Menu
I'm trying to use file.getSignedUrl() to get the download URL from Firebase Storage via Google Cloud Functions (Nodejs). I'm getting this error in the Cloud Functions console:
{ SigningError: A Forbidden error was returned while attempting to retrieve an access token for the Compute Engine built-in service account. This may be because the Compute Engine instance does not have the correct permission scopes specified. Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/myapp-cd94d/serviceAccounts/[email protected].
at SigningError (/user_code/node_modules/@google-cloud/storage/build/src/file.js:58:9)
at authClient.sign.then.catch.err (/user_code/node_modules/@google-cloud/storage/build/src/file.js:1019:22)
at process._tickDomainCallback (internal/process/next_tick.js:135:7) name: 'SigningError' }
I copied the code from the Add the Firebase Admin SDK to Your Server documentation. I have my serviceAccountKey.json in my functions folder. firebase deploy isn't given me the error
Error parsing triggers: Cannot find module 'serviceAccountKey.json'
so I must have the right path to my serviceAccountKey.json. I even generated a new private key, that didn't fix the problem. I have firebase-admin 6.1.0 and firebase-tools 6.1.0. Here's the relevant parts of my code:
const admin = require('firebase-admin');
var serviceAccount = require("./myapp-cd94d-firebase-adminsdk-1234x-sEcReT.json");
admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
databaseURL: "https://myapp-cd94d.firebaseio.com"
});
...
const config = {
action: 'read',
expires: '03-17-2025'
};
file.getSignedUrl(config).then(function(data) {
const url = data[0];
console.log(url);
})
.catch(function(error) {
console.error(error);
})
I saw that Doug Stevenson's answer has different code but it appears to be equivalent to the code in the documentation.
252
The answer has to do with Cloud Identity and Access Management. First, go to your Google Cloud Platform IAM & admin page. You'll see various service accounts. Look for the service account that looks like [email protected]. It should say App Engine default service account in the Name column. (If an error message referenced a different service account, find that service account.)
In the Role column, you may or not see some roles. If you're getting a SigningError message, the Role column is missing the role Service Account Token Creator. Check the checkbox to the left of [email protected] to select the service account, and then click the pencil to the right to edit it. In the next screen, click +ADD ANOTHER ROLE. Scroll down to Service Accounts, select Service Account Token Creator, and save. Now you should see Service Account Token Creator in the Roles column for App Engine default service account. Now you have permission to create signed tokens.
Next, repeat these steps and add a role for Storage Object Creator. This will allow you to run getSignedURL().
You could save alternatively assign Service Account Admin and Storage Admin, which include the Service Account Token Creator and Storage Object Creator roles respectively, plus other roles.
Now, if you instead got a SingingError message, it might be because you're warbling Bruce Springsteen's "Glory Days" out of tune. :-)
141
In my case I had enable Identity and Access Management (IAM), the url is the following one:
https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project="YOUR PROJECT NAME"
5
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
