Firebase Cloud Functions Firestore Trigger produces: Error: 7 PERMISSION_DENIED: Missing or insufficient permissions

囚心锁ツ 2020-12-29 13:48

I'm trying to use a Firebase Cloud Function to update a document within my Firestore database, when one of my documents has been updated using a trigger. The trigger is cal

6 Answers
  • 2020-12-29 13:56

    I had the same issue. And like nvitius, I solved it by changing permissions.

    When creating a function, the default service account appears to be <project-name>@appspot.gserviceaccount.com.

    You can check this by clicking on the Environment variables, networking, timeouts and more link:

    And then you can verify or change the account to the 'App Engine default service account':

    After this, I went to the IAM to verify the permission this service account had.

    But the IAM did not have this service account listed/added.

    So I added it via Add >> New members. Start typing the ID of the project and the service account should pop up in the drop-down.

    And then I gave it the following permissions:

    • Project >> Editor (It may have this already)
    • Datastore >> Cloud Datastore Owner
    • Storage >> Storage Admin

    Hope this helps.

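Added example (not part of the answer above and not Google tooling): a Node.js check over an IAM policy in the JSON shape printed by `gcloud projects get-iam-policy <project-id> --format=json`. It reports whether the function's service account is bound at all and flags roles wider than Firestore document access. The policy, project name and accounts are constructed, `auditServiceAccount` is a hypothetical helper, and the two role sets are assumptions covering only common predefined roles.

```javascript
// Added example. SAMPLE_POLICY is constructed; a real policy has the same shape in
// the output of `gcloud projects get-iam-policy <project-id> --format=json`.
const SAMPLE_POLICY = {
  bindings: [
    { role: 'roles/editor',
      members: ['serviceAccount:demo-project@appspot.gserviceaccount.com'] },
    { role: 'roles/storage.admin',
      members: ['serviceAccount:demo-project@appspot.gserviceaccount.com',
                'user:alice@example.com'] },
    { role: 'roles/viewer', members: ['user:bob@example.com'] },
  ],
};

// Assumption: common predefined roles that include Firestore document read/write.
const FIRESTORE_WRITE_ROLES = new Set([
  'roles/owner', 'roles/editor', 'roles/datastore.owner', 'roles/datastore.user',
]);
// Assumption: roles treated here as wider than a Firestore trigger needs.
const BROAD_ROLES = new Set([
  'roles/owner', 'roles/editor', 'roles/datastore.owner', 'roles/storage.admin',
]);
const NARROW_ROLE = 'roles/datastore.user';

function auditServiceAccount(policy, serviceAccountEmail) {
  const member = `serviceAccount:${serviceAccountEmail}`;
  // Collect every role whose binding lists this account (conditions are ignored).
  const roles = (policy.bindings || [])
    .filter((b) => Array.isArray(b.members) && b.members.includes(member))
    .map((b) => b.role)
    .sort();
  const canWriteFirestore = roles.some((r) => FIRESTORE_WRITE_ROLES.has(r));
  const broadRoles = roles.filter((r) => BROAD_ROLES.has(r));
  return {
    member,
    roles,
    missingFromPolicy: roles.length === 0, // account not listed in IAM at all
    canWriteFirestore,                     // false => likely PERMISSION_DENIED on writes
    broadRoles,
    // Suggest the data-only role when access is absent or comes from a broad role.
    suggestedRole: !canWriteFirestore || broadRoles.length > 0 ? NARROW_ROLE : null,
  };
}

console.log(auditServiceAccount(SAMPLE_POLICY, 'demo-project@appspot.gserviceaccount.com'));
```
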
  • 2020-12-29 13:58

    One solution that worked for me:

    • I was switching between Firebase projects where I wanted to emulate a Cloud Function and see the results in production in Firestore (I already had the Cloud Function creating data in production Firestore in a project, ex. "project-dev")
    • Permission denied error kept happening when creating a new document in Firestore via the Cloud Function, even though I was using the downloaded serviceAccount credentials for the new project ("project-sandbox")
    const admin = require('firebase-admin');
    let serviceAccount = require('../credentials-sb.json');
    admin.initializeApp({
        credential: admin.credential.cert(serviceAccount),
        databaseURL: "https://<project>-sandbox.firebaseio.com"
    });
    
    • I noticed I had not yet run the firebase use command for my new project, nor was it added to .firebaserc. I was "using" a project other than the one that the credentials file would have needed (ex: Firebase CLI set to use "project-dev", I had not yet run the firebase use command for my new "project-sandbox")
    • After I ran firebase use project-sandbox, I ran npm run shell and executed my function from the emulator and everything worked. The emulator worked as it should for "project-sandbox" as it had for "project-dev".

    I can only assume this is due to setting a project-id environment variable which is either sensed from the environment when running admin.initializeApp() or that I could have set manually like this (see comment from @Seb above):

    const admin = require('firebase-admin');
    let serviceAccount = require('../credentials-sb.json');
    admin.initializeApp({
        // explicit project ID for the Admin SDK
        projectId: '<project>-sandbox',
        credential: admin.credential.cert(serviceAccount),
        databaseURL: "https://inkling-sandbox.firebaseio.com"
    });
    

    I hope this helps! Please let me know if it did.

  • 2020-12-29 14:06

    I had the same exact problem with Cloud Functions. My issue was not solved by deleting/redeploying the function. It turns out that, when my project was provisioned, the IAM roles for the default service account were not added. I had to add an Editor role in the IAM Admin panel for <project-name>@appspot.gserviceaccount.com.

  • 2020-12-29 14:09

    My solution was setting up the serviceAccount; check the following code snippet:

    var admin = require("firebase-admin");
    
    var serviceAccount = require("path/to/serviceAccountKey.json");
    
    admin.initializeApp({
      credential: admin.credential.cert(serviceAccount),
      databaseURL: "https://your-database-url.firebaseio.com"
    });
    

    You can generate the serviceAccountKey on: Firebase dashboard -> Project Settings -> Service Accounts tab

    Hope it helps!

  • 2020-12-29 14:12

    I've finally got it working. I didn't change any firestore security rules nor any IAM stuff. I deleted the function which was running on us-central1. Created the same Cloud Function project again, copied over my existing code, but this time I deployed it to europe-west1 and it worked out of the box.

    I assume that something might have failed during the first initial deployment to us-central1 and after that my project was stuck with the error even if I had deleted and redeployed the function several times. Not sure what happened exactly, because no obvious error has been displayed. Maybe someone on the Firebase team who knows the internal workflows can tell us if something like this can happen and if yes, how to deal with it.

    For now the above steps solved my issue.

  • 2020-12-29 14:12

    I've met the same error and have not found the solution anywhere so I post it here if it can help someone...

    We use 2 Firebase projects (DEV, PROD) and deploy the same functions on both. The PERMISSION_DENIED also appears when you specify a wrong projectId in:

    admin.initializeApp({projectId: 'your_project_id'});
    
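The project mismatch described in the second and last answers (a key file for one project while the CLI or the `projectId` option names another) can be caught before `admin.initializeApp()` runs. The following is an added example, not code from any answer or from the Firebase SDK; `checkProjectConsistency` and `assertSingleProject` are hypothetical helpers, the caller is assumed to supply the CLI's active project as `cliProject`, and all project names are constructed.

```javascript
// Added example; every project name and key field value below is constructed.
// Returns the single project all sources agree on, or the list of conflicts.
function checkProjectConsistency({ serviceAccount, options = {}, env = {}, cliProject }) {
  const sources = {
    'key file project_id': serviceAccount && serviceAccount.project_id,
    'initializeApp projectId': options.projectId,
    'GCLOUD_PROJECT/GOOGLE_CLOUD_PROJECT': env.GCLOUD_PROJECT || env.GOOGLE_CLOUD_PROJECT,
    'Firebase CLI active project': cliProject, // assumption: passed in by the caller
  };
  // Only compare sources that are actually set.
  const declared = Object.entries(sources)
    .filter(([, value]) => typeof value === 'string' && value.length > 0);
  const distinct = [...new Set(declared.map(([, value]) => value))];
  return {
    ok: distinct.length === 1,
    project: distinct.length === 1 ? distinct[0] : null,
    conflicts: distinct.length > 1
      ? declared.map(([name, value]) => `${name} = ${value}`)
      : [],
  };
}

// Call before admin.initializeApp(); throws instead of letting the first
// Firestore write fail later with PERMISSION_DENIED.
function assertSingleProject(input) {
  const result = checkProjectConsistency(input);
  if (!result.ok) {
    const detail = result.conflicts.length ? result.conflicts.join('; ') : 'no project ID set';
    throw new Error(`Project ID check failed: ${detail}`);
  }
  return result.project;
}

// Constructed case: sandbox key loaded while the CLI still points at project-dev.
const sample = checkProjectConsistency({
  serviceAccount: { project_id: 'project-sandbox' },
  env: { GCLOUD_PROJECT: 'project-dev' },
  cliProject: 'project-dev',
});
console.log(sample.ok, sample.conflicts);
```
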