What this usually means
These failures typically indicate a mismatch between the region of the Cloud Function and the region of a depended-on resource (like a Pub/Sub topic or bucket), or insufficient IAM permissions for the Cloud Build service account to deploy. The Cloud Build service account must have roles/cloudfunctions.developer and roles/iam.serviceAccountUser on the function's runtime service account. Also, if you've previously deployed a function with the same name in another region, GCP enforces region consistency for the function name.
The first ten minutes — establish facts before touching code.
- 1Run `gcloud functions list --filter="name=YOUR_FUNCTION_NAME" --format="value(region)"` to see if the function already exists in a different region.
- 2Check the Cloud Build service account email with `gcloud projects get-iam-policy YOUR_PROJECT_ID --filter="bindings.role:roles/cloudbuild.builds.builder" --format="json"` and verify it has roles/cloudfunctions.developer and roles/iam.serviceAccountUser.
- 3Inspect the function's trigger resource (e.g., Pub/Sub topic, bucket) and confirm it's in the same region as the function you're deploying.
- 4Run `gcloud functions deploy --no-gen2` if you're accidentally using gen2 defaults that may conflict.
- 5Examine Cloud Build logs in the GCP console under Cloud Build > History for the failed build to find specific error messages.
The specific files, logs, configs, and dashboards that usually own this bug.
- searchCloud Build logs: gcloud beta builds list --filter="status=FAILURE" --format="value(id)" then gcloud beta builds log BUILD_ID
- searchIAM page in GCP console: Check the Cloud Build service account (usually PROJECT_NUMBER@cloudbuild.gserviceaccount.com)
- searchgcloud functions describe YOUR_FUNCTION_NAME --region YOUR_REGION --format="json" to see current configuration
- searchThe function's source code directory: verify that the region in the .gcloudignore or cloudbuild.yaml is not overriding
- searchPub/Sub topic or bucket region: gcloud pubsub topics describe TOPIC_NAME --format="value(kmsKeyName)" (KMS key implies CMEK, but region is implicit)
Practical causes, not theory. These are the things you will actually find.
- warningFunction previously deployed in region A, now trying to deploy to region B with the same name
- warningCloud Build service account missing roles/cloudfunctions.developer or roles/iam.serviceAccountUser
- warningTrigger resource (e.g., Pub/Sub topic, bucket) exists in a different region than the function
- warningUsing a VPC connector that is in a different region than the function
- warningMissing 'cloudfunctions.googleapis.com' API enablement or stale service agent
- warningEnvironment variable changes that cause a new function to be created instead of updated, triggering region conflict
Concrete fix directions. Pick the one that matches your root cause.
- buildIf region mismatch: either delete the existing function (`gcloud functions delete FUNCTION_NAME --region OLD_REGION`) or deploy with `--region OLD_REGION`
- buildGrant Cloud Build service account required IAM roles: `gcloud projects add-iam-policy-binding PROJECT_ID --member='serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com' --role='roles/cloudfunctions.developer'` and `--role='roles/iam.serviceAccountUser'`
- buildEnsure trigger resource is in the same region: if not, create a new resource in the correct region or change function region
- buildEnable APIs and re-create service agent: `gcloud services enable cloudfunctions.googleapis.com cloudbuild.googleapis.com` then `gcloud beta services identity create --service=cloudfunctions.googleapis.com`
A fix you cannot prove is a guess. Close the loop.
- verifiedRun `gcloud functions deploy FUNCTION_NAME --region REGION --entry-point ENTRY_POINT --runtime python310 --trigger-topic TOPIC_NAME` and check for success message
- verifiedVerify function is ACTIVE with `gcloud functions describe FUNCTION_NAME --region REGION --format='value(status)'`
- verifiedTest the function by invoking it (e.g., `gcloud functions call FUNCTION_NAME --region REGION --data '{}'`)
- verifiedCheck Cloud Build logs for the successful build: `gcloud builds list --filter="images:FUNCTION_NAME" --limit=1 --format="value(status)"`
Things that make this bug worse or harder to find.
- warningDon't delete the function if it's serving production traffic; instead, deploy to the same region as the existing function
- warningDon't grant overly broad IAM roles like roles/owner to the Cloud Build service account; use least privilege
- warningDon't assume the function will auto-detect the region from the trigger; explicitly set --region
- warningDon't ignore Cloud Build logs; they contain the actual error message
- warningDon't use --allow-unauthenticated without testing authentication first; it can cause deployment timeouts
- warningDon't forget to update the region in your CI/CD pipeline if you change the function region
The Region That Ghosted My Function
Timeline
- 14:00Deployed function 'process-orders' to us-central1 with Pub/Sub topic 'orders'.
- 14:05Deployment succeeded, function active.
- 14:30Team decides to move function to europe-west1 for data residency.
- 14:35Run gcloud functions deploy with --region=europe-west1, same function name.
- 14:36Error: 'The provided region does not match the region of the existing resource'.
- 14:38Check existing function: it's still in us-central1. I rename function to 'process-orders-v2'.
- 14:40Deployment proceeds but hangs at 'Deploying function' for 5 minutes.
- 14:45Error: 'Cloud Build service account does not have permission to access the function service account'.
- 14:50Checked IAM: missing roles/iam.serviceAccountUser on the runtime service account.
- 15:00Granted the role and redeployed. Success in 2 minutes.
I was migrating a Cloud Function to a new region for data residency. I thought I could just change the --region flag and redeploy with the same name. That was my first mistake — GCP enforces that function names are unique per project across all regions. So when I tried to deploy 'process-orders' in europe-west1, it clashed with the existing one in us-central1. I renamed it to 'process-orders-v2' to get past that error.
But then the deployment hung for five minutes. I checked Cloud Build logs and saw the actual error: 'The Cloud Build service account does not have iam.serviceAccountUser on the runtime service account.' I'd never seen that before. The runtime service account is the one the function runs as, and Cloud Build needs to impersonate it to deploy. I had granted roles/cloudfunctions.developer to the Cloud Build SA, but missed roles/iam.serviceAccountUser.
After granting that role, the deployment completed in under two minutes. But I also had to ensure the Pub/Sub topic 'orders' existed in europe-west1 — it was only in us-central1. I created a new topic in europe-west1 and updated the function trigger. The lesson: region consistency across all resources (function name, trigger, runtime SA) is critical, and Cloud Build permissions are often the silent killer.
Root cause
Function name conflict across regions and missing iam.serviceAccountUser role for Cloud Build service account.
The fix
Deleted the old function (after migration), granted roles/iam.serviceAccountUser to Cloud Build SA, and created trigger resource in the target region.
The lesson
Always check if a function name exists in any region before deploying, and ensure Cloud Build SA has both roles/cloudfunctions.developer and roles/iam.serviceAccountUser on the runtime SA.
Cloud Functions enforce a unique function name per project across all regions. If you deploy a function named 'my-func' in us-central1, you cannot deploy another 'my-func' in europe-west1 unless you delete the first one. This is because the function's fully qualified resource name (projects/{project}/locations/{region}/functions/{function}) must be globally unique. The error message "The provided region does not match the region of the existing resource" is misleading — it doesn't tell you that the existing resource is in a different region.
To avoid this, either delete the old function (if safe) or use a different function name for the new region. If you must keep both, consider using a suffix like '-us' and '-eu'. Also, trigger resources (like Pub/Sub topics, buckets) must be in the same region as the function. If you move a function to a new region, you need to create new trigger resources or use cross-region triggers (which incur latency and cost).
When you deploy a Cloud Function using gcloud or Cloud Build, the Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) performs the deployment. It needs two key IAM roles on the project: roles/cloudfunctions.developer (to create/update functions) and roles/iam.serviceAccountUser on the function's runtime service account (to impersonate it during deployment). The runtime service account is either the default compute engine SA or a custom one you specify with --service-account.
Missing roles/iam.serviceAccountUser is a common cause of deployment hangs. The error appears in Cloud Build logs as: "The Cloud Build service account does not have permission to access the function service account." To fix, run: `gcloud projects add-iam-policy-binding PROJECT_ID --member='serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com' --role='roles/iam.serviceAccountUser' --condition=None`. You may also need to grant it on the specific runtime SA if it's a custom one: `gcloud iam service-accounts add-iam-policy-binding RUNTIME_SA_EMAIL --member='serviceAccount:CLOUD_BUILD_SA_EMAIL' --role='roles/iam.serviceAccountUser'`.
