firebase / firebase-functions

Firebase SDK for Cloud Functions
https://firebase.google.com/docs/functions/
MIT License

Firestore triggers have authType unknown when I make updates to documents from the firebase console #1568

Closed cjhoward92 closed 6 months ago

cjhoward92 commented 6 months ago

Related issues

No

[REQUIRED] Version info

node: v18.17.1

firebase-functions: 5.0.1

firebase-tools: 13.8.0

firebase-admin: 12.1.0

[REQUIRED] Test case

1. Create a Firestore database in the Firebase console.
2. Create a trigger function with auth context.

e.g. my function

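```typescript
import { onDocumentCreated, onDocumentDeleted, onDocumentUpdatedWithAuthContext } from 'firebase-functions/v2/firestore';
import { onRequest } from 'firebase-functions/v2/https';
import * as logger from 'firebase-functions/logger';
import { CloudTasksClient } from '@google-cloud/tasks';

// Defined elsewhere in the reporter's project; their values are not shown in the issue.
declare const QUEUE_NAME: string;
declare const PUBLISH_URL: string;

// Builds the Cloud Tasks task name for a Firestore document path.
const buildTaskName = (document: string) => `${QUEUE_NAME}/tasks/${document}-publish`;

// Runs on every update under notifications/; the event carries authType and authId.
const onNotificationUpdated = onDocumentUpdatedWithAuthContext('notifications/{notificationId}', async (event) => {
  try {
    logger.info('Notification updated:', event);
    const taskClient = new CloudTasksClient();
    // Look up the task scheduled for this document and delete it if present.
    const previousTask = await taskClient.getTask({
      name: buildTaskName(event.document),
    });
    if (previousTask) {
      await taskClient.deleteTask({
        name: buildTaskName(event.document),
      });
    }

    // Schedule a new HTTP task that posts the updated document to PUBLISH_URL.
    await taskClient.createTask({
      // As posted: `parent` receives the task name, not the queue path.
      parent: buildTaskName(event.document),
      task: {
        scheduleTime: {
          // As posted: Date.now() returns milliseconds, `seconds` is epoch seconds.
          seconds: Date.now() + 1000,
        },
        httpRequest: {
          httpMethod: 'POST',
          headers: {
            'Content-Type': 'application/json',
          },
          body: Buffer.from(JSON.stringify(event.data!.after.data())),
          url: PUBLISH_URL,
        },
      },
    });
  } catch (error) {
    logger.error(`Error updating task for document ${event.document}`, error);
  }
});
```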

[REQUIRED] Steps to reproduce

If you update any document that triggers this function, it will fail to resolve the IAM permissions. No matter what service account I use, or whatever permissions I give (even full admin) I can't seem to find out what's going on. My best guess is because the authType in the event is unknown even though the authId is literally my email address (owner of the GCP account and firebase project).

[REQUIRED] Expected behavior

Be able to resolve permissions and create a cloud task.

[REQUIRED] Actual behavior

I get this error during execution

```
Error updating task for document notifications/rrZVDDMelsptw1o7MP0e Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource
```

Mind you - I have granted those permissions to all of the service accounts and users in my GCP account.

Were you able to successfully deploy your functions?

No

google-oss-bot commented 6 months ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

cjhoward92 commented 6 months ago

I figured out a way to do this with the firebase admin package.
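
The following is an added example, not code from this issue or from the firebase-functions project. It separates the two things the report puts together: the event's `authType`/`authId` describe who wrote the document, while Cloud Tasks checks `cloudtasks.tasks.create` against the queue named in `parent`. The allowlist entry, the fail-closed policy and the helper names are assumptions made for illustration.

```typescript
// Added example; not code from the issue or from firebase-functions.
// AuthType mirrors the union exported by firebase-functions/v2/firestore.
type AuthType = 'service_account' | 'api_key' | 'system' | 'unauthenticated' | 'unknown';
interface WriterContext { authType: AuthType; authId?: string }

// Hypothetical allowlist of writer identities allowed to cause side effects.
const TRUSTED_WRITERS = new Set(['publisher@example-project.iam.gserviceaccount.com']);

// Fail closed: only an allowlisted service account is trusted. An authId that
// arrives with authType 'unknown' is not treated as a verified identity.
function isTrustedWriter(ctx: WriterContext): boolean {
  return ctx.authType === 'service_account'
    && ctx.authId !== undefined
    && TRUSTED_WRITERS.has(ctx.authId);
}

// Cloud Tasks naming rules: queue IDs are letters, digits and hyphens (max 100);
// task IDs are letters, digits, hyphens and underscores (max 500).
const QUEUE_RE = /^projects\/[^/]+\/locations\/[^/]+\/queues\/[A-Za-z0-9-]{1,100}$/;
const TASK_ID_RE = /^[A-Za-z0-9_-]{1,500}$/;

// A Firestore path such as 'notifications/abc' contains '/', which a task ID
// may not. Flattening can map distinct paths to one ID; assumed acceptable here.
function taskIdFor(documentPath: string): string {
  return `${documentPath.replace(/[^A-Za-z0-9_-]/g, '_')}-publish`;
}

// Lists the problems with a createTask request before it is sent.
// `parent` must be the queue path; the task name must sit directly under it.
function checkCreateTask(parent: string, taskName: string): string[] {
  const problems: string[] = [];
  if (!QUEUE_RE.test(parent)) problems.push('parent is not a queue path');
  const prefix = `${parent}/tasks/`;
  if (!taskName.startsWith(prefix)) {
    problems.push('task name is not under parent');
  } else if (!TASK_ID_RE.test(taskName.slice(prefix.length))) {
    problems.push('invalid task id');
  }
  return problems;
}
```

Calls to Cloud Tasks from inside the function are made with the function's runtime credentials, so the event's auth context only tells the handler whether to act on the write.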