Google-cloud-node: Urgent: Firebase file upload not working

Created on 20 Jun 2016 · 21Comments · Source: googleapis/google-cloud-node

As showed in npm/firebase, _Server side Firebase npm module is not support. Instead, you can use the gcloud Node.js client_ .

///////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////

var gcloud = require('gcloud');

var gcs = gcloud.storage({
  projectId: 'firebase-project',
  keyFilename: 'firebase-key.json'
});

var bucket = gcs.bucket('petertest-25efd.appspot.com');

bucket.upload('/photos/zoo/zebra.jpg', function(err, file) {
  if (!err) {
    // "zebra.jpg" is now in your bucket. 
  }
});

///////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////

This is the error:

{ [ApiError: Forbidden]
  code: 403,
  errors: [ { domain: 'global', reason: 'forbidden', message: 'Forbidden' } ],
  response: undefined,
  message: 'Forbidden' }

question storage

Source

wahengchang

Most helpful comment

Comment 9 above shows the bucket permissions, and your service account should be added as an owner/editor of the projectid.appspot.com bucket (depending on how you configured the service account it may or may not be that way). You'll need it on both the default bucket ACLs as well as the default object ACLs.

The docs on service accounts for GCS buckets are here: https://cloud.google.com/storage/docs/authentication#service_accounts but might not be terribly helpful.

asciimike on 25 Jul 2016

👍2

All 21 comments

Where did you get firebase-key.json?

stephenplusplus on 20 Jun 2016

Also - does the service account inside firebase-key.json have access to the bucket you're trying to access?

jgeewax on 20 Jun 2016

👍1

I am a user of gcloud for a year, and my upload server have been runing for 6-8month. I did the same as what I did before in google storage, 1- create bucket , 2- create service account and generate key.json , 3- add to node.js project

Creating service account:

How the firebase-key.json is generated, after firebase-key.json is generated and will look like .

How the firebase-key.json is generated.

The content of firebase-key.json.

_THank a lot_

wahengchang on 21 Jun 2016

Any ideas @jgeewax?

stephenplusplus on 22 Jun 2016

It might be interesting to know what is the role of peter-2 for the petertest-25efd project. (You should be able to see that at https://console.cloud.google.com/iam-admin/iam). And what are the ACLs for the petertest-25efd.appspot.com bucket (here you can get information on how to retrieve ACLs for a bucket).

mziccard on 22 Jun 2016

Can you see the bucket when you browse the storage browser? If so, can you look at the ACLs and make sure that the service account you created has the "Owner" permission on the bucket?

jgeewax on 22 Jun 2016

Any update ? I noticed the issue had "Urgent" in it, so hoping to help get this resolved quickly!

jgeewax on 23 Jun 2016

Hi @mziccard and @jgeewax , because of the deadline, our team decided to use the regular google cloud storage, which we are familiar with and usable. And it will be great to have a config tutorial of storage and firebase, would be very helpful

Thank you

wahengchang on 25 Jun 2016

@mcdonamp -- Can you test this out? Seems weird that things wouldn't work right out of the box....

jgeewax on 25 Jun 2016

Firebase Storage is out of the box compatible with Google Cloud Storage, so I'm not really sure why this isn't working.

In your initialization, I assume you replaced everything appropriately:

var gcs = gcloud.storage({
  projectId: 'petertest-25efd',
  keyFilename: 'path/to/your/key.json'
});

Is this a GCP project that you imported to Firebase, or a Firebase project that you created and are now trying to access via GCP?

asciimike on 27 Jun 2016

1 - created a project and bucket in firebase
2 - go to console,
3 - create service-account and download json file
4 - put it in nodejs project
5 - run

should the project created by firebase behave as same as project create on google cloud storage ?

wahengchang on 27 Jun 2016

as my observation, their service-key.json is slightly different:

===================== below is service-key.json generated by google project=============

{
  "private_key_id": "******",
  "private_key": "******",
  "client_email": "******",
  "client_id": "******",
  "type": "service_account"
}

=============== below is service-key.json generated by firebase google project=============

{
  "type": "service_account",
  "project_id": "******",
  "private_key_id": "******",
  "private_key": "******",
  "client_email":  "******",
  "client_id":  "******",
  "auth_uri":  "******",
  "token_uri":  "******",
  "auth_provider_x509_cert_url":  "******",
  "client_x509_cert_url":  "******",
}

wahengchang on 27 Jun 2016

Yes, a Firebase project is also a Google Cloud project, so everything should be interoperable. I have used service-key.json from GCP land, I've never tried the Firebase service-key.json. Try the GCP generated one and see if that works?

asciimike on 27 Jun 2016

That s what I did, there is not a way to generate _service-key.json_ inside firebase console.

My way is open google cloud console, and select the firebase project, then generate the _service-key.json_

wahengchang on 27 Jun 2016

To confirm: both service account keys give the 403? Additionally, you're initializing the bucket with the correct project and key?

asciimike on 27 Jun 2016

I'm going to close as this doesn't seem like a gcloud-node bug. Feel free to keep discussing if the problem is still not resolved.

stephenplusplus on 6 Jul 2016

i have this exact same issue... not sure where to log it since you are closing it here... @stephenplusplus @mcdonamp - should this be raised as an issue in Firebase ?

The project is a new Firebase project that I am trying to access the storage assets from a node.js application. I created the service-account.json using the steps described above

I did a simple test of manually creating a bucket in the google console and it works fine, but the buckets created by firebase do not work so is this a firebase issue or a google cloud API issue

aaronksaunders on 25 Jul 2016

The best place to route it is probably the Firebase Support channel, where we can triage it. I'm very surprised that the default App Engine bucket (projectid.appspot.com) doesn't work with the service account you created, since I've never had a problem with this. It's possible that the service account you have isn't attached to that bucket, which is why it's failing?

asciimike on 25 Jul 2016

@mcdonamp that is quite possible since I have never worked with Google Cloud directly but I have gone into the specific project and created the service account...

_"service account you have isn't attached to that bucket"_

If there is something specific I need to do to make that happen, I cannot find those instructions in any documentation, is it possible I am missing a step

aaronksaunders on 25 Jul 2016

The docs on service accounts for GCS buckets are here: https://cloud.google.com/storage/docs/authentication#service_accounts but might not be terribly helpful.

asciimike on 25 Jul 2016

👍2

I faced the same issue while developing on a GCE instance and found a fix. It seems that some permissions are missing from the *.appspot.com bucket. Here is what I added for this to work:

On a newly created *.appspot.com bucket the editors-xxxxx and viewers-xxxxx permissions were missing on the bucket permissions and all owners-xxxxx, editors-xxxxx and viewers-xxxxx permissions were missing on the object default permissions.

You need all these on both the bucket permissions and the object default permissions:

PS: Obviously you need to adapt the number suffix of owners-, editors- and viewers-, don't use the ID on these screenshots 😄 (I think this must match the numerical ID of your Google Cloud project).

@mcdonamp I filed a bug internally to ask for the *.appspot.com bucket to automatically get these permissions set on bucket creation.