firebase deploy on europe-west2 suddenly fails with Permission 'cloudfunctions.functions.setIamPolicy' denied

Aurangzeb Alamgir

Mar 26, 2020, 8:57:22 AM
to Firebase Google Group
Hello,

we're creating a small Firebase-Only project and since today we're suddenly facing a problem when deploying a new function (using europe-west-2).

Here is the output generated by

firebase deploy functions:setLibraryDocument2 --debug



skipped the log to the relevant part:


[2020-03-26T06:14:49.437Z] Setting public policy for function setLibraryDocument2
[2020-03-26T06:14:49.437Z] >>> HTTP REQUEST POST https://cloudfunctions.googleapis.com/v1/projects/inpraxi-dev/locations/europe-west2/functions/setLibraryDocument2:setIamPolicy
  version=3, bindings=[role=roles/cloudfunctions.invoker, members=[allUsers]], updateMask=version,bindings
[2020-03-26T06:14:49.957Z] <<< HTTP RESPONSE 403 vary=X-Origin, Referer, Origin,Accept-Encoding, content-type=application/json; charset=UTF-8, date=Thu, 26 Mar 2020 06:14:50 GMT, server=ESF, cache-control=private, x-xss-protection=0, x-frame-options=SAMEORIGIN, x-content-type-options=nosniff, alt-svc=quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000, accept-ranges=none, transfer-encoding=chunked
[2020-03-26T06:14:49.958Z] <<< HTTP RESPONSE BODY code=403, message=Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/inpraxi-dev/locations/europe-west2/functions/setLibraryDocument2' (or resource may not exist)., status=PERMISSION_DENIED

Functions deploy had errors with the following functions:

To try redeploying those functions, run:
     firebase deploy --only functions:

To continue deploying other features (such as database), run:
     firebase deploy --except functions

Error: Functions did not deploy properly.


The result is that the initial deploy will not work, but the second deployment of the same function succeeds. However, this function will then generate a CORS failure when called which should not happen for an httpsCallable accessed from localhost development Angular.

Any clues? A temporary problem with cloud functions?

All previously deployed functions in the same region work just fine.

regards,
Aurangzeb

Candela Sánchez Gago

Apr 3, 2020, 7:59:11 AM
to Firebase Google Group
I'm facing exactly the same problem, all of a sudden since yesterday.
I've checked GCP roles and discovered that the editor role (used by developers at my organisation) does not have the cloudfunctions.functions.setIamPolicy permission. If we try to deploy with a user with that permission it works.
What I don't understand is how it has been working until now.

Sam Stern

Apr 3, 2020, 8:29:54 AM
to Firebase Google Group
Hi everyone,

Candela's assessment is correct: due to a recent IAM policy change the "editor" role is no longer sufficient, you need the "owner" role.  We are working on at least making the error clearer here:
https://github.com/firebase/firebase-tools/issues/2086

If we have a workaround or a new solution we will let you know.

- Sam


Candela Sánchez Gago

Apr 3, 2020, 9:45:42 AM
to fireba...@googlegroups.com
The workaround I've done in my team, to avoid giving the "owner" role to all the developers, is to create a new role called Cloud Functions Deployer with only that permission (cloudfunctions.functions.setIamPolicy), and manually add it to all the developers. I've not found a way to bulk add a role to multiple users.

The more explanatory error is a good step, but it would be nice if this permission was added to the "editor" role by default.

Thank you for your answer Sam.
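
Added example (not part of the post above, and not code from Firebase or Google): one way to bulk-add the custom role is to edit the project IAM policy once, granting the role to every developer in a single binding, then apply the result with `gcloud projects set-iam-policy`. The role ID, project ID, e-mail addresses and etag are assumptions constructed for illustration.

```python
import copy
import json

# Assumption: role ID for the custom "Cloud Functions Deployer" role from the
# post above. Project ID, e-mail addresses and etag are constructed samples.
ROLE = "projects/example-project/roles/cloudFunctionsDeployer"

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXXXXXXXXX=",
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:dev1@example.com", "user:dev2@example.com"]},
        {"role": ROLE, "members": ["user:dev1@example.com"]},
    ],
}


def grant_role(policy, role, emails):
    """Return a copy of `policy` with `role` granted to each user e-mail."""
    members = set()
    for email in emails:
        email = email.strip().lower()
        # Rejects blanks and special principals such as allUsers, so this
        # helper can never make the binding public.
        if "@" not in email or ":" in email:
            raise ValueError(f"not a user e-mail address: {email!r}")
        members.add("user:" + email)

    updated = copy.deepcopy(policy)  # etag is kept: a stale write is rejected
    bindings = updated.setdefault("bindings", [])
    # Merge only into the unconditional binding; conditional bindings for the
    # same role are separate entries and must not be widened.
    target = next((b for b in bindings
                   if b["role"] == role and "condition" not in b), None)
    if target is None:
        target = {"role": role, "members": []}
        bindings.append(target)
    target["members"] = sorted(members | set(target["members"]))
    return updated


if __name__ == "__main__":
    team = ["dev1@example.com", "dev2@example.com", "Dev3@example.com"]
    print(json.dumps(grant_role(SAMPLE_POLICY, ROLE, team), indent=2))
```
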

Sam Stern

Apr 3, 2020, 9:48:59 AM
to Firebase Google Group
Glad that's working for you!  I also want to note that the Firebase CLI can be used with service account credentials:

GOOGLE_APPLICATION_CREDENTIALS=your-service-account-keyfile.json firebase deploy --only functions

So you could create a service account with a minimal set of permissions (just what's needed for deploying functions) and share it among your team / build it into your build scripts.  Of course all normal security warnings about service account keys apply!

- Sam

Candela Sánchez Gago

Apr 3, 2020, 10:38:29 AM
to Firebase Google Group
I didn't know about that, will check into it!