creating Google Cloud Task in a firebase function

I'm getting an error in the firebase console functions log when calling a firebase HTTP function that tries to create a task.

Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource "projects/my-gcloud-project-id/locations/us-central1/queues/myqueuename" (or the resource may not exist).

Maybe I'm confused between the gcloud id & location versus the firebase id & location?

EDIT: I have confirmed my location is us-central1 by running gcloud --project my-gcloud-project-id tasks locations list

Or maybe somehow I need to set up permissions?

My code:



const functions = require('firebase-functions');
const { CloudTasksClient } = require('@google-cloud/tasks')

const projectId = 'my-firebase-project-id';
const location = 'us-central1'
const queue = 'myqueuename'

exports.onFormSubmit = functions.https.onRequest(async (req, res) => {
  const tasksClient = new CloudTasksClient()
  const queuePath = tasksClient.queuePath('my-gcloud-project-id', location, queue);

  const url = `https://google.com/` // edited for stack overflow
  const delaySeconds = 5;
  console.log('delaying for ', delaySeconds, ' seconds');

  const task = {
      httpRequest: {
          httpMethod: 'POST',
          url,
          body: '',
          headers: {
              'Content-Type': 'application/json',
          },
      },
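      scheduleTime: {
          // scheduleTime is an absolute Unix timestamp (seconds), not a relative delay
          seconds: Math.floor(Date.now() / 1000) + delaySeconds
      }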
  }

  const [ response ] = await tasksClient.createTask({ parent: queuePath, task })

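  console.log('task name', response.name);
  // Send a response so the HTTP function terminates instead of running until timeout
  res.sendStatus(200);
});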

Shuman answered 5/8, 2020 at 16:8 Comment(1)
this might help thecloudfunction.com/blog/… - Thera

In order to create a Google Task you have to add the correct permissions in IAM. In this case, as the error message shows, you have to add the cloudtasks.tasks.create permission to the service account that is invoking the Cloud Function.

This can be done by going into the Cloud Console and then into IAM. Search for the service account, which is usually something like [email protected] (update: it was [email protected]), and add the required permission. If you use role-based permissions, Cloud Tasks Enqueuer should be enough to create the tasks.

Wayside answered 5/8, 2020 at 17:49 Comment(6)
Thanks, I added that role to my gcf-admin-robot service account, and still get the same error. Any idea how I can diagnose if this is still a permissions issue versus me not having the cloud task queue resource name correct? - Shuman
I tried using console.cloud.google.com/iam-admin/troubleshooter with //cloudresourcemanager.googleapis.com/projects/my-gcloud-project-id and cloudtasks.tasks.create and got a green checkmark: access granted. So maybe somehow I'm specifying the resource name wrong? - Shuman
Both are possible. The best approach is to review all the service accounts that are being used from Firestore and add the role Cloud Tasks Enqueuer. You can view all service accounts associated with your project in the Service accounts tab of your settings > Project Settings in the Firebase console. - Wayside
Thank you @Emmanuel! Following up here, my problem ended up being that I had two Google Cloud projects with similar names and I was getting confused between them. See #63305739 - Shuman
Thank you for the follow-up @astromme, could you add the sanitized name of the SA to which you added the permissions? - Wayside
I added the permissions to [email protected] - Shuman
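
One way to separate a wrong resource name from a missing IAM binding, the question raised in the comments above. This is an added example, not code from any of the posters: `diagnoseTaskDenied`, its verdict strings and the sample inputs are hypothetical, and the expected project is taken from the `projectId` constant in the question.

```javascript
// Constructed sample: the error text from the question above.
const SAMPLE_ERROR =
  'Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM ' +
  'permission "cloudtasks.tasks.create" for the resource ' +
  '"projects/my-gcloud-project-id/locations/us-central1/queues/myqueuename" ' +
  '(or the resource may not exist).';

// IDs are limited to safe characters so they can be pasted into a shell command.
const DENIED_RE = new RegExp(
  'lacks IAM permission "([\\w.]+)" for the resource ' +
  '"projects/([\\w.:-]+)/locations/([\\w-]+)/queues/([\\w-]+)"'
);

// diagnoseTaskDenied is a hypothetical helper; `expected` holds the project,
// location and queue the caller believes it is targeting.
function diagnoseTaskDenied(message, expected) {
  const m = DENIED_RE.exec(message);
  if (!m) return { parsed: false, verdict: 'not-a-cloud-tasks-denial', mismatches: [], checks: [] };
  const [, permission, project, location, queue] = m;
  const actual = { project, location, queue };

  // A field that differs from the intended target means the request went to
  // a different resource, so granting more roles will not help.
  const mismatches = Object.keys(actual).filter(
    (k) => expected[k] !== undefined && expected[k] !== actual[k]
  );

  // The message is ambiguous ("or the resource may not exist"), so confirm the
  // queue exists before touching IAM, then list the roles the account holds.
  const checks = [
    `gcloud tasks queues describe ${queue} --location=${location} --project=${project}`,
  ];
  if (/^[\w.@-]+$/.test(expected.serviceAccount || '')) {
    checks.push(
      `gcloud projects get-iam-policy ${project} --flatten="bindings[].members" ` +
      `--filter="bindings.members:serviceAccount:${expected.serviceAccount}" ` +
      '--format="value(bindings.role)"'
    );
  }
  const verdict = mismatches.length ? 'resource-name-mismatch' : 'verify-queue-then-iam';
  return { parsed: true, permission, ...actual, mismatches, checks, verdict };
}
```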

To get tasks working from a function, you need to add four roles to the firebase-adminsdk-*****@my-project-id.iam.gserviceaccount.com Principal: Cloud Functions Admin, Cloud Tasks Admin, Cloud Tasks Queue Admin and Service Account User. Anything short of those four roles and triggering a task function from another function will not work. Technically you could add just the Editor role, but that adds way more permissions than needed.

Google's documentation on this is a disaster.

Nucleolus answered 2/3, 2023 at 22:28 Comment(0)
