serviceAccount}${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`;
+    } else if (options.serviceAccount.includes('@')) {
+      trigger.serviceAccountEmail = options.serviceAccount;
+    } else {
+      throw new Error(
+        `Invalid option for serviceAccount: '${options.serviceAccount}'. Valid options are 'default', a service account email, or '{serviceAccountName}@'`
+      );
+    }
+  }
+
   return trigger;
 }

src/function-builder.ts

@@ -99,6 +99,16 @@ function assertRuntimeOptionsValid(runtimeOptions: RuntimeOptions): boolean {
       }
     }
   }
+
+  if (
+    runtimeOptions.serviceAccount &&
+    runtimeOptions.serviceAccount !== 'default' &&
+    !_.includes(runtimeOptions.serviceAccount, '@')
+  ) {
+    throw new Error(
+      `serviceAccount must be set to 'default', a service account email, or '{serviceAccountName}@'`
+    );
+  }
   return true;
 }
 
@@ -139,9 +149,12 @@ export function region(
  *    0 to 540.
  * 3. `failurePolicy`: failure policy of the function, with boolean `true` being
  *    equivalent to providing an empty retry object.
- * 4. `vpcConnector`: id of a VPC connector in the same project and region
- * 5. `vpcConnectorEgressSettings`: when a `vpcConnector` is set, control which
- *    egress traffic is sent through the `vpcConnector`.
+ * 4. `vpcConnector`: id of a VPC connector in same project and region.
+ * 5. `vpcConnectorEgressSettings`: when a vpcConnector is set, control which
+ *    egress traffic is sent through the vpcConnector.
+ * 6. `serviceAccount`: Specific service account for the function.
+ * 7. `ingressSettings`: ingress settings for the function, which control where a HTTPS
+ *    function can be called from.
  *
  * Value must not be null.
  */

src/function-configuration.ts

@@ -122,6 +122,11 @@ export interface RuntimeOptions {
    */
   vpcConnectorEgressSettings?: typeof VPC_EGRESS_SETTINGS_OPTIONS[number];
 
+  /**
+   * Specific service account for the function to run as
+   */
+  serviceAccount?: 'default' | string;
+
   /**
    * Ingress settings
    */