FAQs

Which Dart runtimes can I select for a new function?

Only the versions returned in GET /api/v1/runtimes under supported.

What happens to older runtimes?

Older runtimes can move into deprecating and then disabled. They are no longer selectable for new drafts, and deployments are blocked once their deploy window closes.

Does the public GCP WIF API accept workloadIdentityAudience?

No. The public API now expects the split-field shape:

  • gcpProjectId

  • serviceAccountEmail

  • workloadIdentityProjectNumber

  • workloadIdentityPool

  • workloadIdentityProvider

The backend still stores normalized audience and provider-resource values internally for runtime use.

Why does GCP verification say WORKLOAD_IDENTITY_BINDING_MISSING?

Because DCF can authenticate against the workload identity provider but still cannot mint a short-lived access token for your target service account.

Grant roles/iam.workloadIdentityUser to the federated principal://…​ member returned by DCF on your customer-owned target service account, then retry verification. Use the exact setup command returned by DCF instead of hardcoding the principal. Apply that binding on the target service account’s own Permissions tab. Do not replace it with roles/iam.serviceAccountUser, and do not grant the role to the target service account itself in project IAM.

Do I need to create the GCP service account and workload identity provider myself?

Yes.

DCF does not provision the customer-owned Google service account, workload identity pool, or workload identity provider in your GCP account. Create those resources first, then save their IDs in DCF.

After the connect step, run the exact roles/iam.workloadIdentityUser binding command returned by DCF, then retry verification.

How do I prove the backend impersonation chain is really working?

Use POST /api/v1/projects/{projectId}/integrations/gcp/wif/diagnostics.

It runs the same backend chain DCF uses at runtime:

  • load the projected Kubernetes service account token

  • exchange it with Google STS

  • call IAMCredentials to mint a short-lived access token

  • verify project access

  • optionally verify bucket access

  • optionally list buckets for deeper debugging

The optional bucket-list step is broader than the normal product path, so keep it for operator debugging only.

Do I need to upload files before deployment?

That is the recommended path. Upload the files first, save the returned storage paths, then send explicit artifact sources in the deployment request.

Why did Azure verification succeed but uploads still fail?

Azure verification proves the connected identity can reach the resource group and complete the WIF flow. Artifact uploads use Azure Blob data-plane access, which is separate.

Grant Storage Blob Data Contributor on the target storage account or container to the connected Azure identity, then re-run the bucket check.

Why does AWS OIDC verification still not make my bucket usable?

Because the current AWS code paths separate role trust from S3 bucket access. OIDC verification proves DCF can assume the IAM role, but S3 artifact operations still depend on bucket credentials and permissions stored in the AWS integration.

After OIDC verification, run the AWS bucket check and save the bucket config before uploading artifacts.

Why does AWS OIDC verification fail with Invalid OIDC token?

The IAM trust policy does not exactly match the DCF runtime token claims. The AWS trust policy must match the runtime issuer, subject, and aud=sts.amazonaws.com exactly.

Fetch the current setup commands from DCF again if you are unsure which issuer or subject values to trust.
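The following added example (not DCF's own code) compares a decoded runtime token against a role's trust policy offline and reports which of issuer, subject, or audience differs. The issuer, subject, account ID, and all function names are constructed for illustration; it handles only exact StringEquals conditions and does not verify the token signature.

```python
import base64
import json

# Constructed sample values; real ones come from the DCF setup commands.
SAMPLE_CLAIMS = {"iss": "https://oidc.example.test/dcf",
                 "sub": "system:serviceaccount:example-ns:example-sa",
                 "aud": ["sts.amazonaws.com"]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated":
                  "arn:aws:iam::123456789012:oidc-provider/oidc.example.test/dcf"},
    "Condition": {"StringEquals": {
        "oidc.example.test/dcf:sub": "system:serviceaccount:example-ns:example-sa",
        "oidc.example.test/dcf:aud": "sts.amazonaws.com"}}}]}

def sample_token(claims):
    """Build an unsigned JWT-shaped string so the example runs offline."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def trust_policy_mismatches(policy, claims):
    """Return where the policy's issuer, sub and aud differ from the token claims."""
    issuer = claims["iss"].split("://", 1)[-1]  # IAM provider names omit the scheme
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    results = []
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in stmt.get("Action", [])):
            continue
        problems = []
        federated = stmt.get("Principal", {}).get("Federated", "")
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        want_sub, want_aud = conds.get(f"{issuer}:sub"), conds.get(f"{issuer}:aud")
        if not federated.endswith(":oidc-provider/" + issuer):
            problems.append(f"issuer: policy trusts {federated!r}, token iss {issuer!r}")
        if want_sub != claims.get("sub"):
            problems.append(f"sub: policy {want_sub!r}, token {claims.get('sub')!r}")
        if want_aud not in auds:
            problems.append(f"aud: policy {want_aud!r}, token {auds!r}")
        results.append(problems)
    # Any one matching statement is enough, so report the closest statement.
    return min(results, key=len) if results else ["no sts:AssumeRoleWithWebIdentity Allow"]
```

An empty list means the three values line up; a missing condition key is reported as a difference because the policy would not pin that claim.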

Does provider verification also create my bucket or container?

No. Identity verification and artifact storage configuration are separate steps.

Azure can help bootstrap runtime resources through its template flow, but the artifact container still needs to exist and be accessible.

AWS and GCP bucket setup also remain customer responsibilities.

Why did my function delete request fail?

Delete is blocked when the function is still live or when its latest deployment lifecycle row is still active. Undeploy first, then retry delete.

How do I monitor deployment progress?

Use:

  • GET /api/v1/projects/{projectId}/deployments/{deploymentId}

  • GET /api/v1/projects/{projectId}/deployments/{deploymentId}/events

What authentication model does the public API use today?

Firebase ID tokens in Authorization: Bearer <idToken>.