Unable to set the invoker for the IAM policy on the following functions

[gOzaru]

[REQUIRED] Environment info

firebase-tools: 12.4.0

Platform: Windows

[REQUIRED] Test case

I can't provide the sample as it is owned by company.
The important thing is that I want to edit the data inside Firestore using Cloud Functions. It used to have no error at all. But, now it gives error:

Unable to set the invoker for the IAM policy on the following functions:
        functions:albumedit(us-central1)

Some common causes of this:

- You may not have the roles/functions.admin IAM role. Note that roles/functions.developer does not allow you to change IAM policies.

- An organization policy that restricts Network Access on your project.
i  functions: cleaning up build files...

Error: There was an error deploying functions

I logged in as Owner access in Firebase Cloud Function.
This should give me absolute access to all roles.

[REQUIRED] Steps to reproduce

Just deploy function which has editing and deleting data inside Firestore

[REQUIRED] Expected behavior

It should be run without error.

[REQUIRED] Actual behavior

The function cannot be run anymore.

[gOzaru]

I think this issue is still active.
#4335

[milo-]

Seeing the same thing with newly deployed functions

[gOzaru]

That is after recent update, if I were correct.

[gOzaru]

I think I have found the solution (here)

• Find it in IAM & Admin GCP
• Find Domain restricted sharing in Organization Policies
• Click on Manage Policy
• Choose Customize
• Choose Replace on Policy Enforcement
• Add a RULE: ALLOW ALL
• Set Policy

Now my function is working again.
Note:
If you cannot edit the Manage Policy, then setup Cloud Identity first by clicking here

[clarkbox]

I am having the same problem deploying some functions. We use ansible to run automated deployments, which uses a service account for authentication (not "firebase login").

To use a service account key:

export GOOGLE_APPLICATION_CREDENTIALS="/tmp/serviceAccount.json"

Everything was working fine within the last month. New functions were properly deployed. Nothing was changed with out firebase config, only new function code.

The workarounds listed above did not work. However, we can login ("firebase login") with a user account and run the deploy successfully.

As a small team, it's daunting to manage all this security spaghetti google cloud is throwing at us.

[jaakdentrekhaak]

Thank you @gOzaru! It works for me. I want to share the steps I had to take:

1. Go to IAM and admin > IAM (link)
2. Make sure the organisation is selected in the dropdown at the top (not a project)
3. For the profile with the “Organisation Administrator”, click on the pencil “Edit principal”
4. Click on “ADD ANOTHER ROLE”
5. Choose “Organisation Policy Administrator” (necessary to edit policies in the next step)
6. Go to IAM and admin > Organisation policies (link)
7. Click on “Domain restricted sharing”
8. Click on “MANAGE POLICY”, leave everything as default and remove any existing rules.
9. Click “ADD A RULE” and add choose “Allow all”
10. Finally click “SET POLICY”
11. Now you should be able to deploy the cloud functions