3

I'm getting an error in the firebase console functions log when calling a firebase HTTP function that tries to create a task.

Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource "projects/my-gcloud-project-id/locations/us-central1/queues/myqueuename" (or the resource may not exist).

Maybe I'm confused between the gcloud id & location versus the firebase id & location?

EDIT: I have confirmed my location is us-central1 by running gcloud --project my-gcloud-project-id tasks locations list

Or maybe somehow I need to set up permissions?

My code:

```javascript
const functions = require('firebase-functions');
const { CloudTasksClient } = require('@google-cloud/tasks');

const projectId = 'my-firebase-project-id';
const location = 'us-central1';
const queue = 'myqueuename';

exports.onFormSubmit = functions.https.onRequest(async (req, res) => {
  const tasksClient = new CloudTasksClient();
  // Note: the queue path is built with the gcloud project id, not `projectId` above.
  const queuePath = tasksClient.queuePath('my-gcloud-project-id', location, queue);

  const url = `https://google.com/`; // edited for stack overflow
  const delaySeconds = 5;
  console.log('delaying for ', delaySeconds, ' seconds');

  const task = {
    httpRequest: {
      httpMethod: 'POST',
      url,
      body: '',
      headers: {
        'Content-Type': 'application/json',
      },
    },
    // scheduleTime is an absolute Unix timestamp, not a relative delay.
    scheduleTime: {
      seconds: Math.floor(Date.now() / 1000) + delaySeconds,
    },
  };

  const [response] = await tasksClient.createTask({ parent: queuePath, task });

  console.log('task name', response.name);
  // Respond so the HTTP request does not hang until the function times out.
  res.status(200).send(response.name);
});
```

Andrew Stromme

2 Answers

7

In order to create a Google Task you have to add the correct permissions in IAM. In this case, as the error message is showing, you have to add the cloudtasks.tasks.create permission to the service account that is invoking the Cloud Function.

This can be done by going into the Cloud Console and then into IAM, searching for the service account, which is usually something like service-project-number@gcf-admin-robot.iam.gserviceaccount.com (update: it was my-project-id@appspot.gserviceaccount.com), and adding the required permission. If you use role-based permissions, Cloud Tasks Enqueuer should be enough to create the tasks.

Emmanuel
  • Thanks, I added that role to my gcf-admin-robot service account, and still get the same error. Any idea how I can diagnose if this is still a permissions issue versus me not having the cloud task queue resource name correct? – Andrew Stromme Aug 06 '20 at 00:57
  • I tried using https://console.cloud.google.com/iam-admin/troubleshooter with //cloudresourcemanager.googleapis.com/projects/my-gcloud-project-id and cloudtasks.tasks.create and got a green checkmark: access granted. So maybe somehow I'm specifying the resource name wrong? – Andrew Stromme Aug 06 '20 at 01:02
  • Both are possible. The best approach is to review all the service accounts that are being [used from Firestore](https://firebase.google.com/support/guides/service-accounts) and add the role `Cloud Tasks Enqueuer`. You can view all service accounts associated with your project in the [Service accounts](https://console.firebase.google.com/u/0/project/_/settings/serviceaccounts) tab of your settings > Project Settings in the Firebase console. – Emmanuel Aug 06 '20 at 23:41
  • Thank you @Emmanuel! Following up here, my problem ended up being that I had two google cloud projects with similar names and I was getting confused between them. See https://stackoverflow.com/questions/63305239/google-cloud-policy-troubleshooter-says-service-account-doesnt-have-permissions – Andrew Stromme Aug 07 '20 at 16:09
  • Thank you for the follow up @astromme, could you add which was the sanitized name of the SA that you added the permissions? – Emmanuel Aug 07 '20 at 16:56
  • I added the permissions to my-project-id@appspot.gserviceaccount.com – Andrew Stromme Aug 08 '20 at 18:43
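An added diagnostic helper, not from the question or either answer, for the "permissions versus wrong resource name" question raised in the comments above. It parses the queue resource out of the PERMISSION_DENIED message quoted in the question, compares it with the project, location and queue the function meant to target (the `expected` object is a constructed sample), and also shows how to turn a relative delay into the absolute `scheduleTime` that Cloud Tasks expects.

```javascript
// Matches the resource name shape quoted in the question's error message.
const QUEUE_RE = /resource "projects\/([^/]+)\/locations\/([^/]+)\/queues\/([^/"]+)"/;

// Build the queue resource name the same way CloudTasksClient.queuePath() does.
function buildQueuePath(projectId, location, queue) {
  return `projects/${projectId}/locations/${location}/queues/${queue}`;
}

// Pull project / location / queue out of a PERMISSION_DENIED message.
// Returns null when the message names no Cloud Tasks queue resource.
function parseDeniedResource(message) {
  const m = QUEUE_RE.exec(message);
  if (!m) return null;
  return { projectId: m[1], location: m[2], queue: m[3] };
}

// Compare what the error names against what the function intended to target.
// `expected` is { projectId, location, queue } as configured in the function.
// Returns human-readable findings for the function log.
function diagnosePermissionError(message, expected) {
  const denied = parseDeniedResource(message);
  if (!denied) return ['error message does not name a Cloud Tasks queue resource'];
  const findings = [];
  for (const key of ['projectId', 'location', 'queue']) {
    if (denied[key] !== expected[key]) {
      findings.push(`${key} mismatch: request went to "${denied[key]}" but expected "${expected[key]}"`);
    }
  }
  if (findings.length === 0) {
    // Name is right, so it really is IAM: the runtime service account needs
    // roles/cloudtasks.enqueuer on the project that owns the queue.
    findings.push('resource name matches; grant roles/cloudtasks.enqueuer to the runtime service account');
  }
  return findings;
}

// Cloud Tasks scheduleTime is an absolute Unix timestamp, not a delay.
// nowMs is injectable so the conversion can be tested deterministically.
function scheduleTimeFromDelay(delaySeconds, nowMs = Date.now()) {
  return { seconds: Math.floor(nowMs / 1000) + delaySeconds };
}

// Constructed sample: the message from the question and the ids its code uses.
const SAMPLE_ERROR = 'Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource "projects/my-gcloud-project-id/locations/us-central1/queues/myqueuename" (or the resource may not exist).';
const SAMPLE_EXPECTED = { projectId: 'my-firebase-project-id', location: 'us-central1', queue: 'myqueuename' };

console.log(diagnosePermissionError(SAMPLE_ERROR, SAMPLE_EXPECTED).join('\n'));
```

With the question's values the helper reports a projectId mismatch, which is the two-similarly-named-projects confusion the asker eventually found.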
1

To get tasks working from a function, you need to add four roles to the firebase-adminsdk-*****@my-project-id.iam.gserviceaccount.com principal: Cloud Functions Admin, Cloud Tasks Admin, Cloud Tasks Queue Admin and Service Account User. With anything short of those four roles, triggering a task function from another function will not work. Technically you could add just the Editor role, but that adds way more permissions than needed.

Google's documentation on this is a disaster.