allUsers > Cloud Functions Invoker not added to HTTP functions in Node 10 runtime

[timdiacon]

[REQUIRED] Version info

^3.0.2

node:
10

firebase-functions:
HTTP

firebase-tools:
7.4.0

[REQUIRED] Test case

Creating a new HTTP function from the cli by deploying code with firebase deploy --only functions creates a function which throws a 403 when called directly or CORS error when using firebase.functions().httpsCallable from the client

[REQUIRED] Steps to reproduce

As above

[REQUIRED] Expected behavior

The function should have 'allUsers > Cloud Functions Invoker' so it can be called from the client

[REQUIRED] Actual behavior

It doesn't have 'allUsers > Cloud Functions Invoker' and so throws a 403

Were you able to successfully deploy your functions?

Yes

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[RalphKemp]

Hello, I've had the same problem today, and thought I'd chime in with my temp fix (Including issues template for clarification).

Related issues

None.

[REQUIRED] Version info

node: 10.13.0

firebase-functions: 3.0.2

firebase-tools: 7.6.1

firebase-admin: 8.8.0

[REQUIRED] Steps to reproduce

1. Create a normal http cloud function. ('test')
2. run cli firebase deploy --only functions:test

[REQUIRED] Expected behavior

For a newly deployed cloud function to have allUsers in the permissions by default.

[REQUIRED] Actual behavior

Cloud function has no Cloud Functions Invoker, meaning all access is denied.

Were you able to successfully deploy your functions?

Yes.

Temp fix:

In the cloud console functions page, select a function to show the info panel. In the permissions tab, select ADD MEMBER. In the new members field, type allUsers. In the roles drop down, select cloud functions, then cloud functions invoker, and save.

It actually sort of makes sense for a function to have restricted permissions when it's first created, however I'm used to the default permissions being present, so it's a bug (or new feature) that definitely threw me off. Of course this doesn't fix the underlying problem, but hope it helps.

[mbleigh]

You need to upgrade the CLI to >= 7.7.0, which is when we added the automatic IAM policy adjustment for newly created functions. Note that this only applies to new functions, so upgrading and redeploying won't fix already deployed functions. To fix existing functions you can use gcloud:

gcloud functions add-iam-policy-binding $FUNCTION_NAME \
  --member='allUsers' \
  --role='roles/cloudfunctions.invoker'

[RalphKemp]

@mbleigh Thanks for the info!

[alexpchin]

I'm still getting this issue:

firebase-functions: 3.6.2
firebase-tools: 8.4.1
firebase-admin: 8.12.1

I deleted my functions and then redeployed them and I am getting:

[pedrocarloto]

Hello!
I am having the same problem when deploying from GitHub Actions. This only happens randomly and only when deploying new functions.
@alexpchin what is the URL for the interface you posted on your screenshot?
Thank you!

[taeold]

@pedrocarloto The screenshot is probably taken from https://console.cloud.google.com/functions - click on the function you are having issues with and look in the "Permissions" tab.

Firebase CLI tool makes a request to the Google Cloud Functions API to update the permissions post-deploy. Sometimes, this request may fail for various reasons (bad connection, not sufficient permission, etc). There should be a log entry when the request fails - can you share what you find there?

[pedrocarloto]

Hei @taeold!
Thank you for the reply.
I know that interface, but that only gives me the information for one function:

since I have about 80 functions I would like to know how many don't have the role.

I have tried the IAM interface, but it does not include the "Cloud Functions Invoker":

Regarding the logs, the deployment was done through GitHub Actions and I have looked there, but didn't find that request. I also searched on the function log itself on Google Cloud Log Explorer but also did not find that request. Where should I be looking?

Thank you!

[lsps9150414]

For anyone running into this recently, I resolved it by:

• updating all dependencies to the latest, for me it's
  • firebase-admin: ^12.0.0
  • firebase-functions: ^4.6.0
  • firebase-functions-test: ^3.1.1
  • firebase-tools: 13.0.3
• delete all deployed functions (as the permission seems to be configured only when newly deployed)
• redeploy all functions