Auth for GCP Function


Is it possible to setup RBAC to restrict access from a Google Cloud Function?

I give an identity to the Cloud Function, and I try to restrict that Service Account in the ServiceRoleBinding using

  - user: "serviceaccountemail"

Where “serviceaccountemail” is the SA email we set as identity for the CF.
With no luck. Is this doable? How should I achieve this?

I inspected incoming traffic from a GC Function, but cannot find any HTTP header I could use for this. So maybe there is a proper way to bind the GCP Service Account with istio auth.