2

Using firebase-tools v3.18.6, I have 3 different projects in my account simulating dev/qa/prod environments. Deploying to dev and qa works just fine, but deploying to the 3rd project fails with the following debug output (masked possible sensitive info):

firebase --debug --project=prod deploy --only functions
... lots of debug output ...
[2018-06-13T15:36:07.954Z] <<< HTTP RESPONSE 403 x-guploader-uploadid=AEnB2UoLPpYzpkSxyI2w-TCcJeZX8XvBvId1gEIMX1yoTBLqhEyNTR7whmnMV7z9gyVZ14T6QZj9I4GBXjBm_bj_FWgyc-v6hynRxROPl1sIQh_O1d8UWq0, content-type=application/xml; charset=UTF-8, content-length=297, vary=Origin, date=Wed, 13 Jun 2018 15:36:07 GMT, server=UploadServer, alt-svc=quic=":443"; ma=2592000; v="43,42,41,39,35", connection=close
[2018-06-13T15:36:07.955Z] <<< HTTP RESPONSE BODY <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>service-XXXXXXXXXXX@gcf-admin-robot.iam.gserviceaccount.com does not have storage.objects.create access to gcf-upload-us-central1-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX.</Details></Error>

I have already followed the google cloud docs and made sure that:

  1. All needed apis are enabled
  2. The robot's service account has the CloudFunctions.ServiceAgent role
  3. I have editor/owner privileges on the project

Proof:

$ gcloud services list --project=prod | grep functions
cloudfunctions.googleapis.com        Cloud Functions API
$ gcloud projects get-iam-policy prod | grep -B1 -A1 gcf
- members:
  - serviceAccount:service-XXXXXXXXXXX@gcf-admin-robot.iam.gserviceaccount.com
  role: roles/cloudfunctions.serviceAgent
$ gcloud projects get-iam-policy prod | grep -B1 -A1 jorgeg
- members:
  - user:jorgeg@company.com
  role: roles/owner

At this point I am fairly convinced something went wrong internally when enabling the firebase functions apis on my project, but want to know if someone has seen this same issue before I upgrade my support level.

TIA

Jorge Gallegos
  • 23
  • 2

2 Answers2

3

We had the same problem and solved it by:

  1. Creating a bucket in the gcloud storage, called foo
  2. Deploy a function with gcloud beta using that bucket:

gcloud beta functions deploy myFunction --trigger-http --stage-bucket foo

  1. That fixes the permissions, then the regular firebase deploy starts to work
Tuomas Huhtanen
  • 46
  • 1
0

I can't recall if that's the exact same error message as I received, but I think I experienced something similar - I know it was related to Cloud Functions. I remember mine was something related to the service accounts not having permission, or maybe even not existing at all. Unfortunately, I was unable to solve it (I was too lazy to reach out to Firebase support).

In my situation, I got lucky that it was the development environment, so no one cared if I trashed it and made a new one. I exported my database, deleted the problematic project, and started with a fresh Firebase project... and that fixed it. I'm not sure if that's an option for you since you said it's your production that's failing, if others will care if you trash & restart.

JeremyW
  • 5,157
  • 6
  • 29
  • 30