I have a Firebase project with over 10 cloud functions. Today I added 3 more, but all three of the new ones are throwing an error UNAUTHENTICATED without actually trying to hit the function. (There's no record of a function call in the logs). I haven't made any changes to my environment or Firebase project since adding the previous functions.
I have tried redeploying all of the functions in my project, the three newest ones continue to fail while the previous ones work fine. I have also verified that I am using Node 8, since there are some similar issues reported stemming from using Node 10. I am not sure what else to try since the issue only applies to the new functions.
The new functions all have a similar signature:
exports.createGroup = functions.https.onCall((data, context) => {
//Firestore access
});
They are being called like this:
const create = functions().httpsCallable('createGroup');
return create({ group: oGroup }).then(result => {
//Do something
}).catch(err => {
console.log(err.message); //UNAUTHENTICATED
});
Node Version: 8.16.2
Firebase Tools Version: 7.6.1
2023 UPDATE
1. Go to the Google Cloud Console:
2. Click the checkbox next to the function to which you want to grant
access.
3. Click Permissions at the top of the screen. The Permissions panel
opens.
4. Click Add principal.
5. In the New principals field, type allUsers
6. Select the role Cloud Functions > Cloud Functions Invoker from the
Select a role drop-down menu.
7. Click Save.
It must be solved at your GCP Console (not Firebase). Just follow these steps:
Go to your GCP Console and login
On the top menu, select the corresponding Firebase project
On the left menu go to Cloud Functions Click the checkbox of your function (not the name of the function)
Once selected, on the right menu select "Add member"
On "New member" type allUsers
On the Select function bar, select Cloud Functions -> Cloud functions invoker
Click on "Save" and then "Allow public access" on the pop-up warning
And you're good to go!
Via Google Cloud docs:
As of January 15, 2020, HTTP functions require authentication by
default. You can specify whether a function allows unauthenticated
invocation at or after deployment.
The solution was to utilize the Google Cloud console (NOT the Firebase console) to add the allUsers permission to the newly created functions.
https://cloud.google.com/functions/docs/securing/managing-access-iam#allowing_unauthenticated_function_invocation
I ran into this error when deploying several functions and there was an issue during the upload where it seems the deployment got corrupted .. perhaps network related, not sure
After deleting the offending cloud functions in the Firebase console, and then doing a fresh successful deploy for them, the "FirebaseFunctionsException UNAUTHENTICATED" error went away
First I tried to just redeploy the functions, but that was not enough, the error continued this way
From the documentation for 2nd gen Cloud Functions:
Go to the Google Cloud console
Click the linked name of the function to which you want to grant access.
Click the Powered By Cloud Run link in the top right corner of the Function details overview page.
Click Trigger and select Allow unauthenticated invocations.
Click Save.
Took me forever to find this after trying to add allUsers and getting "Principals of type allUsers and allAuthenticatedUsers cannot be added to this resource".
Related
Yesterday, on a beautiful Saturday, I was resting. When suddenly the phone rings and the "system has stopped working".
When I observed the "cloud functions" one of them had an upload that I did not do, probably another member of the team.
After all, I was resting!
Now, my manager wants the deployment history for all functions.
How to know and where to get this information?
Entering the "cloud function" I can even see that there was the deploy, but it does not say "which user did it".
There are audit logs kept for all user actions. You can determine who updated the function by:
Go to Logging > Logs Explorer
In the Query Builder text box, add the following search term:
protoPayload.methodName="google.cloud.functions.v1.CloudFunctionsService.UpdateFunction"
Click the Run Query button and then filter down by the date and time of when it was deployed and you'll see the user's email in the principal_email property.
#Brian's answer is good. But here's another way to check Audit logs and see all operations happening on Cloud Functions:
Go to Navigation Menu > Home > Activity
Go to Filter Categories on the right part of the screen and make sure all Activity types are selected (checking only Data Access and configuration works fine as well).
Click Resource type and uncheck all but don't click OK yet.
Type to filter "Cloud Function" then check it.
Click OK.
In logs for the functions you have the information about deployment it should look something like that:
{"#type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{},"authenticationInfo":{"principalEmail":"EMAIL#gmail.com"},"serviceName":"cloudfunctions.googleapis.com","methodName":"google.cloud.functions.v1.CloudFunctionsService.UpdateFunction","resourceName":"projects/ffunctions-nodejs/locations/us-central1/functions/CRON_1440_OptimisationCall"}
I would start with reviewing this information (it is on the Console -> Project -> Functions -> logs)
Down the rabbit hole, we can go into console.cloud.google.com (Console -> Project -> Functions -> click on the three dots and go "Detailed usage statistics").
not really sure what you can dig in there though
Go to the Logs explorer and paste the below to find the updaed users of the cloud function.
resource.type = "cloud_function"
resource.labels.function_name = "your_cloud_function_name"
protoPayload.methodName="google.cloud.functions.v1.CloudFunctionsService.UpdateFunction"
Hope this helps!!
