-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cloud function error: PERMISSION_DENIED: Missing or insufficient permissions #1425
Comments
I am experiencing a very similar issue with a v1 function that uses an onCreate Firebase Auth trigger and tries to access Firestore. As a weird thing, it looks like despite it being a v1 function and what the docs say, firebase deploy does not set PROJECT_ID@appspot.gserviceaccount.com as permission but uses PROJECT_ID-compute@developer.gserviceaccount.com. I don't know yet if that's the cause. |
Using the default service account is not working but creating one, giving Cloud datastore user role, and associating this service account to the function fixes the issue. What is weird is that I didn't touch permissions for the default service account so that's strange that some actions started to fail suddenly. |
Something similar happened to me as well where I started losing permission access to my functions. I know that v1 functions use the App Engine default service account, and v2 functions use the Compute Engine service account, and it does seem like their wires got crossed somewhere lately and I started assigning function permissions to both just to be safe. I did notice that a few weeks ago when I would few my v2 function on the Cloud Functions dashboard, it would show the same function endpoint as on the Cloud Run dashboard (e.g. |
We are having a similar issue. We have a utility trigger that injects a timestamp value when a document is created or updated for auditing (very similar to OP). The only thing the trigger does is add/edit a value with a ISO date string. The code works on gen 1 with the only change being changing to use gen 2. The error in full:
We are using node 18 and keep all our dependencies up to date. |
Same issue here, but with firestore. Any news? |
@taeold ? |
Same issue here, but with firebase-admin |
Hi folks. This issue seems to me like an issue with the default service accounts associated with the function. Usually, these service accounts are granted Editor role which grants wide-array of permissions like ability to read/write to Firestore. However, there are organizational/security policies that prevents automatically grants the default service account the Editor role: You can always manually grant the Editor role to your default service account via by visiting GCP IAM page:
Can someone confirm if the organizational policy could be at fault here? |
Hey @kevinnammour. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically. If you have more information that will help us get to the bottom of this, just add a comment! |
@taeold No, still fails after manually editing the service account. |
Hey @kevinnammour. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically. If you have more information that will help us get to the bottom of this, just add a comment! |
@google-oss-bot @taeold what information do you need? This is getting ridiculous. |
Hello, could you solve the issue? |
no |
@taeold what information do you need? This is ridiculous. |
Same here - Google Firestore no longer accessible from my nodeJS server application. From a perfectly working code, all I did was updating my packages. I am using the following dependencies:
Any trial to access (read/write/update) a firestore collection results in this error message:
Even if I give full access in the Firestore RULES !!!!! What is going wrong here ??? |
@Blunderchips Screenshot you shared doesn't give me any additional information about your setul @iKK001 FWIW, security rules are not enforced when you access the database via the Admin SDK. I recommend folks experiencing the issue to open up a Firebase Support case so we can take a look at your project on a case-by-case basis. If I notice any general trends, I'll share them here, but it's unclear to me whether there is a bug in the Functions SDK that's affecting everyone. |
@taeold what information do you need? |
From my side, I can give "much lower sound" to the warning: i.e. I did a mistake calling the wrong environment-variable. Running locally, I do the following steps and it works now: Step1: Step2: Step3: Step4:
(i.e. the 3 environment variables Remark1: I do not use the possibility explained in the Firestore Project-Settings/Service-accounts
I do not use the above code. It would work locally, no problem. But I prefer the above version since I do not want to push the json-file to the repo later on. I want to do it with envrionment variables. Remark2: if you use the environment-variable case (first code-sample shown above), then make sure to format the environment variables correctly !!! The envrionment variables look something like this:
Again, you can find those values inside the downloaded However, and this was my mistake, running this locally, next to the required env-vars just created inside the .env file), YOU ABSOLUTELY NEED TO EXECUTE THE FOLLOWING Step5:
(or whatever name you gave your file) The It works now with this knowlege, hopefully also for everybody reading this. P.S.
