In a Firebase Cloud Function I am getting access denied on admin-firebase on read or write to the Realtime Database. This https://github.com/firebase/firebase-functions/issues/16 does not solve my problem; the App Engine default service account rights are set to Editor.
I also have the Node.js Admin SDK configured with a service account key, and there everything works as expected.
I have set the default security rules in the DB.
This is an example function:
const functions = require('firebase-functions');
const admin = require('firebase-admin');

admin.initializeApp(functions.config().firebase);
admin.database.enableLogging(true);

//event fires properly
exports.sendNotif = functions.database.ref('/messages/{roomId}/{msgKey}')
  .onWrite(event => {
    const message = event.data.val().text;
    //this executes as expected
    console.log(message);
    //here I am getting access denied and consequently function timeout after 60 seconds.
    return admin.database().ref('/userFCMTokens').once('value')
      .then(snap => console.log(snap.val()));
  });
And here is a log snippet from the Firebase Realtime Database:
Realtime connection established.
2017-06-08T15:19:03.168Z I sendNotif: p:0: connection ready
2017-06-08T15:19:03.168Z I sendNotif: p:0: {"r":28,"a":"gauth","b":{"cred":"********************"}}
2017-06-08T15:19:03.169Z I sendNotif: p:0: Listen on /userFCMTokens for default
2017-06-08T15:19:03.169Z I sendNotif: p:0: {"r":29,"a":"q","b":{"p":"/userFCMTokens","h":""}}
2017-06-08T15:19:03.538Z I sendNotif: p:0: from server: {"r":28,"b":{"s":"permission_denied","d":"Access denied."}}
2017-06-08T15:19:03.538Z I sendNotif: Auth token revoked: permission_denied/Access denied.
2017-06-08T15:19:03.538Z I sendNotif: c:0:13: Closing realtime connection.
2017-06-08T15:19:03.538Z I sendNotif: c:0:13: Shutting down all connections
2017-06-08T15:19:03.538Z I sendNotif: c:0:13:0 WebSocket is being closed
Here it is without logging on the Realtime Database, for brevity:
2017-06-08T15:26:23.164035495Z D sendNotif: Function execution started
2017-06-08T15:26:23.164076543Z D sendNotif: Billing account not configured. External network is not accessible and quotas are severely limited. Configure billing account to remove these restrictions
2017-06-08T15:26:23.539Z I sendNotif: message console logged
2017-06-08T15:27:23.165321703Z D sendNotif: Function execution took 60002 ms, finished with status: 'timeout'
Why can’t I read and write using admin in Cloud Functions?
Try checking permission for “App Engine default service account” on https://console.cloud.google.com/iam-admin/iam/project, and ensure that it says “Editor”.
Firebase/GCP circa mid-2022 now has clear information in the documentation:
Role: Firebase Develop Admin (roles/firebase.developAdmin)
Full read/write access to:
- Google Analytics
- Firebase App Check
- ...
- Cloud Functions for Firebase (deploying functions requires special configuration)
- Firebase ML
The special configuration leads to the detail of roles to add to a plain Editor: roles/cloudfunctions.admin and roles/iam.serviceAccountUser. Alternatives are also suggested, like delegating to an Owner, but adding the roles is most likely minimal and more secure.
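The role checks the two answers describe can be run against an exported IAM policy. This is an added example, not code from the original posts: it assumes the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the project ID `demo-project`, the user `dev@example.com` and all function names are constructed for illustration.

```javascript
// Roles named on this page.
const RUNTIME_ROLES = ['roles/editor'];            // App Engine default service account
const DEPLOYER_EXTRA_ROLES = [                     // added on top of a plain Editor
  'roles/cloudfunctions.admin',
  'roles/iam.serviceAccountUser',
];

// IAM member string of the App Engine default service account.
function appEngineDefaultMember(projectId) {
  return `serviceAccount:${projectId}@appspot.gserviceaccount.com`;
}

// Roles bound to `member`, split by whether the binding carries an IAM condition.
function rolesFor(policy, member) {
  const unconditional = new Set();
  const conditional = new Set();
  for (const binding of policy.bindings || []) {
    if (!(binding.members || []).includes(member)) continue;
    (binding.condition ? conditional : unconditional).add(binding.role);
  }
  return {
    unconditional: [...unconditional].sort(),
    conditional: [...conditional].sort(),
  };
}

// Required roles the member does not hold unconditionally (exact role match only;
// a conditional grant is reported as missing because it may not apply).
function missingRoles(policy, member, required) {
  const { unconditional } = rolesFor(policy, member);
  return required.filter(role => !unconditional.includes(role));
}

// Constructed sample policy, not taken from any real project.
const SAMPLE_POLICY = {
  bindings: [
    { role: 'roles/editor',
      members: ['serviceAccount:demo-project@appspot.gserviceaccount.com',
                'user:dev@example.com'] },
    { role: 'roles/cloudfunctions.admin', members: ['user:dev@example.com'] },
    { role: 'roles/iam.serviceAccountUser', members: ['user:dev@example.com'],
      condition: { title: 'temporary',
                   expression: 'request.time < timestamp("2030-01-01T00:00:00Z")' } },
  ],
};
```

An empty result from `missingRoles` means every listed role is bound directly; a role that appears only under `conditional` in `rolesFor` deserves a look at its condition before relying on it.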