In a Firebase Cloud Function I am getting access denied on admin-firebase on read or write to the Realtime Database. This https://github.com/firebase/firebase-functions/issues/16 does not solve my problem; the App Engine default service account rights are set to Editor.
I also have the Node.js Admin SDK configured with a service account key, and there everything works as expected.
I have set the default security rules in the db.
This is an example function:
const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp(functions.config().firebase);
admin.database.enableLogging(true);
// event fires properly
exports.sendNotif = functions.database.ref('/messages/{roomId}/{msgKey}')
    .onWrite(event => {
        const message = event.data.val().text;
        // this executes as expected
        console.log(message);
        // here I am getting access denied and consequently function timeout after 60 seconds.
        return admin.database().ref('/userFCMTokens').once('value')
            .then(snap => console.log(snap.val()));
    });
And here is a log snippet from the Firebase Realtime Database:
Realtime connection established.
2017-06-08T15:19:03.168Z I sendNotif: p:0: connection ready
2017-06-08T15:19:03.168Z I sendNotif: p:0: {"r":28,"a":"gauth","b":{"cred":"********************"}}
2017-06-08T15:19:03.169Z I sendNotif: p:0: Listen on /userFCMTokens for default
2017-06-08T15:19:03.169Z I sendNotif: p:0: {"r":29,"a":"q","b":{"p":"/userFCMTokens","h":""}}
2017-06-08T15:19:03.538Z I sendNotif: p:0: from server: {"r":28,"b":{"s":"permission_denied","d":"Access denied."}}
2017-06-08T15:19:03.538Z I sendNotif: Auth token revoked: permission_denied/Access denied.
2017-06-08T15:19:03.538Z I sendNotif: c:0:13: Closing realtime connection.
2017-06-08T15:19:03.538Z I sendNotif: c:0:13: Shutting down all connections
2017-06-08T15:19:03.538Z I sendNotif: c:0:13:0 WebSocket is being closed
Here it is without Realtime Database logging, for brevity:
2017-06-08T15:26:23.164035495Z D sendNotif: Function execution started
2017-06-08T15:26:23.164076543Z D sendNotif: Billing account not configured. External network is not accessible and quotas are severely limited. Configure billing account to remove these restrictions
2017-06-08T15:26:23.539Z I sendNotif: message console logged
2017-06-08T15:27:23.165321703Z D sendNotif: Function execution took 60002 ms, finished with status: 'timeout'
Why can't I read and write using admin in Cloud Functions?
Try checking permission for “App Engine default service account” on https://console.cloud.google.com/iam-admin/iam/project, and ensure that it says “Editor”.
Firebase/GCP circa mid-2022 now has clear information in the documentation:

Role: Firebase Develop Admin (roles/firebase.developAdmin)
Full read/write access to:
- Google Analytics
- Firebase App Check
- ...
- Cloud Functions for Firebase (deploying functions requires special configuration)
- Firebase ML

The special configuration leads to the detail of roles to add to a plain Editor: roles/cloudfunctions.admin and roles/iam.serviceAccountUser. Alternatives are also suggested, like delegating to an Owner, but adding the roles is most likely minimal and more secure.
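An added example, not part of either answer or of Firebase's own code: a Node.js check of a project IAM policy (the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`) for the roles the two answers name. The project id, e-mail addresses and the sample policy are constructed placeholders, and `auditMember` is a hypothetical helper name.

```javascript
// Roles named on this page: Editor for the App Engine default service account
// (first answer); the two roles a plain Editor also needs to deploy (second answer).
const RUNTIME_ROLES = ['roles/editor'];
const DEPLOYER_ROLES = ['roles/editor', 'roles/cloudfunctions.admin', 'roles/iam.serviceAccountUser'];

// Classify each required role for `member` as granted, conditional-only or missing.
function auditMember(policy, member, requiredRoles) {
  const granted = new Set();
  const conditional = new Set();
  for (const binding of policy.bindings || []) {
    // Exact match only: a "deleted:serviceAccount:...?uid=..." entry is a
    // removed account and must not count as the live one.
    if (!(binding.members || []).includes(member)) continue;
    // A binding with a condition applies only while its expression holds.
    (binding.condition ? conditional : granted).add(binding.role);
  }
  const report = { granted: [], conditionalOnly: [], missing: [] };
  for (const role of requiredRoles) {
    if (granted.has(role)) report.granted.push(role);
    else if (conditional.has(role)) report.conditionalOnly.push(role);
    else report.missing.push(role);
  }
  return report;
}

// Constructed sample policy (placeholder project id and e-mail addresses).
const APP_ENGINE_SA = 'serviceAccount:example-project@appspot.gserviceaccount.com';
const samplePolicy = {
  version: 3,
  bindings: [
    { role: 'roles/viewer', members: [APP_ENGINE_SA] },
    { role: 'roles/editor',
      members: ['deleted:' + APP_ENGINE_SA + '?uid=123', 'user:dev@example.com'] },
    { role: 'roles/cloudfunctions.admin', members: ['user:dev@example.com'],
      condition: { title: 'expires', expression: 'request.time < timestamp("2030-01-01T00:00:00Z")' } },
  ],
};

function demo() {
  return {
    runtime: auditMember(samplePolicy, APP_ENGINE_SA, RUNTIME_ROLES),
    deployer: auditMember(samplePolicy, 'user:dev@example.com', DEPLOYER_ROLES),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the sample, the App Engine default service account shows Editor as missing because only a deleted entry holds it, and the deployer holds `roles/cloudfunctions.admin` only under a time-limited condition.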