
The error

```
Error: The caller does not have permission
at Gaxios._request (/workspace/node_modules/gaxios/build/src/gaxios.js:127:23)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Compute.requestAsync (/workspace/node_modules/google-auth-library/build/src/auth/oauth2client.js:343:18)
at async GoogleAuth.sign (/workspace/node_modules/google-auth-library/build/src/auth/googleauth.js:628:21)
at async sign (/workspace/node_modules/@google-cloud/storage/build/src/signer.js:97:35)
```

What I've tried

I've tried updating IAM roles. From the firebaseSA.json file it looks like the associated email has these roles: Firebase Admin SDK Administrator Service Agent, Service Account Token Creator, Pub/Sub Publisher, Storage Admin.

Additional info

Earlier it threw the following error and I enabled this API:

Error: IAM Service Account Credentials API has not been used in project <PROJECT_NUM> before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/iamcredentials.googleapis.com/overview?project=<PROJECT_NUM> then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

Code

```js
exports.getSignedUrl = async function (gsUri) {
  // explode() is a helper that is not shown in the question
  const [bucket, path, filename] = explode(gsUri);
  console.log('requesting signed url from ', bucket, path, filename);
  const signedUrl = await storage
    .bucket(bucket)
    .file(`${path}/${filename}`)
    .getSignedUrl({
      expires: Date.now() + 24 * 60 * 60 * 1000, // 1 day
      action: 'read',
    });
  console.log('Signed url: ', signedUrl);
  // getSignedUrl() resolves to an array; element 0 is the URL string
  return signedUrl[0];
};

async function retrieveUrl(req, res){
  console.log('==== /api Called');
  const { gsUri } = req.body;
  console.log('==== getting signed url ');
  const url = await getSignedUrl(gsUri);
  console.log('==== done');
}
```

And index.ts has the following code:

```ts
export const api = functions.https.onRequest((req: any, res: any) => {
  cors(req, res, async () => {
    return await retrieveUrl(req, res);
  });
});
```

And the storage is set up with `admin.initializeApp().storage()`, with `GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json`.

Ben
  • If you run your application with another Service account that has all possible Cloud Storage permissions, does it work? If yes, it would mean that your current Service requires additional permissions to execute the function. You can check what permissions to give in the [Cloud Storage IAM Roles](https://cloud.google.com/storage/docs/access-control/iam-roles). – Farid Shumbar Mar 05 '21 at 16:11
  • This answer might help: [Service Account Token Creator](https://stackoverflow.com/a/66054930/1314830) – Quins Mar 26 '22 at 09:46
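
The `Compute.requestAsync` frame under `GoogleAuth.sign` in the stack trace above indicates that the bytes were sent to the IAM `signBlob` call using metadata-server credentials, so the roles that count are those of the account the function runs as, which can differ from the account in the key file. The sketch below is an added example, not part of the original question: the two e-mail addresses, the policy and the function names are constructed assumptions, and only the predefined Service Account Token Creator role is checked (custom roles are ignored).

```javascript
// Added example, not the asker's code. Emails and policy are constructed.
const TOKEN_CREATOR = 'roles/iam.serviceAccountTokenCreator'; // grants iam.serviceAccounts.signBlob

// Frames copied from the question's stack trace (shortened).
const STACK = `Error: The caller does not have permission
at Gaxios._request (/workspace/node_modules/gaxios/build/src/gaxios.js:127:23)
at async Compute.requestAsync (/workspace/node_modules/google-auth-library/build/src/auth/oauth2client.js:343:18)
at async GoogleAuth.sign (/workspace/node_modules/google-auth-library/build/src/auth/googleauth.js:628:21)
at async sign (/workspace/node_modules/@google-cloud/storage/build/src/signer.js:97:35)`;

// Constructed identities: the e-mail in the key file and the account the function runs as.
const KEY_FILE_SA = 'firebase-adminsdk-abc12@example-project.iam.gserviceaccount.com';
const RUNTIME_SA = 'example-project@appspot.gserviceaccount.com';

// Constructed policy in the { bindings: [{ role, members }] } shape IAM returns.
const POLICY = {
  bindings: [
    { role: TOKEN_CREATOR, members: [`serviceAccount:${KEY_FILE_SA}`] },
    { role: 'roles/storage.admin',
      members: [`serviceAccount:${KEY_FILE_SA}`, `serviceAccount:${RUNTIME_SA}`] },
  ],
};

// Which google-auth-library client made the failing request?
// Compute = metadata-server credentials (no private key in the process);
// JWT = a service-account key file was loaded.
function credentialClient(stack) {
  const m = /at (?:async )?(Compute|JWT)\.\w+/.exec(stack);
  return m ? m[1] : 'unknown';
}

// Roles bound to one service account in the policy.
function rolesFor(policy, email) {
  return policy.bindings
    .filter((b) => b.members.includes(`serviceAccount:${email}`))
    .map((b) => b.role);
}

function diagnose(stack, policy, keyFileSa, runtimeSa) {
  const client = credentialClient(stack);
  // A request made under GoogleAuth.sign by a non-JWT client means the
  // signature was requested from signBlob, not produced with a local key.
  const remoteSign = /GoogleAuth\.sign\b/.test(stack) && client !== 'JWT';
  const signer = client === 'Compute' ? runtimeSa : keyFileSa;
  const canSign = !remoteSign || rolesFor(policy, signer).includes(TOKEN_CREATOR);
  return { client, remoteSign, signer, canSign };
}

console.log(diagnose(STACK, POLICY, KEY_FILE_SA, RUNTIME_SA));
```
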

0 Answers