Firebase-functions: [Error] Missing or insufficient permission & initializeApp()

Created on 1 May 2020 · 8 Comments · Source: firebase/firebase-functions

Related issues

Extend with Functions

[REQUIRED] Version info

node: 8 & 10

firebase-functions: "^3.6.1"

firebase-tools: 8.2.0 (NPM)

firebase-admin: "^8.10.0"

[REQUIRED] Test case

I already checked on both Node versions, 8 and 10.

[REQUIRED] Steps to reproduce


Set Firestore rules: Version 2

[REQUIRED] Expected behavior


Suddenly I got this Error.

[REQUIRED] Actual behavior

Top of the index.js

const functions = require('firebase-functions');

const admin = require('firebase-admin');
admin.initializeApp();

const db = admin.firestore();

Case 1

admin.auth().get...

Error fetching user data:  { Error: Credential implementation provided to initializeApp() via the "credential" property has insufficient permission to access the requested resource. See https://firebase.google.com/docs/admin/setup for details on how to authenticate this SDK with appropriate permissions.
    at FirebaseAuthError.FirebaseError [as constructor] (/srv/node_modules/firebase-admin/lib/utils/error.js:42:28)
    at FirebaseAuthError.PrefixedFirebaseError [as constructor] (/srv/node_modules/firebase-admin/lib/utils/error.js:88:28)
    at new FirebaseAuthError (/srv/node_modules/firebase-admin/lib/utils/error.js:147:16)
    at Function.FirebaseAuthError.fromServerError (/srv/node_modules/firebase-admin/lib/utils/error.js:186:16)
    at /srv/node_modules/firebase-admin/lib/auth/auth-api-request.js:1360:49
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
  errorInfo: 
   { code: 'auth/insufficient-permission',
     message: 'Credential implementation provided to initializeApp() via the "credential" property has insufficient permission to access the requested resource. See https://firebase.google.com/docs/admin/setup for details on how to authenticate this SDK with appropriate permissions.' },
  codePrefix: 'auth' }

Case 2

Using Firestore

{ Error: 7 PERMISSION_DENIED: Missing or insufficient permissions.
    at Object.callErrorFromStatus (/srv/node_modules/@grpc/grpc-js/build/src/call.js:30:26)
    at Http2CallStream.call.on (/srv/node_modules/@grpc/grpc-js/build/src/client.js:96:33)
    at emitOne (events.js:121:20)
    at Http2CallStream.emit (events.js:211:7)
    at process.nextTick (/srv/node_modules/@grpc/grpc-js/build/src/call-stream.js:97:22)
    at _combinedTickCallback (internal/process/next_tick.js:132:7)
    at process._tickDomainCallback (internal/process/next_tick.js:219:9)
  code: 7,
  details: 'Missing or insufficient permissions.',
  metadata: Metadata { internalRepr: Map {}, options: {} },
  note: 'Exception occurred in retry method that was not classified as transient' }

Were you able to successfully deploy your functions?


Success

needs-triage

All 8 comments

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

Hi YBHwang, without more detailed information it's hard to tell exactly what the cause of this could be.

You say you were able to successfully deploy your functions, so is this occurring only when you emulate the functions?

What are your Firestore rules currently?

Some documents that could be helpful potentially:
https://firebase.google.com/docs/admin/setup#add-sdk
https://firebase.google.com/docs/functions/local-emulator#set_up_admin_credentials_optional

Case 1

Problem caused by the added external dependency.

The package relies on request, but has been deprecated, which ultimately seems to affect the entire function. So after uninstalling the package in question and deleting the associated function, we redeployed the whole, not a single function distribution.

Finally, I solved the admin credential problem with initializeApp()

Case 2

Problem caused by the IAM role.

Cloud Functions use App Engine default service account
→ [PROJECT_ID].appspot.gserviceaccount.com

I'm not sure why this suddenly happened, but I resolved it by granting the role of the Firebase Admin SDK admin service agent.

I was able to solve this following @YBHwang's Case 2 instructions. I'm also intrigued about this suddenly happening; this problem emerged once I was deploying a mirror instance of a running and working app. That app doesn't have the Firebase Admin SDK admin service agent role assigned to [PROJECT_ID].appspot.gserviceaccount.com

Thanks for the updates! Closing since it sounds like this issue is resolved.

I have CASE 2 as well.

Somehow my cloud functions, even though I did:

admin.initializeApp()

were using the [email protected] (App Engine default) Service Account instead of the Firebase Admin Service Account...

Here you can see that my Firebase Admin Service Role is never used:

Screenshot 2020-07-19 00 18 22

Attempted solution 1

I added the Firebase Admin SDK role to the [email protected] Service Role, but I still get permission errors, even with this:

Screenshot 2020-07-19 00 19 38

Solution attempt 2

I tried the thing with the export GOOGLE_APPLICATION_CREDENTIALS and the settings like so:

admin.initializeApp({
  credential: admin.credential.applicationDefault(),
  databaseURL: 'https://colorfulcasting-22977.firebaseio.com',
})

but it still uses the App Engine default Service Account....

Working Solution:

I added these roles to the App Engine default service account:

  • Firebase Admin SDK Administrator Service Agent
  • Service Account Token Creator

Then it worked.

Is this dangerous though?

@mesqueeb By default, all functions run with the identity of the App Engine default service account. If you would like to change this behavior to use a different service account, you can do so by following these instructions: https://cloud.google.com/functions/docs/securing/function-identity#deploying_a_new_function_with_a_non-default_identity .
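
Added example (not part of the thread and not Firebase's own code): a check for the question raised above about granting roles to the App Engine default service account that all functions share by default. It lists the roles that account holds in a project IAM policy; the policy, the project ID `example-project` and the set of roles treated as broad are constructed assumptions.

```javascript
// Added example. SAMPLE_POLICY is constructed; it has the shape of
// `gcloud projects get-iam-policy PROJECT_ID --format=json` output.
const SAMPLE_POLICY = {
  bindings: [
    { role: 'roles/firebase.sdkAdminServiceAgent',
      members: ['serviceAccount:example-project@appspot.gserviceaccount.com'] },
    { role: 'roles/iam.serviceAccountTokenCreator',
      members: ['serviceAccount:example-project@appspot.gserviceaccount.com',
                'user:dev@example.com'] },
    { role: 'roles/datastore.user',
      members: ['serviceAccount:orders-fn@example-project.iam.gserviceaccount.com'] },
  ],
};

// Roles to review when held by an identity that every function shares.
// This list is the example's own choice, not an official classification.
const BROAD_ROLES = new Set([
  'roles/owner',
  'roles/editor',
  'roles/firebase.sdkAdminServiceAgent',
  'roles/iam.serviceAccountTokenCreator',
]);

// IAM member string of the App Engine default service account.
function defaultIdentity(projectId) {
  return `serviceAccount:${projectId}@appspot.gserviceaccount.com`;
}

// Every role bound to the default identity, flagged if broad or conditional.
function auditDefaultIdentity(policy, projectId) {
  const member = defaultIdentity(projectId);
  return (policy.bindings || [])
    .filter((b) => (b.members || []).includes(member))
    .map((b) => ({
      role: b.role,
      broad: BROAD_ROLES.has(b.role),
      conditional: Boolean(b.condition),
    }));
}

// Broad roles held by any function that runs as the default identity.
function sharedBroadRoles(policy, projectId) {
  return auditDefaultIdentity(policy, projectId)
    .filter((r) => r.broad)
    .map((r) => r.role);
}

console.log(sharedBroadRoles(SAMPLE_POLICY, 'example-project'));
```

A role that shows up here is held by every function left on the default identity; a function deployed with its own service account, as in the linked instructions, only holds what that account is granted.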
