Firebase - lacks IAM permission "cloudscheduler.jobs.update" - firebase

After implementing a Firebase function with the code below, the deploy failed.
generateDailyStat: functions.pubsub.schedule('every day 00:00').timeZone('Asia/Seoul').onRun(generateDailyStat),
Error messages are as below.
i functions: creating Node.js 8 function generateDailyStat(us-central1)...
i scheduler: ensuring necessary APIs are enabled...
i pubsub: ensuring necessary APIs are enabled...
✔ scheduler: all necessary APIs are enabled
✔ pubsub: all necessary APIs are enabled
Error: HTTP Error: 403, The principal (user or service account) lacks IAM permission "cloudscheduler.jobs.update" for the resource "projects/MY_PROJECT/locations/asia-northeast2/jobs/firebase-schedule-generateDailyStat-us-central1" (or the resource may not exist).
My account has the 'owner' role, and I gave the owner role of cloudscheduler to the Firebase service account. But it still failed.
What did I miss?

Searching about it, it seems that this error might be related to the fact that the permission cloudscheduler.jobs.update, as per the documentation Support level for permissions in custom roles, is not supported for use yet; it's still in the Testing status, which means that some exceptions and errors are expected.
In another post on the community, a user reported that removing all the permissions and adding them again fixed the case "magically", so it might be an option for you to try. You can find more information on this solved case here:
The principal (user or service account) lacks IAM permission “cloudtasks.tasks.create” for the resource.
Let me know if the information clarified and helped you!

Related

Firebase functions still don't work after I verified my billing stuff

When I try deploying my app, this is the output:
Error: Your project quiz-byte must be on the Blaze (pay-as-you-go) plan to complete this command. Required API cloudbuild.googleapis.com can't be enabled until the upgrade is complete. To upgrade, visit the following URL:
I did verify my billing options, but they keep asking me to pay for their paid plan.
Am I supposed to wait some time or something?

Unable to Deploy Cloud Functions - Permission denied to enable service [artifactregistry.googleapis.com]

I'm trying to deploy the default test function to check that everything works.
const functions = require("firebase-functions");
exports.helloWorld = functions.https.onRequest((request, response) => {
  functions.logger.info("Hello logs!", {structuredData: true});
  response.send("Hello from Firebase!");
});
But when I run firebase deploy or firebase deploy --only functions, I get the following error:
i artifactregistry: ensuring required API artifactregistry.googleapis.com is enabled...
! artifactregistry: missing required API artifactregistry.googleapis.com. Enabling now...
Error: HTTP Error: 403, Permission denied to enable service [artifactregistry.googleapis.com]
The owner has granted me Cloud Functions Admin, Firebase Admin and Service Account User roles, which is sufficient according to the Firebase Support representative.
I have tried logging in/out, reinstalling Firebase command line tools via npm install -g firebase-tools, rerunning firebase init.
But I still receive the same error.
Does anyone have any experience with this particular error?
I found a solution and I'm now able to deploy. Here's the answer that worked for me.
As I mentioned in my question, enabling Cloud Functions Admin, Firebase Admin and Service Account User roles did not fix the problem. So I asked the owner to give me the API Keys Admin role.
Also, I noticed the Artifact Registry API was not enabled at https://console.cloud.google.com/marketplace/product/google/artifactregistry.googleapis.com
Since the error was Permission denied to enable service [artifactregistry.googleapis.com], I asked the owner to enable it manually.
Doing these two things solved the problem, and I am now able to deploy cloud functions.
I had the same problem.
I had a pending payment of $2. I paid it and that solved the problem. I was able to update my function and deploy my function.
Go to https://console.cloud.google.com/iam-admin/ and in your project search for the github-action service account (github-action-xxxxxxxx@YOURPROJECT.iam.gserviceaccount.com?)
Then add the permission: Artifact Registry Admin.

If I already have Cloud Functions Admin role, why do I need Cloud Functions Invoker role to run cloud functions?

I have been assigned Cloud Functions Admin role in the IAM permissions settings. I have created a cloud function callable by HTTP. When I make the request it throws
Error: Forbidden
Your client does not have permission to get URL /<function name> from this server.
Apparently I have to add the Cloud Functions Invoker role to be able to call cloud functions, but this seems unnecessary since I'm already a Cloud Functions Admin, whose permissions surely encompass any held within Cloud Functions Invoker.
Is this strange behavior correct or have I taken a wrong turn?
I have now added the Owner role as well as Cloud Functions Admin and it still throws the same 403.
I have updated my CLI using npm install -g firebase-tools - now on v11.8.0.
I have added allUsers principal to have Cloud Functions Invoker.
I have checked the errors logged in the console and found: "gcf-artifacts has failed as the Artifact Registry API is not active. Please enable the API and try again." However, when I check if the Artifact Registry API is enabled, it is.
I am now attempting to enable unauthenticated HTTP function invocation using this article; however, I can't find the Configuration panel within the Google Cloud console.
If you are experiencing the same issue and have already completed all of my troubleshooting above, delete your cloud function and redeploy it.
It's that simple.

What service account roles to deploy a scheduled Cloud Function?

To deploy my Firebase project, I have setup a service account with the roles:
Cloud Functions Admin
Firebase Admin
Service Account User
It works fine with Hosting and Cloud Functions triggered by Firestore or HTTPS, but it fails with a function on schedule.
What additional role do I need?
Edit: the only related output messages are:
i functions: updating Node.js 14 function schedule-statistics(europe-west3)...
...
✔ functions[schedule-statistics(europe-west3)]: Successful update operation.
...
Functions deploy had errors with the following functions:
schedule-statistics(europe-west3)
Edit: additional test: when deploying using my logged-in CLI on my machine, I see this additional message, which is missing when deploying with the service account:
✔ functions[schedule-statistics(europe-west3)]: Successful upsert schedule operation.
Edit: by adding logs as suggested by @Dharmaraj, I can see the missing permissions:
The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.get\"
...
The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.update\"
So when adding the "Cloud Scheduler Admin", it works!
I was misled because I already set this role to the service account but within another project, and it does not propagate! Lesson learned at the expense of a nice afternoon.
The answer is: add role "Cloud Scheduler Admin".
The gotcha is: roles set to a service account in one project do not propagate to the same service account in other project.
The nice lesson is: add --debug to see additional logs, including missing permissions, thanks @Dharmaraj
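The per-project gotcha described in the post above can be checked before a deploy. The following is an added example, not code from the original posts: it takes IAM policies in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and lists, for each project, which of the four roles the deployer service account is missing. The role IDs are assumed to correspond to the role names in the post, and the project IDs and service account email are constructed.

```javascript
// Role IDs assumed to correspond to the role names listed in the post.
const REQUIRED_ROLES = [
  "roles/cloudfunctions.admin",   // Cloud Functions Admin
  "roles/firebase.admin",         // Firebase Admin
  "roles/iam.serviceAccountUser", // Service Account User
  "roles/cloudscheduler.admin",   // Cloud Scheduler Admin (needed for scheduled functions)
];

// Returns the required roles that `email` does not hold in one project's policy.
// Only exact, unconditional role bindings count; basic or custom roles that
// happen to carry the same permissions are not expanded here.
function missingRoles(policy, email, required = REQUIRED_ROLES) {
  const member = `serviceAccount:${email}`.toLowerCase();
  const held = new Set();
  for (const binding of policy.bindings || []) {
    if (binding.condition) continue; // a conditional grant may not apply at deploy time
    const members = (binding.members || []).map((m) => m.toLowerCase());
    if (members.includes(member)) held.add(binding.role);
  }
  return required.filter((role) => !held.has(role));
}

// Checks every project separately, because a binding in one project's policy
// grants nothing in another project.
function auditProjects(policiesByProject, email) {
  const report = {};
  for (const [project, policy] of Object.entries(policiesByProject)) {
    report[project] = missingRoles(policy, email);
  }
  return report;
}

// Constructed sample data (hypothetical project IDs and service account).
const SAMPLE_SA = "deployer@demo-prod.iam.gserviceaccount.com";
const base = ["roles/cloudfunctions.admin", "roles/firebase.admin", "roles/iam.serviceAccountUser"];
const bind = (roles) => ({
  bindings: roles.map((role) => ({ role, members: [`serviceAccount:${SAMPLE_SA}`] })),
});
const SAMPLE_POLICIES = {
  "demo-staging": bind([...base, "roles/cloudscheduler.admin"]),
  "demo-prod": bind(base), // scheduler role was only granted in the other project
};

console.log(auditProjects(SAMPLE_POLICIES, SAMPLE_SA));
```

A non-empty list for the project being deployed to is the cue to grant the role there, rather than assuming a grant made in another project carries over.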

Unable to sign JWT when using serviceAccountId

We've switched from service account keys to serviceAccountIds (or tried to) so we can clean up all the rogue keys we have. After rolling out the change we're seeing:
Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/xxxx@xxx.iam.gserviceaccount.com.; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature....}}
The thing is, we've definitely got the correct role applied (see attachment). We've even tried a few more for good measure.
Thanks!
There are two service accounts being used in this case:
The service account used to authorize RPC calls (in case of Cloud Functions, this is the App Engine default service account).
The service account you have specified as the serviceAccountId.
It seems IAM only works when BOTH service accounts have the signBlob permission. I have inquired with the GCP/IAM team about this. In the meantime, here are a couple of fixes you can try immediately:
Grant the token creator role to the App Engine default service account of your project.
Once you do that, you don't have to specify a serviceAccountId at all. The SDK will auto-discover that same service account ID when running in Functions.
