6

I have an HTTP onCall cloud function which I want to return a signedURL to allow me to upload a file to a cloud storage bucket (previous question).

It keeps telling me permission is denied, but I can't see where the problem could be. The function GCPSecureURL is set to Allow unauthenticated, and StorageAdmin is set to all users.

A service account also has access to StorageAdmin on the bucket, because a pub/sub subscribes to the event when a file is uploaded to the bucket and triggers a pdf conversion service.

Why can't I get the signedURL back from the function?

Right now the promise is pending, then the console logs a POST 500 error. The logs for the function say "Unhandled error { Error: The caller does not have permission ...".

Davtho1983
  • 2
    This [thread](https://stackoverflow.com/questions/62479994/the-caller-does-not-have-permission-when-attempting-to-use-google-cloud-storage) looks very similar although it concerns Cloud Run. Try adding "Service Account Token Creator" role to your service account. – Emil Gi Jul 14 '20 at 11:33
  • I was confused tho - it looks like you can't upload new files at all with signedURL because it doesn't accept POST - yet the example I've been trying to adapt specifically is for uploading? Has this changed since signedURLs were implemented? – Davtho1983 Jul 14 '20 at 18:35
  • 1
    I don't think anything changed, you should still be able to upload files. Can you elaborate more on how you are performing the upload and what error you get? Also check [this](https://cloud.google.com/storage/docs/access-control/signed-urls#signing-resumable) – Emil Gi Jul 15 '20 at 07:11
  • OK I added Service Account Token Creator role to the correct service account and it now works - thank you so much! – Davtho1983 Jul 15 '20 at 11:58

1 Answer

15

I was also getting the Service Account Token Creator error when calling file.getSignedUrl().

I fixed it by visiting the IAM Permissions page for my Firebase project and editing the App Engine default service account to have the Service Account Token Creator role.

cgenco
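
As an added example (not code from the question or the answer): a dependency-free Node.js check over exported IAM policy JSON that reports whether the function's runtime service account holds Service Account Token Creator, the role the answer grants, and flags public write or admin bindings on the bucket such as the all-users Storage Admin grant the question mentions. The function names, finding codes and sample policies are constructed for illustration; real input could come from `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gsutil iam get gs://BUCKET`.

```javascript
// Added example: offline audit of exported IAM policies (constructed data below).
// Standard IAM policy shape: { bindings: [{ role, members: [...] }] }.
const TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator";
const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);
const WRITE_ROLES = new Set([
  "roles/storage.admin",
  "roles/storage.objectAdmin",
  "roles/storage.objectCreator",
]);

// Hypothetical helper: all members bound to `role` in a policy.
function membersWithRole(policy, role) {
  return (policy.bindings || [])
    .filter((b) => b.role === role)
    .flatMap((b) => b.members || []);
}

// runtimeSa is the email of the service account the function runs as.
function auditSignedUrlSetup(projectPolicy, bucketPolicy, runtimeSa) {
  const findings = [];
  const member = `serviceAccount:${runtimeSa}`;
  // Without a local private key, URL signing goes through the IAM signBlob API,
  // which the Service Account Token Creator role permits.
  if (!membersWithRole(projectPolicy, TOKEN_CREATOR).includes(member)) {
    findings.push({ code: "MISSING_TOKEN_CREATOR", member, role: TOKEN_CREATOR });
  }
  // Public principals with write/admin roles make the signed URL's scoping moot.
  for (const b of bucketPolicy.bindings || []) {
    for (const m of b.members || []) {
      if (PUBLIC_MEMBERS.has(m) && WRITE_ROLES.has(b.role)) {
        findings.push({ code: "PUBLIC_WRITE_ACCESS", member: m, role: b.role });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the question: no Token Creator, public Storage Admin.
const runtimeSa = "example-project@appspot.gserviceaccount.com";
const projectPolicy = {
  bindings: [{ role: "roles/editor", members: [`serviceAccount:${runtimeSa}`] }],
};
const bucketPolicy = {
  bindings: [
    { role: "roles/storage.admin", members: ["allUsers", `serviceAccount:${runtimeSa}`] },
  ],
};
console.log(auditSignedUrlSetup(projectPolicy, bucketPolicy, runtimeSa));
```

A signed URL already gives the uploader scoped, time-limited write access, so the bucket needs no public binding for this flow.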