Method: projects.locations.functions.generateUploadUrl

Returns a signed URL for uploading a function source code. For more information about the signed URL usage see: Once the function source code upload is complete, the used signed URL should be provided in functions.create or functions.patch request as a reference to the function source code.

When uploading source code to the generated signed URL, please follow these restrictions:

  • Source file type should be a zip file.
  • No credentials should be attached - the signed URLs provide access to the target bucket using internal service identity; if credentials were attached, the identity from the credentials would be used, but that identity does not have permissions to upload files to the URL.

When making a HTTP PUT request, specify this header:

  • content-type: application/zip

Do not specify this header:

  • Authorization: Bearer YOUR_TOKEN

HTTP request


Path parameters



Required. The project and location in which the Google Cloud Storage signed URL should be generated, specified in the format projects/*/locations/*. It takes the form projects/{project}/locations/{location}.

Authorization requires the following IAM permission on the specified resource parent:

  • cloudfunctions.functions.sourceCodeSet

Request body

The request body contains data with the following structure:

JSON representation
  "kmsKeyName": string,
  "environment": enum (Environment)


[Preview] Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function source code objects in intermediate Cloud Storage buckets. When you generate an upload url and upload your source code, it gets copied to an intermediate Cloud Storage bucket. The source code is then copied to a versioned directory in the sources bucket in the consumer project during the function deployment.

It must match the pattern projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}.

The Google Cloud Functions service account (service-{project_number} must be granted the role 'Cloud KMS CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)' on the Key/KeyRing/Project/Organization (least access preferred).


enum (Environment)

The function environment the generated upload url will be used for. The upload url for 2nd Gen functions can also be used for 1st gen functions, but not vice versa. If not specified, 2nd generation-style upload URLs are generated.

Response body

Response of GenerateSourceUploadUrl method.

If successful, the response body contains data with the following structure:

JSON representation
  "uploadUrl": string,
  "storageSource": {
    object (StorageSource)


The generated Google Cloud Storage signed URL that should be used for a function source code upload. The uploaded file should be a zip archive which contains a function.


object (StorageSource)

The location of the source code in the upload bucket.

Once the archive is uploaded using the uploadUrl use this field to set the function.build_config.source.storage_source during functions.create and functions.patch.

Generation defaults to 0, as Cloud Storage provides a new generation only upon uploading a new object or version of an object.

Authorization scopes

Requires the following OAuth scope:


For more information, see the Authentication Overview.