A deployment that hangs for more than a few minutes usually indicates a permission issue or a build error that isn't surfaced properly. The first step is to look at Cloud Build logs. Run `gcloud builds list --filter="images:FUNCTION_NAME" --limit=1 --format="value(id)"` to get the build ID, then `gcloud builds log BUILD_ID`. Look for lines with 'ERROR' or 'FAILED'. If you see HTTP 400, it often means a validation error in the function configuration (e.g., invalid YAML, wrong runtime, or missing entry point).
Another cause of HTTP 400 is using gen2 Cloud Functions (Cloud Run under the hood) with a gen1 trigger. If you specify --trigger-topic with gen2, you might get a 400 error because gen2 doesn't support Pub/Sub topics directly. Use --no-gen2 to force gen1, or use --trigger-event-filters for gen2. Also, check that the function's memory and timeout are within limits (e.g., max 9 minutes for gen1, 60 minutes for gen2).
If your Cloud Function uses a VPC connector, the connector must be in the same region as the function. Otherwise, deployment fails with an error like 'The VPC connector is in a different region'. This is a common mistake when moving functions between regions. You must either create a new VPC connector in the target region or use a serverless VPC access connector that supports cross-region (but that's more complex).
To check the connector's region: `gcloud compute networks vpc-access connectors describe CONNECTOR_NAME --region REGION --format='value(region)'`. If it's different, you'll need to create a new connector in the correct region and update the function's --vpc-connector flag. Note that deleting a VPC connector can take up to 10 minutes, so plan accordingly.
In CI/CD pipelines, it's easy to accidentally override the region with a default value. For example, if your cloudbuild.yaml has `--region=us-central1` hardcoded, but your trigger is set to deploy to europe-west1, the deployment will fail with a region mismatch. Always parameterize the region using substitution variables like `$_REGION` and pass the correct value from the trigger.
Another pitfall is environment variables that differ between deployments. If you change an environment variable that is not allowed to be updated (like the runtime or entry point), the deployment may try to create a new function instead of updating, leading to a region conflict. To avoid this, use `gcloud functions deploy --update-env-vars` for safe updates, and never change the function's runtime after initial deployment — you must delete and recreate.
Frequently asked questions
Why does my Cloud Function deployment fail with 'The provided region does not match the region of the existing resource' even though I never deployed before?
This error can occur if you have previously deployed a function with the same name in a different region, even if you deleted it. GCP retains the function name for a period (usually 7 days) after deletion. To resolve, either wait for the name to be released, or use a different function name. You can check existing functions with `gcloud functions list --filter="name=YOUR_FUNCTION_NAME"`.
How do I find the Cloud Build service account email for my project?
Run `gcloud projects describe PROJECT_ID --format='value(projectNumber)'` to get the project number, then the service account is `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`. Alternatively, check the Cloud Build settings page in the GCP console under 'Service account'.
Can I deploy a Cloud Function to a region that doesn't have the trigger resource?
No, the trigger resource (e.g., Pub/Sub topic, Cloud Storage bucket) must be in the same region as the function. If you need to use a cross-region trigger, consider using HTTP triggers or Cloud Tasks. For Pub/Sub, you can use a cross-region subscription, but the topic must be in the same region as the function.
What is the difference between gen1 and gen2 Cloud Functions, and how does it affect deployment?
Gen1 uses Cloud Functions infrastructure, while gen2 runs on Cloud Run. Gen2 supports longer timeouts (up to 60 min), larger memory, and concurrency. Deployment errors can occur if you mix gen2 with gen1-only triggers (e.g., Pub/Sub via --trigger-topic). Use --no-gen2 to force gen1, or use --trigger-event-filters for gen2. Also, gen2 requires the Cloud Run API to be enabled.
My deployment succeeds but the function stays in 'DEPLOYING' state. What's wrong?
This usually indicates a permissions issue with the runtime service account. Check Cloud Build logs for errors like 'Permission denied' or 'The Cloud Build service account does not have permission to access the function service account'. Grant roles/iam.serviceAccountUser to the Cloud Build SA on the runtime SA. Also, ensure the function's service account has necessary permissions to access other GCP services (e.g., Pub/Sub, Firestore).