|
We have tried this in the past to no success. Then "Running locally" does not resolve any issues, our code works perfectly fine locally. Everything works fine deployed to functions gen1 but fails on functions gen2, the only changes being those needed for migrating to gen2. |
Firebase support team seems to be maintaining that there is no issue. |
I'm unable to reproduce this issue with V1 or V2 functions. @kevinnammour is this still something you can reproduce? V1 functionexport const setTimestampsOnCreateV1 = firebase.firestore.document("listings/{listingId}").onCreate((snapshot) => {
const currentTime = admin.firestore.FieldValue.serverTimestamp();
if (!snapshot || !snapshot.exists) {
logger.info("No snapshot found, exiting");
return;
}
return snapshot.ref.set(
{
createdAt: currentTime,
updatedAt: currentTime,
},
{
merge: true,
}
);
}); V2 functionexport const setTimestampsOnCreateV2 = onDocumentCreated("listings/{listingId}", (event) => {
const currentTime = admin.firestore.FieldValue.serverTimestamp();
const snapshot = event.data;
if (!snapshot || !snapshot.exists) {
logger.info("No snapshot found, exiting");
return;
}
return snapshot.ref.set(
{
createdAt: currentTime,
updatedAt: currentTime,
},
{
merge: true,
}
);
}); |
Yes @exaby73 this is still an issue. It seems to only be reproduceable in firebase projects created before a certain date. The issue seems to be with the service accounts that are being generated by firebase. |
Facing very much the same issue with a NextJS/React app. Key facts:
Initializing the app with the json file, or with the private key or with GOOGLE_APPLICATION_CREDENTIALS makes no difference. None of the methods from https://firebase.google.com/docs/auth/admin/create-custom-tokens seems to have worked. Per the guide:
Default Compute Engine service account Checking both service accounts, they have the Editor and Cloud Datastore User permissions. Any tips will be appreciated. |
Currently having the same issue as @gursesl with my .Net Core Firebase Admin SDK. Everything works fine (for authentication, messaging, etc) except when I try to access my firestore database then I get Just like @gursesl, any tips will be appreciated. |
Hey @kevinnammour. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically. If you have more information that will help us get to the bottom of this, just add a comment! |
Since there haven't been any recent updates here, I am going to close this issue. @kevinnammour if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as resolved.
This comment was marked as resolved.
still issue |
Hello! This works for me! Granted the |
If anyone still facing this issue, the first step is to ensure that you're logged in with the correct Firebase account using the Firebase CLI. |
Also worked for me!! Thanks |
This!! |
@lpellegr I get insufficient permissions with a version 1 functions call
in which I try to set up a user, account (and two more) documents. You say "[1]creating one [service account], [2]giving Cloud datastore user role, and [3]associating this service account to the function fixes the issue.", but I don't know how to do any of of those three things. Can you direct me to some documentation? Thanks. |
@lpellegr Never mind, I've decide to abandon this snake pit, and do the onCreate and onDelete procedures at the front end. As a general comment, I'm a bit surprised that there is such a snake pit! It's Firebase!! |
I was able to get this to work when deploying via a github action by manually specifying the compute engine service account within the gcloud cli command per these instructions. |
The permission recommendations suggest to remove the Editor role:
I applied the recommendation some time ago. Reverted it now. Functions work again. |
Amazing, mate! This worked for me! I had this issue with Cloud Run, and it seems the only fix is exactly what you mentioned—manually configuring the Compute Engine service account using the gcloud CLI command. After the frustration of trying the other solutions, I gave yours a shot, and voilà! Fixed! Thanks a ton! |
Took a minute or two after the change was saved, but granting the Editor role to my Compute service account in the IAM console also worked for me. |
Related issues
[REQUIRED] Version info
node: v18.16.0
firebase-functions: 4.3.1
firebase-tools: 12.4.0
firebase-admin: 11.8.0
[REQUIRED] Test case
I have successfully deployed a cloud function:
but it gives PERMISSION_DENIED when triggered.
[REQUIRED] Steps to reproduce
Then,
firebase deploy
.[REQUIRED] Expected behavior
createdAt and updatedAt appear in the new listing document.
[REQUIRED] Actual behavior
Nothing appears, and this appears in the Logs Explorer of that function:
Were you able to successfully deploy your functions?
Yes
The text was updated successfully, but these errors were encountered: