'An error occurred when trying to authenticate to the FCM servers' on Firebase Cloud Functions

Asked 3/6, 2022 at 20:6 Answered 10/3, 2023 at 12:30

Solved typescript firebase google-cloud-functions firebase-cloud-messaging firebase-admin

I'm trying to send a message to a topic with FCM in a Firebase Cloud Function triggered when a Firestore document (a message) is created. Subscribing to the topic (also done with Functions) and triggering the send function works fine, but the actual send fails with:

Error: An error occurred when trying to authenticate to the FCM servers. Make sure the credential used to authenticate this SDK has the proper permissions. See https://firebase.google.com/docs/admin/setup for setup instructions.

and some raw HTML containing <H1>PROJECT_NOT_PERMITTED</H1> and <H1>PROJECT_NOT_PERMITTED</H1> .

Here is my code (index.ts):

import * as admin from 'firebase-admin';

admin.initializeApp({
    credential: admin.credential.applicationDefault(),
});

export * from './messages';

and (messages.ts):

import * as admin from 'firebase-admin';
import * as functions from 'firebase-functions';

export const publishMessage = functions
  .firestore.document('/messages/{messageId}').onCreate(
    (snapshot, context) => {
      const data = snapshot.data();
      const message = {
        notification: {
          title: `${data.sentBy} sent a message`,
          body: data.message,
        },
      };

      return admin.messaging().sendToTopic('messages', message);
    },
  );

According to https://firebase.google.com/docs/cloud-messaging/auth-server#provide-credentials-using-adc this should work. I have also tried doing it without any parameters (https://firebase.google.com/docs/admin/setup#initialize-without-parameters) but it fails all the same. What am I missing?

Qualm answered 3/6, 2022 at 20:6 Comment(3)

Can you confirm that you are using an active service account? – Kloster 6/6, 2022 at 6:43

As far as I know I do. This is a brand new Firebase project and a service account for it is created. When I go to Google Cloud Console to IAM & Admin -> Service Accounts I see two: firebase-adminsdk-xxxxx@<projectId>.iam.gserviceaccount.com and <projectId>@appspot.gserviceaccount.com and both are enabled. Neither of them has any keyss but this should not be necessary, right? – Qualm 7/6, 2022 at 12:46

Yes, it should not matter, what's important is the roles that is included in your <projectId>@appspot.gserviceaccount.com. I've posted an answer to further discuss this. – Kloster 8/6, 2022 at 2:39

Turns out that instead of this

      const message = {
        notification: {
          title: `${data.sentBy} sent a message`,
          body: data.message,
        },
      };

      return admin.messaging().sendToTopic('messages', message);

I needed this:

      const message = {
        notification: {
          title: `${data.sentBy} sent a message`,
          body: data.message,
        },
        topic: 'messages',
      };

      return admin.messaging().send('messages', message);

Qualm answered 25/6, 2022 at 2:47 Comment(0)

you can do enable Cloud Messaging API (Legacy) in Project settings/Cloud Messaging

https://i.sstatic.net/ElwpB.png

Godden answered 26/6, 2022 at 10:26 Comment(1)

Thanks, this will also fix the issue I'm having, although I prefer not to start the project with a legacy FCM setup. See my own answer how to change the code for it work properly. – Qualm 26/6, 2022 at 21:10

This is because Google Firebase versions changed and admin.messaging().sendToDevice() no longer works out of the box.

Now following works well:

var admin = require("firebase-admin");
var serviceAccount = require('./xxx.json');

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
});

const registrationToken = 'fKuD...';

const message = {
  token: registrationToken,
  notification: {
    title: "FCM IS COOL !",
    body: "Notification has been recieved",
    imageUrl: "https://i.ytimg.com/vi/iosNuIdQoy8/maxresdefault.jpg"
  }
}

admin.messaging().send(message);

Note databaseURL in firebase-admin is no longer needed. Just private key you download in Firebase Console.

Shogun answered 15/2, 2023 at 9:58 Comment(0)

In my case, enabling API solved the issue. Seems like by default only Firebase Cloud Messaging API is enabled but Cloud Messaging API is not enabled. You need to enable that one from APIs page and it will solve the issue

Goings answered 10/3, 2023 at 12:30 Comment(1)

How this is a thing I don't know but it definitely works – Spaghetti 24/8, 2023 at 21:35

After removing the (roles/firebase.admin) in my <projectId>@appspot.gserviceaccount.com, I also encountered your error:

Since the <projectId>@appspot.gserviceaccount.com service account is being used by Firebase Cloud Functions. Roles and permissions added to this service account carry over to the Cloud Functions runtime.

As you've already stated, you have <projectId>@appspot.gserviceaccount.com, make sure that it has a (roles/firebase.admin), and according to this documentation, it has a full access for cloudmessaging.* permission.

After I re-added the <projectId>@appspot.gserviceaccount.com and the correspoding (roles/firebase.admin):

I've tried adding another Firestore document to test the function (after 10 minutes or so) just to make sure that the changes in my permissions have taken effect:

For other options, you can also try to add the:

Firebase Grow Admin (roles/firebase.growthAdmin);
Or you can try the beta of Firebase Cloud Messaging API Admin (roles/firebasecloudmessaging.admin) since it also has cloudmessaging.* permission.

You can also check the other roles with it's corresponding permissions.

Kloster answered 8/6, 2022 at 2:37 Comment(4)

I added the role to both accounts and nothing changed. I also don't understand why I would need to do this as I never disabled or deleted anything, I have a fresh Firebase project. – Qualm 9/6, 2022 at 0:1

I've updated my answer and provided screenshots, and the steps I've done in order to replicate your error and find a solution. – Kloster 9/6, 2022 at 1:35

I retested it and also waited about 20 minutes (didn't wait in my previous test) but it doesn't change anything, unfortunately. – Qualm 9/6, 2022 at 12:30

Since my proposed solution didn't resolve your issue, you can file a support ticket directly to Firebase Support. – Kloster 10/6, 2022 at 6:48

Recommended topics

Hot tags