firebase-functions: cloud function error: PERMISSION_DENIED: Missing or insufficient permissions
Related issues
[REQUIRED] Version info
node: v18.16.0
firebase-functions: 4.3.1
firebase-tools: 12.4.0
firebase-admin: 11.8.0
[REQUIRED] Test case
I have successfully deployed a cloud function: but it gives PERMISSION_DENIED when triggered.
[REQUIRED] Steps to reproduce
import * as functions from "firebase-functions";
import * as admin from "firebase-admin";
admin.initializeApp();
export const setTimestampsOnCreate = functions.firestore
.document("listings/{listingId}")
.onCreate((snapshot) => {
const currentTime = admin.firestore.FieldValue.serverTimestamp();
return snapshot.ref.set(
{
createdAt: currentTime,
updatedAt: currentTime,
},
{
merge: true,
}
);
});
Then, firebase deploy
.
[REQUIRED] Expected behavior
createdAt and updatedAt appear in the new listing document.
[REQUIRED] Actual behavior
Nothing appears, and this appears in the Logs Explorer of that function:
{
"textPayload": "Error: 7 PERMISSION_DENIED: Missing or insufficient permissions.\n at callErrorFromStatus (/workspace/node_modules/@grpc/grpc-js/build/src/call.js:31:19)\n at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client.js:192:76)\n at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:360:141)\n at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:323:181)\n at /workspace/node_modules/@grpc/grpc-js/build/src/resolving-call.js:94:78\n at process.processTicksAndRejections (node:internal/process/task_queues:77:11)",
"insertId": "648c880e000cfb9650c27bb0",
"resource": {
"type": "cloud_function",
"labels": {
"region": "us-central1",
"function_name": "setTimestampsOnCreate",
"project_id": "dormati-b29a7"
}
},
"timestamp": "2023-06-16T16:04:30.850838Z",
"severity": "ERROR",
"labels": {
"execution_id": "o5u6vlzf6e9r",
"instance_id": "00c61b117c826b7c9fc18c8a07396f9e616a78e6c171e68f19f1883509553185306afbb9d971675d3d2c7342435e696a0c175110b72872058288"
},
"logName": "projects/dormati-b29a7/logs/cloudfunctions.googleapis.com%2Fcloud-functions",
"trace": "projects/dormati-b29a7/traces/3ad8e82b637efdf9568fc980600644e0",
"receiveTimestamp": "2023-06-16T16:04:31.075976411Z"
}
Were you able to successfully deploy your functions?
Yes
About this issue
- Original URL
- State: open
- Created a year ago
- Reactions: 4
- Comments: 36 (4 by maintainers)
Hi folks. This issue seems to me like an issue with the default service accounts associated with the function. Usually, these service accounts are granted Editor role which grants wide-array of permissions like ability to read/write to Firestore.
However, there are organizational/security policies that prevents automatically grants the default service account the Editor role:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants
You can always manually grant the Editor role to your default service account via by visiting GCP IAM page:
{project-id}
@appspot.gserviceaccount.com{project-number}
-compute@developer.gserviceaccount.comCan someone confirm if the organizational policy could be at fault here?
Also worked for me!! Although I am using Gen1 I had to give to Compute Engine the Editor role
Thanks
@google-oss-bot @taeold what information do you need? This is getting ridiculous.
Same issue here, but with firebase-admin