I have a function that is fired on a onUpdate trigger from my cloud firestore database.
The function not being called at all when I change my database.
I did not deploy the function using firestore CLI, instead I deployed it using the GCP Console.
Here is the function:
exports.NotificationListener = functions
.firestore
.document('users/{userId}')
.onUpdate((change, context) => {
const userId = context.params.userId.toString();
const eventId = context.eventId;
console.log('EventId:' + eventId);
console.log('Change in:' + userId);
return 200;
});
Here is the deployment information from the GCP console (showing the trigger):
Finally, here is the Cloud Firestore schema:
I want to monitor any changes to any "USER" in the collection: "/user", hence I am using "user/{userId}".
Why is this function not being called when I change the database ?
EDIT 1
A little information about my environment:
I have my entire project core in a TypeScript file. I have over 40 HTTPS triggered functions that are currently online.
I add a new function in my TS file, then I do a npm run build to compile and get the JS file.
Finally, I go to Google Cloud Console and create a function and choose "Zip Upload" and upload the compiled JS file (obviously, along with the required JSON files for getting Database URL, Authentication etc.)
This approach works perfectly fine, at least for HTTP triggered firestore functions.
Now I repeated the same steps as above for the onUpdate trigger and just instead of choosing HTTP trigger, I chose Cloud Firestore trigger. The trigger information can be found above in the screenshot.
onUpdate is not being fired on DB changes.
EDIT 2
My event trigger function NotificationListener is showing up in the firebase console functions list along with my other 40 HTTPS functions. But it is not being called.
#doug-stevenson, your answer seems to have disappeared, I am not sure why.
Anyway, I found the reason why it wasn't working.
My firebase database was in project "Placeholder 1" and my GCP functions were in project "Placeholder 2".
Now, I was able to update the "Placeholder 1" DB from GCP functions (in "Placeholder 2") using firabse-functions API because I set the DatabaseURL to "Placeholder 1".
But, just setting the DatabaseURL to the desired database doesn't work if you want to LISTEN to the database for changes. You actually need to have the function in the same project otherwise it is not able to subscribe and listen for events.
I think it's a little inconsistent that you can read/write to a DB from different projects, but to listen for events, function needs to be in same project.
Or maybe I am missing something fundamental that caused this confusion for me.
I have problem when invoking deployed function in firebase. I have an editor role in the firebase project and when I deployed functions, didn't have any problem with invoking them. When I deployed a new function yesterday, I got the error message that says
Error: Forbidden
Your client does not have permission to get URL / < Function Name > from this server.
Nothing has been changed to my role. It is strange that since yesterday, whatever function I deployed, threw those errors.
In gcp console/cloud functions, where you can see permissions of the function that was selected, I've noticed that "cloud functions invoker" was not assigned to that function. I thought this should be added to any function by default as long as I have an editor access but strangely it does not add them anymore. other functions that were deployed since yesterday have the same issue
any suggestions or advices will be appreciated. Thank you
Please Review Allowing unauthenticated function invocation
As of January 15, 2020, HTTP functions require authentication by default. You can specify whether a function allows unauthenticated invocation at or after deployment.
So here's the answer from the firebase team
The issue you are experiencing is likely caused by the fact that after January 15, 2020, Google Cloud Functions automatically creates HTTP functions to be >private by default.
Please, update the CLI, by running the following command:
npm install -g firebase-tools
This will ensure that future HTTP functions that are created will be publicly accessible.
Lastly, for the existing functions that has the permission issues, you will need >to manually set a function to public using Cloud Console or gcloud CLI.
If you have any questions or you are still facing this issue, please, don’t >hesitate to write back.
edited*
There could be several reasons to cause this issue.
check your function endpoint url make sure there's no typo or space
In the gcp console, make sure you have permission to invoke function https://console.cloud.google.com/functions/list?project=<YOUR_PROJECT_ID>
If the above two are checked, delete your function and redeploy your them again
Unfortunately, you can't do this in Firebase, you have to go into the Google Cloud project which 'hosts' your firebase project. You can follow this guide by Google, and have a look at the screenshots below:
You should see Allow unauthenticated now
To allow unauthenticated invocation of a function, you add the special allUsers member id to the function and grant it the Cloud Functions Invoker role:
You can limit domain access in your function, for example:
exports.myTest= async(req, res) => {
res.set('Access-Control-Allow-Origin', 'foo.com');
...etc
I defined my Firebase cloud functions in typescript/JS and deploy using Firebase CLI. I got this error after customizing the deployment settings, and I fixed it by specifying invoker="public" - I did not need to dig into IAM settings or use the console or CLI to fix.
export const serve = functions
.region("us-west2")
.runWith({
invoker: "public", // this is the magic line
})
.https.onRequest(
async (request: functions.Request, response: functions.Response) => {
// ...
})
updating firebase-tools wasn't enough in my case because i already deployed that function and updating it didn't fix the issue, i had to delete it and deploy again
I'm sure these are common scenarios, but after researching some hours, I couldn't really find what the common practice is. Maybe someone with more experience in Firebase can point me to the right direction.
I have two particular scenarios:
1. Code that runs once
Example 1: adding new data to all users in firestore, which is needed for a new feature
Example 2: start duplicating data into existing documents
I currently write the code in a cloud function, and run it on a firestore event (onUpdate of a "hidden" document) and then I immediately delete the function if everything goes well.
I also increase the timeout and memory for this function, as the idea is to potentially update millions of documents.
2. Manually trigger a function from the firebase console (or command line)
Example: Give a user admin privileges in the app (function that sets custom claims and firestore data). We don't have time to implement a back-office, so doing this from the firebase web portal/console would be ideal, specifying the user id.
My current solution is to use a https function, and run it from the GCP portal (on the function's "Testing" tab, being able to pass a json). BUT the function can be triggered publicly, which I don't really like...
What are the common practices for these scenarios?
To expand on my comment: if you want to create a node script to run one-off code, you just write your JS code like for any cloud function but simply run it immediately. Something like this.
const admin = require('firebase-admin');
admin.initializeApp();
const db = admin.firestore();
db.collection('users')
.where('myField', '==', true)
.get()
.then(querySnapshot => {
querySnapshot.docs.forEach(doc => {
// update doc
});
});
If you save this as script.js and execute it with node script.js you’ll be pointed towards downloading a JSON file with credentials. Follow the instructions and you can then run the script again and now you’re running your own code on Firestore, from the command line.
For administrative type operations, you're better off just running them on your desktop or some other server you control. Cloud Functions is not well suited for long running operations, or things that must just happen once on demand.
Case 1 really should be managed by a standalone program or script that you can monitor by running it on your desktop.
Case 2 can be done a number of ways, such as building your own admin web site. But you might find it easiest to mirror the contents of a document to custom claims using a Firestore trigger. Read this: https://medium.com/firebase-developers/patterns-for-security-with-firebase-supercharged-custom-claims-with-firestore-and-cloud-functions-bb8f46b24e11
Does anyone know if there is an easy way to trigger a function everytime i re-deploy some funciont to firebase?
I have an specific firabase functions which i define inside GCP (this way when i do "firebase deploy" it doesnt re-deploy, unnisntal or touch in any form my current function)
but sometimes i might update this function manually on GCP and i would like to trigger a inner function of its code everytime it happens... is it possible?
ex:
exports.decrementAction = (req, res) => {/*do stuff*/res.status(200).send("ok")};
function auxiliary(){
//to be called on re-deploy
}
Unfortunately, there isn't an easy way for you to trigger a function within a code that is being redeployed. Since this code is only being deployed at the moment, this wouldn't be possible to be done automatically.
The alternative would be to have this function separately from the "root" function in the moment of deploying and use triggers to run this other Cloud Function, when the first is redeployed. This way, it would be possible to run it based in the deployment of the other.
You can get more information on the triggers available for Cloud Functions here: Calling Cloud Functions. With them, you should be able to configure the timing for the execution.
Besides that, it might be worth it to raise a Feature Request for Google's to verify the possibility of adding this in future releases.
Let me know if the information clarified!
I think there exists a manner.
With Pub/Sub you can catch logs from Stackdriver (docs). Those services allow you to store only the logs related to the deployment of a Cloud Function.
The store could be, for instance, Cloud Firestore. As you should know, there is available a trigger for Cloud Firestore events.
Finally, every time an event log related to a function's deployment is generated, it will be stored and triggers a function attached to that event. In the function, you can parse or filter the logs.