Despite of setting permission allUsers with invoke cloud function role I'm not able to trigger scheduled cloud function due to error "unauthenticated".
Region is the same, tried to redeploy function few times.
What I can check for this issue?
This is fresh project.
This scheduled function was created using firebase tools
Fixed. Somehow it started to work after couple of hours without any changes with default roles.
Related
I have an issue related to Firestore, Hosting, and Cloud functions. I deployed a Nextjs application using the just-released experimental web framework support. I'm using Nextjs's Image API, and as expected, the Firebase CLI creates a cloud function for the project. Everything works fine at the start, but when I try to open a page in the application that reads some data from Firestore, it redirects to an auth page, which is unexpected.
Even when I auth with my Google account (since that's the logged-in user to the application), it returns a forbidden error and logs me out.
When I go back and try again, it returns a different error (most likely because I was logged out automatically).
I tried doing some research, and some people suggested adding an allUsers principal permission to Cloud functions, but that didn't work (Error: Principals of type allUsers and allAuthenticatedUsers cannot be added to this resource), and that's even insecure permission. Only authenticated users should be able to read data from the page as already configured in my Firestore security rules. So it's unclear what I need to do since Firebase created the Cloud function automatically or if this is related to my security rules and cloud functions.
What could be wrong? Everything works fine in my existing deployment setup to Netlify (where Edge functions are created automatically using their Nextjs plugin). I'm only trying to test the new Firebase web framework hosting features. Please let me know if you'd need me to provide some more context or debug files to better help you help me.
Thank you!
The message “ App requesting permission to access your google account “ pops up if the function runs in any region other than us-central1.
Currently, Firebase Hosting does not support Cloud Functions in any other regions, Except us-central1.
You can refer to this StackOverflow thread.
I would like to ask for the help of people familiar with Firebase functions. I am struggling with the problem that uploading the code via firebase cli fails. It was working a few days ago, I didn't change anything in the world, I mean through the configuration. And it gets stuck at a part where not even a code change was made. I have had this problem ever since the client set the editor role to the owner role. But in theory this shouldn't be a problem.
firebase deploy --debug returns this:
{"error":{"code":403,"message":"Unable to retrieve the repository metadata for projects/{projectname}/locations/us-central1/repositories/gcf-artifacts. Ensure that the Cloud Functions service account has 'artifactregistry.repositories.list' and 'artifactregistry.repositories.get' permissions. You can add the permissions by granting the role 'roles/artifactregistry.reader'.","status":"PERMISSION_DENIED"}}
I set it up but it still doesn't work. Maybe in the wrong place or I don't know. I only encountered similar problems on the net, but none of them helped. I do not know what to do. Artifactregistry api is also enabled.
firebase functions:log :
2022-11-09T22:15:55.891760Z E friendRequestNotification: {"#type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{"code":7,"message":"Unable to retrieve the repository metadata for projects/{projectname}/locations/us-central1/repositories/gcf-artifacts. Ensure that the Cloud Functions service account has 'artifactregistry.repositories.list' and 'artifactregistry.repositories.get' permissions. You can add the permissions by granting the role 'roles/artifactregistry.reader'."},"authenticationInfo":{"principalEmail":"{email}"},"requestMetadata":{"callerIp":"{ip}","callerSuppliedUserAgent":"FirebaseCLI/11.16.0,gzip(gfe),gzip(gfe)","requestAttributes":{"time":"2022-11-09T22:15:56.055987Z","auth":{}},"destinationAttributes":{}},"serviceName":"cloudfunctions.googleapis.com","methodName":"google.cloud.functions.v1.CloudFunctionsService.CreateFunction","authorizationInfo":[{"resource":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","permission":"cloudfunctions.functions.create","granted":true,"authorizationLoggingOptions":{"permissionType":"ADMIN_WRITE"},"resourceAttributes":{}}],"resourceName":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","request":{"function":{"sourceUploadUrl":"https://storage.googleapis.com/uploads-760418412171.us-central1.cloudfunctions.appspot.com/6d1f7217-7899-484f-911c-1dbcb4512d8d.zip?GoogleAccessId=service-{}#gcf-admin-robot.iam.gserviceaccount.com&Expires={}","labels":{"deployment-tool":"cli-firebase","firebase-functions-hash":"{hash}"},"runtime":"nodejs16","dockerRegistry":"ARTIFACT_REGISTRY","entryPoint":"friendRequestNotification","name":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","eventTrigger":{"eventType":"providers/cloud.firestore/eventTypes/document.create","resource":"projects/{projectname}/databases/(default)/documents/users/{userId}/friends/{friendId}"}},"location":"projects/{projectname}/locations/us-central1","#type":"type.googleapis.com/google.cloud.functions.v1.CreateFunctionRequest"},"resourceLocation":{"currentLocations":["us-central1"]}}
I have already tried all options within the Google cloud iam&admin settings, but nothing.
Well, I solved the issue by updating my credit card. Basically, billing was disabled because my credit card was expired and all the permissions were disabled.
Try to enable the created artifacts for your project on Google Cloud Console
https://console.cloud.google.com/artifacts
I have been assigned Cloud Functions Admin role in the IAM permissions settings. I have created a cloud function callable by HTTP. When I make the request it throws
Error: Forbidden
Your client does not have permission to get URL /<function name> from this server.
Apparently I have to add the Cloud Functions Invoker role to be able to call cloud functions, but this seems unnecessary since I'm already a Cloud Functions Admin, whose permissions surely encompass any held within Cloud Functions Invoker.
Is this strange behavior correct or have I taken a wrong turn?
I have now added Owner role aswell as Cloud Functions Admin and it still throws the same 403.
I have updated my CLI using npm install -g firebase-tools - now on v11.8.0.
I have added allUsers principal to have Cloud Functions Invoker.
I have checked any errors logged in the console and gcf-artifacts has failed as the Artifact Registry API is not active. Please enable the API and try again. - however when I check if the Artifact Registry API is enabled, it is.
I am now attempting to enable unauthenticated HTTP function invocation using this article however I can't find the Configuration panel within the google cloud console.
If you are experiencing the same issue and have already completed all of my troubleshooting above, delete your cloud function and redeploy it.
It's that simple.
I am new on firebase cloud functions. I would like to ask a question about always running or self-triggering functions. How can we handle these things? How can we implement always running functions or self-triggering?
Google Cloud Functions are snippets of code that run in response to events that happen somewhere else. Some example events:
a HTTPS URL is accessed, either from application code, or in some other way
a User account is created on Firebase Authentication
a node is written in the Firebase Realtime Database
a message is sent to a Cloud PubSub topic
There is no concept on a forever-running function on Cloud Functions (nor on other, similar Functions-as-a-Service offerings), although it's definitely possible to create a function that gets triggered every minute or so (like a cron job).
I just made a firebase cloud function :
exports.deleteAfterSevenDays = functions.https.onRequest((req, res) => {...
I deployed the function and got a function URL. When I request this url from my browser I get the following message :
"Error: Forbidden Your client does not have permission to get URL /200
from this server."
I have just updated to firebase Blaze plan because I thought there were limitations with Spark plan, but it still doesn't work.
In my firebase cloud function logs it is written "Function execution took 572 ms, finished with status code: 302".
My cron job "has been disabled automatically because of too many failed executions".
Do you see what's wrong?
Cloud function should have a role with member called "All users" to invoke this function from anywhere/anyone irrespective of an authorization.
Without Authorization:
Go to the cloud function tab
Select your cloud function (check box)
Click "Add members" under Permissions tab in the right side
Enter "allUsers" under "New memebers"
Select Role as "Cloud Functions -> Cloud Functions Invoker"
Save
Test your cloud function by just pasting it in the browser
With Authorization:
It's always a good practice to set authorization on your cloud functions
Note: Cloud functions throwing error with "403 Forbidden - Your client does not have permission to get URL" should be called by authorized users.
Simple test:
Click on Cloud shell(icon) terminal in the top
type - gcloud auth print-identity-token
copy the generated token
forming Authorization key to be passed while calling cloud function
4.1 Authorization: bearer generated_token
Use above Authorization key while calling your cloud function
Note:
Never make a cloud function available to allUsers
From Cloud Function docs:
Caution: New HTTP and HTTP callable functions deployed with any
Firebase CLI lower than version 7.7.0 are private by default and throw
HTTP 403 errors when invoked. Either explicitly make these functions
public, or update your Firebase CLI before you deploy any new
functions.
In my case the CLI version was out of date. If you currently get the 403 error, try this:
Delete your Cloud Functions
Update Firebase CLI npm install -g firebase-tools
Re-deploy your functions
To be clear:
Go to your function (make sure your project is selected):
https://console.cloud.google.com/functions/details/us-central1/ssr
Click Permissions Tab
Click Add Permissions
New Principals: allUsers
Role: Cloud Functions Invoker
Done.
J
Changing the IAM role(Cloud Functions Invoker) for targeted cloud function to allUsers should solve this issue. https://console.cloud.google.com/functions
If you face this in 2020 it might also be due to a different access behaviour:
Note: As of January 15, 2020, HTTP functions require authentication by
default. You can specify whether a function allows unauthenticated
invocation at or after deployment.
https://cloud.google.com/functions/docs/securing/managing-access-iam#allowing_unauthenticated_function_invocation
Here are the steps
Go the Google Cloud Console(Not Firebase Console) -> Search For Cloud Functions to see the list of functions
Click the checkbox next to the function to which you want to grant
access.
Click Permissions at the top of the screen. The Permissions panel
opens.
Click Add principal.
In the New principals field, type allUsers.
Select the role Cloud Functions > Cloud Functions Invoker from the
Select a role drop-down menu.
Click Save.
Enable access from Postman project:
Open https://console.cloud.google.com/functions
Open cloud shell (right top terminal icon)
Write: gcloud auth print-identity-token
Copy your token and open your Posman
Right click on your collection -> Edit
Authorization -> Choose type OAuth 2.0
Paste your token in the Access Token
Note: You can do the same for a single request or folder.
This might be far fetched but if you have interrupted a cloud function deployment, then redeployed the function (which lead to an error), and after that you redeployed the function successfully this could have caused the issue.
I am trying to reproduce, but simple deleting the function in the firebase console and redeploying worked for me.
it happens to me after i upgraded all NPM packages and then deployed...
i delete all the functions from the cloude and re-deplyed them. it solve me this error immediately. without change permisions or any other cahnge
I know this doesn't make sense, or not a real solution but I solved it by making my account an Owner of the Firebase project. It was working nice while I was Editor but stopped working suddenly and setting my account as Owner solved it for now.
I guess it has to do with certain account having proper access to the Service Account which is the actual interface with Firebase Functions and Google Cloud API.
In my case, I made error in Postman
when I typed Body of Request, I didn't switched format from Text to JSON.
Check that part.