Groups keyboard shortcuts have been updated
Dismiss
See shortcuts

Missing permission when running `firebase deploy`

127 views
Skip to first unread message

Dan Bar-Shalom

unread,
Nov 13, 2024, 9:16:53 AM11/13/24
to Firebase Google Group
Hi,

I have a firebase project with firestore db and I'm trying to deploy a function.
I've used the cli to create the project. I've logged-in using my google account.
When running deploy, I always hit this error:

Could not build the function due to missing permissions. generic::permission_denied: Caller does not have required permission to use project <REDUCTED>. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=<REDUCTED> and then retry. Propagation of the new permission may take a few minutes.

Functions deploy had errors with the following functions:
        api(us-central1)
i  functions: cleaning up build files...
⚠  functions: Unhandled error cleaning up build images. This could result in a small monthly bill if not corrected. You can attempt to delete these images by redeploying or you can delete them manually at https://console.cloud.google.com/gcr/images/
<REDUCTED>/us/gcf

Error: There was an error deploying functions

I went to IAM and made sure that my user has the "Service Usage Consumer" role, although it already had the "owner" role, so I'm not sure it's even needed. 
Even after adding this role explicitly, the error persisted.

I've tried many things, including using gcloud cli instead of firebase.
I also tried using a service account and granting it all the needed roles.
To use a service account I've downloaded the service account json. I've logged out by running
firebase logout
firebase use --add
(and then selecting my project)
and then I'm deploying by running
export GOOGLE_APPLICATION_CREDENTIALS="./cred.json" && firebase deploy --only functions:api

The service account had a few other roles that were missing. When I added them it moved on to the new missing role, but eventually ended up with the same missing role "Service Usage Consume", which I've added, but keep getting the same issue. 
While using the service account I also got an error that the billing API wasn't enabled on the project, so I've enabled it.

The list of roles that my personal user has:
Cloud Build Editor
Cloud Datastore Import Export Admin
Cloud Functions Admin
Cloud Run Admin
Cloud Run Source Developer
Firebase Admin
Owner
Service Account Token Creator
Service Account User
Service Usage Consumer
Storage Admin

The list of roles that my service account has:
Cloud Build Editor
Cloud Functions Admin
Cloud Functions Developer
Firebase Admin SDK Administrator Service Agent
Firebase Extensions Developer
Service Account User
Service Extensions Admin
Service Usage Consumer
Storage Admin

Below is the full log. Any help will be appreciated

% firebase deploy --only functions:api

=== Deploying to '<REDUCTED>'...

i  deploying functions
✔  functions: Finished running predeploy script.
i  functions: preparing codebase default for deployment
i  functions: ensuring required API cloudfunctions.googleapis.com is enabled...
i  functions: ensuring required API cloudbuild.googleapis.com is enabled...
i  artifactregistry: ensuring required API artifactregistry.googleapis.com is enabled...
✔  functions: required API cloudbuild.googleapis.com is enabled
✔  functions: required API cloudfunctions.googleapis.com is enabled
✔  artifactregistry: required API artifactregistry.googleapis.com is enabled
i  functions: Loading and analyzing source code for codebase default to determine what to deploy
Serving at port 8676

i  extensions: ensuring required API firebaseextensions.googleapis.com is enabled...
✔  extensions: required API firebaseextensions.googleapis.com is enabled
i  functions: preparing . directory for uploading...
i  functions: packaged <REDUCTED> (43.15 KB) for uploading
i  functions: ensuring required API run.googleapis.com is enabled...
i  functions: ensuring required API eventarc.googleapis.com is enabled...
i  functions: ensuring required API pubsub.googleapis.com is enabled...
i  functions: ensuring required API storage.googleapis.com is enabled...
✔  functions: required API run.googleapis.com is enabled
✔  functions: required API storage.googleapis.com is enabled
✔  functions: required API eventarc.googleapis.com is enabled
✔  functions: required API pubsub.googleapis.com is enabled
i  functions: generating the service identity for pubsub.googleapis.com...
i  functions: generating the service identity for eventarc.googleapis.com...
✔  functions: . folder uploaded successfully
i  functions: updating Node.js 20 (2nd Gen) function api(us-central1)...
Could not build the function due to missing permissions. generic::permission_denied: Caller does not have required permission to use project <REDUCTED>. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=<REDUCTED> and then retry. Propagation of the new permission may take a few minutes.

Functions deploy had errors with the following functions:
        api(us-central1)
i  functions: cleaning up build files...
⚠  functions: Unhandled error cleaning up build images. This could result in a small monthly bill if not corrected. You can attempt to delete these images by redeploying or you can delete them manually at https://console.cloud.google.com/gcr/images/<REDUCTED>/us/gcf

Error: There was an error deploying functions



Guanaco Devs

unread,
Nov 14, 2024, 12:43:49 PM11/14/24
to fireba...@googlegroups.com
Hi there

After changing the permission to your firebase-adminsdk delete your function and redeploy. You need to add the permission only to the firebase-adminsdk account, if using the firebase admin sdk to develop and deploy your functions, there is no need to export your service account to GOOGLE_APPLICATION_CREDENTIALS. 

Regarding to the very last warning 
  functions: Unhandled error cleaning up build images. This could result in a small monthly bill if not corrected. You can attempt to delete these images by redeploying or you can delete them manually at https://console.cloud.google.com/gcr/images/<REDUCTED>/us/gcf
You might need to check the Artifact Registry, there will be build images there, that if left unattended will tend to grow as you deploy your functions and that will increase your billing. There you want to delete everything that was created by deploying your function.

Thank You & Best Regards
Edgard Ochoa
Guanaco Devs


--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/firebase-talk/cd18740e-77d2-4daa-9f4f-1e3f9d90af3dn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages