DEV Community

Will Ceolin
Will Ceolin

Posted on • Updated on

Permission error when generating a custom token on Cloud Functions

When using Cloud Functions for Firebase you might run into the following error when trying to create a custom token:

'The caller does not have permission; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.' }
Enter fullscreen mode Exit fullscreen mode

This is happening when you call admin.auth().createCustomToken(uid) and Cloud Functions don't have the required permissions.

You can change permissions by doing the following steps:

  • Go to the Google Cloud Console - IAM permissions.
  • Find the "Google Cloud Functions Service Agent" service account.
  • Click on the edit (pencil) icon.
  • Click on "Add another role"
  • Search and add the "Service Account Token Creator" role.

It might seem pretty straightforward but I wasted some time because I was debugging the wrong service account (the one for the Admin SDK). So, make sure you've selected the "Google Cloud Functions Service Agent" option.


Follow me on Twitter

Top comments (11)

Collapse
 
quantafire profile image
Marc Quinn

Thanks for posting this, as it's the only fix I've found for this very specific issue anywhere.

I was having issues where my local version was creating a token without an issue (I checked and that service account has the Service Account Token Creator permissions), but production was giving that exact error.

I did what you suggested but I'm still getting that issue. In Firebase it is saying that the Firebase Service Account is not the one you pointed to. But that already has permissions. Any ideas what to do if even THIS doesn't work? :) Thanks!

Collapse
 
wceolin profile image
Will Ceolin

Not sure but maybe you have the service account from your dev environment in production? In the IAM permissions console, double-check what email address is showing up in the "Member" column for the row with "name: firebase-adminsdk" and "role: Service Account Token Creator".

Your email address should be something like this: firebase-adminsdk-RANDOMCODE@PROJECT-NAME.iam.gserviceaccount.com.

If you have the correct value there, then maybe contact Firebase Support. They're usually pretty responsive.

Collapse
 
rmathias86 profile image
Rodrigo Mathias

Hey Marc, did you solve the issue? I'm facing the same problem.
I do have Service Account Token Creator set both firebase-adminsdk-RANDOMCODE@PROJE.... (already set before) and Google Cloud Functions Service Agent. My functions are working normally, but this one for creating custom token doesn't.

Collapse
 
alynva profile image
Alisson Nunes

same here

Thread Thread
 
alynva profile image
Alisson Nunes

For me, it only worked when I started try adding the "Service Account Token Creator" role for each one of the members. It seams to did work after adding to myself (the owner)

Collapse
 
elyngved profile image
Erik Lyngved • Edited

I was having the same issue, and I finally solved it by adding the "Service Account Token Creator" role to the "App Engine default service account" (PROJECT-ID@appspot.gserviceaccount...). I'm not sure why my cloud function is picking up that account instead of the "Google Cloud Functions Service Agent" but that solved this painful issue for me.

Collapse
 
julienreszka profile image
Julien Henri RESZKA

This did work for me too

Collapse
 
kobayashiharuto profile image
GleamingCake

Thanks!!!

Collapse
 
dominicks profile image
dominic-ks • Edited

Thanks for posting this, helped me narrow down the issue much more quickly.

Interestingly this issue is actually referred to in the docs:

In the docs, they suggest that it's the

  • {project-name}@appspot.gserviceaccount.com

user that needs updating, though like others, my project seems to be using an unexpected user as mine uses

  • {project-id}@cloudbuild.gserviceaccount.com

and I do mean {project-id} and not {project-name} !!

No idea why it is using this one or if this is configurable somewhere, but for anyone else landing here, if adding the permission to a user that makes sense doesn't work, it's worth going through testing the various service accounts one at a time to find the one that works.

There perhaps is a more clever way of determining the user, perhaps outputting it to the logs somehow. But there we are.

Collapse
 
naveenrawat51 profile image
naveenrawat51@gmail.com

Thanks @will Ceolin

it worked

Collapse
 
jcadkins profile image
Jordy Adkins

Make sure to tick the "Include Google-provided role grants" when searching. This worked for me.