Firebase-functions: allUsers > Cloud Functions Invoker not added to HTTP functions in Node 10 runtime
[REQUIRED] Version info
^3.0.2
node:
10
firebase-functions:
HTTP
firebase-tools:
7.4.0
[REQUIRED] Test case
Creating a new HTTP function from the cli by deploying code with firebase deploy --only functions creates a function which throws a 403 when called directly or CORS error when using firebase.functions().httpsCallable from the client
[REQUIRED] Steps to reproduce
As above
[REQUIRED] Expected behavior
The function should have 'allUsers > Cloud Functions Invoker' so it can be called from the client
[REQUIRED] Actual behavior
It doesn't have 'allUsers > Cloud Functions Invoker' and so throws a 403
Were you able to successfully deploy your functions?
Yes
timdiacon
All 5 comments
I found a few problems with this issue:
- I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
- This issue does not seem to follow the issue template. Make sure you provide all the required information.
google-oss-bot
on 28 Mar 2020
Hello, I've had the same problem today, and thought I'd chime in with my temp fix (Including issues template for clarification).
Related issues
None.
[REQUIRED] Version info
node: 10.13.0
firebase-functions: 3.0.2
firebase-tools: 7.6.1
firebase-admin: 8.8.0
[REQUIRED] Steps to reproduce
- Create a normal http cloud function. ('test')
- run cli _firebase deploy --only functions:test_
[REQUIRED] Expected behavior
For a newly deployed cloud function to have allUsers in the permissions by default.
[REQUIRED] Actual behavior
Cloud function has no Cloud Functions Invoker, meaning all access is denied.
Were you able to successfully deploy your functions?
Yes.
Temp fix:
In the cloud console functions page, select a function to show the info panel. In the permissions tab, select ADD MEMBER. In the new members field, type _allUsers_. In the roles drop down, select cloud functions, then cloud functions invoker, and save.
It actually sort of makes sense for a function to have restricted permissions when it's first created, however I'm used to the default permissions being present, so it's a bug (or new feature) that definitely threw me off. Of course this doesn't fix the underlying problem, but hope it helps.
RalphKemp
on 30 Mar 2020
You need to upgrade the CLI to >= 7.7.0, which is when we added the automatic IAM policy adjustment for newly created functions. Note that this only applies to new functions, so upgrading and redeploying won't fix already deployed functions. To fix existing functions you can use gcloud:
gcloud functions add-iam-policy-binding $FUNCTION_NAME \
--member='allUsers' \
--role='roles/cloudfunctions.invoker'
mbleigh
on 30 Mar 2020
@mbleigh Thanks for the info!
RalphKemp
on 30 Mar 2020
I'm still getting this issue:
firebase-functions: 3.6.2
firebase-tools: 8.4.1
firebase-admin: 8.12.1
I deleted my functions and then redeployed them and I am getting:
alexpchin
on 30 May 2020
Related issues
sokraflex
路
3Comments
joshdifabio
路
5Comments
soichisumi
路
6Comments
ChromeQ
路
4Comments
ahaverty
路
6Comments
Most helpful comment
I'm still getting this issue:
firebase-functions: 3.6.2
firebase-tools: 8.4.1
firebase-admin: 8.12.1
I deleted my functions and then redeployed them and I am getting: