
javascript - Permission denied in firebase cloud functions - Stack Overflow

In a Firebase cloud function I am getting access denied on admin-firebase on read or write to the realtime database. This https://github.com/firebase/firebase-functions/issues/16 does not solve my problem; App Engine default service account rights are set to Editor.

I also have Node.js admin sdk configured with service Account Key and there everything works as expected.

I have set default security rules in db.

This is an example function

const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp(functions.config().firebase);
admin.database.enableLogging(true);

// event fires properly
exports.sendNotif = functions.database.ref('/messages/{roomId}/{msgKey}')
    .onWrite(event => {
        const message = event.data.val().text;
        // this executes as expected
        console.log(message);

        // here I am getting access denied and consequently function timeout after 60 seconds.
        return admin.database().ref('/userFCMTokens').once('value')
            .then(snap => console.log(snap.val()));
    });

and here is log snippet from firebase realtime db

Realtime connection established.  
2017-06-08T15:19:03.168Z I sendNotif: p:0: connection ready  
2017-06-08T15:19:03.168Z I sendNotif: p:0: {"r":28,"a":"gauth","b":{"cred":"********************"}}  
2017-06-08T15:19:03.169Z I sendNotif: p:0: Listen on /userFCMTokens for default  
2017-06-08T15:19:03.169Z I sendNotif: p:0: {"r":29,"a":"q","b":{"p":"/userFCMTokens","h":""}}  
2017-06-08T15:19:03.538Z I sendNotif: p:0: from server: {"r":28,"b":{"s":"permission_denied","d":"Access denied."}}  
2017-06-08T15:19:03.538Z I sendNotif: Auth token revoked: permission_denied/Access denied. 
2017-06-08T15:19:03.538Z I sendNotif: c:0:13: Closing realtime connection.  
2017-06-08T15:19:03.538Z I sendNotif: c:0:13: Shutting down all connections  
2017-06-08T15:19:03.538Z I sendNotif: c:0:13:0 WebSocket is being closed 

Here without logging on realtime db for brevity:

2017-06-08T15:26:23.164035495Z D sendNotif: Function execution started
2017-06-08T15:26:23.164076543Z D sendNotif: Billing account not configured. External network is not accessible and quotas are severely limited. Configure billing account to remove these restrictions
2017-06-08T15:26:23.539Z I sendNotif: message console logged
2017-06-08T15:27:23.165321703Z D sendNotif: Function execution took 60002 ms, finished with status: 'timeout'

Why can’t I read and write using admin in cloud functions?

asked Jun 8, 2017 at 16:18 by Filip P.; edited Jun 8, 2017 at 16:22 by Frank van Puffelen
  • May I ask why you are using the Firebase Admin SDK instead of using event.data.adminRef.root and then building the path to '/userFCMTokens'? – Jen Person Commented Jun 8, 2017 at 16:39
  • I am following this example, github.com/firebase/functions-samples/blob/master/…. I'll try doing as you suggest. – Filip P. Commented Jun 8, 2017 at 16:49
  • I see! Well, this doesn't address why you are getting the permission_denied error, but I would recommend trying event.data.adminRef.root instead of admin.database.ref(). – Jen Person Commented Jun 8, 2017 at 16:59
  • Can you achieve the same behavior with a new project on the latest SDKs? This looks like a project-specific error, similar to issues I see when an old project needs to be upgraded from alpha/beta. – Kato Commented Jun 8, 2017 at 17:34
  • On a new project everything works fine. The project where I get this behaviour was created about 4 months ago. But the cloud functions were created lately, with npm dependencies "firebase-admin": "~4.2.1", "firebase-functions": "^0.5.7", – Filip P. Commented Jun 8, 2017 at 18:21
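The debug log in the question already shows which step was refused: replies carry the same "r" id as the request they answer, and the permission_denied reply is for r:28, the gauth credential frame, not for the r:29 query on /userFCMTokens. The sketch below is an added example, not part of the original post, that does this pairing over log lines constructed from the ones quoted above. It assumes successful replies carry the status string "ok".

```javascript
// Added example: pair Realtime Database debug-log requests with server replies.
// LOG is constructed from the lines quoted in the question (timestamps trimmed).
const LOG = [
  'I sendNotif: p:0: {"r":28,"a":"gauth","b":{"cred":"********************"}}',
  'I sendNotif: p:0: Listen on /userFCMTokens for default',
  'I sendNotif: p:0: {"r":29,"a":"q","b":{"p":"/userFCMTokens","h":""}}',
  'I sendNotif: p:0: from server: {"r":28,"b":{"s":"permission_denied","d":"Access denied."}}',
];

// Extract the JSON frame of a log line, or null for free-text lines.
function parseFrame(line) {
  const start = line.indexOf('{');
  if (start === -1) return null;
  try {
    return { fromServer: line.includes('from server:'), msg: JSON.parse(line.slice(start)) };
  } catch (e) {
    return null; // truncated or non-JSON payload
  }
}

// Return every non-"ok" reply joined with the request that has the same "r" id.
function findDenials(lines) {
  const requests = new Map();
  const denials = [];
  for (const line of lines) {
    const frame = parseFrame(line);
    if (!frame || typeof frame.msg.r !== 'number') continue;
    const { fromServer, msg } = frame;
    if (!fromServer) {
      requests.set(msg.r, { action: msg.a, path: (msg.b && msg.b.p) || null });
      continue;
    }
    const status = msg.b && msg.b.s;
    if (status && status !== 'ok') { // "ok" as the success status is an assumption
      const req = requests.get(msg.r) || { action: 'unknown', path: null };
      // In the quoted log, "gauth" carries the credential and "q" is the listen on a path.
      const stage = req.action === 'gauth' ? 'credential' : 'data-access';
      denials.push({ id: msg.r, action: req.action, path: req.path, status, stage });
    }
  }
  return denials;
}

console.log(findDenials(LOG));
```

A denial at the credential stage means the service account token itself was rejected before any path was read, so changing the database security rules would not affect the outcome.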

3 Answers


Try checking permission for “App Engine default service account” on https://console.cloud.google.com/iam-admin/iam/project, and ensure that it says “Editor”.

I needed anyone from my app to be able to use a callable HTTPS function, so I had to assign All users the Cloud Functions Invoker permission on the specific function in GCP.

Firebase/GCP circa mid-2022 now has clear information in the documentation:

Firebase Develop Admin         Full read/write access to:
roles/firebase.developAdmin    Google Analytics
                               Firebase App Check
                               ...
                               Cloud Functions for Firebase
                                  (deploying functions requires special configuration)
                               Firebase ML

The special configuration leads to the detail of roles to add to a plain Editor: roles/cloudfunctions.admin and roles/iam.serviceAccountUser. Alternatives are also suggested, like delegating to an Owner, but adding the roles is most likely minimal and more secure.
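The three answers above each name an IAM binding to check. The sketch below is an added example, not code from any of the answers, that audits a policy object in the JSON shape returned by `gcloud projects get-iam-policy --format=json` for all three. The project id, the deployer address and the sample policy are constructed values.

```javascript
// Added example: audit an IAM policy for the bindings the answers mention.
// POLICY, 'example-project' and the deployer address are constructed sample values.
const POLICY = {
  bindings: [
    { role: 'roles/viewer', members: ['serviceAccount:example-project@appspot.gserviceaccount.com'] },
    { role: 'roles/firebase.developAdmin', members: ['user:deployer@example.com'] },
    { role: 'roles/cloudfunctions.admin', members: ['user:deployer@example.com'] },
    { role: 'roles/cloudfunctions.invoker', members: ['allUsers'] },
  ],
};

const PUBLIC = ['allUsers', 'allAuthenticatedUsers'];
const DEPLOY_ROLES = ['roles/cloudfunctions.admin', 'roles/iam.serviceAccountUser'];

// Collect every role bound to one member.
function rolesOf(policy, member) {
  return new Set((policy.bindings || [])
    .filter(b => (b.members || []).includes(member))
    .map(b => b.role));
}

function auditPolicy(policy, projectId, deployer) {
  const findings = [];

  // Answer 1: the App Engine default service account is expected to hold Editor.
  const runtimeSa = `serviceAccount:${projectId}@appspot.gserviceaccount.com`;
  if (!rolesOf(policy, runtimeSa).has('roles/editor')) findings.push('runtime-sa-not-editor');

  // Answer 3: a non-Owner deployer needs both extra roles to deploy functions.
  const held = rolesOf(policy, deployer);
  if (!held.has('roles/owner')) {
    for (const role of DEPLOY_ROLES) {
      if (!held.has(role)) findings.push(`deployer-missing:${role}`);
    }
  }

  // Answer 2: list every binding that is open to public principals, so each
  // one can be confirmed as intentional.
  for (const b of policy.bindings || []) {
    for (const m of b.members || []) {
      if (PUBLIC.includes(m)) findings.push(`public:${b.role}:${m}`);
    }
  }
  return findings;
}

console.log(auditPolicy(POLICY, 'example-project', 'user:deployer@example.com'));
```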
