Will Ceolin

Permission error when generating a custom token on Cloud Functions

When using Cloud Functions for Firebase you might run into the following error when trying to create a custom token:

'The caller does not have permission; Please refer to for more details on how to use and troubleshoot this feature.' }

This happens when you call admin.auth().createCustomToken(uid) and Cloud Functions doesn't have the required permissions.

You can change permissions by doing the following steps:

  • Go to the Google Cloud Console - IAM permissions.
  • Find the "Google Cloud Functions Service Agent" service account.
  • Click on the edit (pencil) icon.
  • Click on "Add another role".
  • Search and add the "Service Account Token Creator" role.

It might seem pretty straightforward but I wasted some time because I was debugging the wrong service account (the one for the Admin SDK). So, make sure you've selected the "Google Cloud Functions Service Agent" option.
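
To check which identity a function actually runs as before editing roles, the function can read its own service account from the metadata server and compare it with the project's IAM policy. This is an added example, not code from the original post; the project ID, project number and policy below are constructed, and checkTokenCreator and diagnose are hypothetical helper names.

```javascript
// Added example: values in SAMPLE_POLICY and stubFetch are constructed, not from a real project.
const TOKEN_CREATOR = 'roles/iam.serviceAccountTokenCreator';
const METADATA_URL =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email';

// Ask the metadata server which service account this function instance runs as.
// fetchImpl is injectable so the check can also be exercised outside Google Cloud.
async function getRuntimeServiceAccount(fetchImpl = fetch) {
  const res = await fetchImpl(METADATA_URL, { headers: { 'Metadata-Flavor': 'Google' } });
  if (!res.ok) throw new Error(`metadata server returned ${res.status}`);
  return (await res.text()).trim();
}

// policy: parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
// Only project-level bindings appear there; a grant made on the service account
// resource itself will not show up in this policy.
function checkTokenCreator(policy, runtimeEmail) {
  const member = `serviceAccount:${runtimeEmail.toLowerCase()}`;
  const holders = (policy.bindings || [])
    .filter((b) => b.role === TOKEN_CREATOR)
    .flatMap((b) => b.members || []);
  return { member, granted: holders.includes(member), holders };
}

// Log the identity and the verdict from inside the function, then return both.
async function diagnose(policy, fetchImpl) {
  const email = await getRuntimeServiceAccount(fetchImpl);
  const result = checkTokenCreator(policy, email);
  console.log(`runtime identity: ${result.member}, token creator: ${result.granted}`);
  if (!result.granted) console.log('role currently held by:', result.holders);
  return result;
}

// Constructed case: the role sits on the Cloud Functions Service Agent,
// but the function actually runs as the App Engine default service account.
const SAMPLE_POLICY = {
  bindings: [
    { role: TOKEN_CREATOR,
      members: ['serviceAccount:service-123456789012@gcf-admin-robot.iam.gserviceaccount.com'] },
    { role: 'roles/editor',
      members: ['serviceAccount:example-project@appspot.gserviceaccount.com'] },
  ],
};
const stubFetch = async () => ({
  ok: true, status: 200, text: async () => 'example-project@appspot.gserviceaccount.com\n',
});

diagnose(SAMPLE_POLICY, stubFetch);
```

Inside a deployed function, call diagnose with the parsed policy and no second argument so the real metadata server is queried.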

Top comments (10)

Marc Quinn

Thanks for posting this, as it's the only fix I've found for this very specific issue anywhere.

I was having issues where my local version was creating a token without an issue (I checked and that service account has the Service Account Token Creator permissions), but production was giving that exact error.

I did what you suggested but I'm still getting that issue. In Firebase it is saying that the Firebase Service Account is not the one you pointed to. But that already has permissions. Any ideas what to do if even THIS doesn't work? :) Thanks!

Will Ceolin Author

Not sure but maybe you have the service account from your dev environment in production? In the IAM permissions console, double-check what email address is showing up in the "Member" column for the row with "name: firebase-adminsdk" and "role: Service Account Token Creator".

Your email address should be something like this:

If you have the correct value there, then maybe contact Firebase Support. They're usually pretty responsive.

Rodrigo Mathias

Hey Marc, did you solve the issue? I'm facing the same problem.
I do have Service Account Token Creator set on both firebase-adminsdk-RANDOMCODE@PROJE.... (already set before) and Google Cloud Functions Service Agent. My functions are working normally, but this one for creating a custom token doesn't.

Alisson Nunes

same here

Alisson Nunes

For me, it only worked when I started trying to add the "Service Account Token Creator" role for each one of the members. It seems to have worked after adding it to myself (the owner).

Erik Lyngved

I was having the same issue, and I finally solved it by adding the "Service Account Token Creator" role to the "App Engine default service account" (PROJECT-ID@appspot.gserviceaccount...). I'm not sure why my cloud function is picking up that account instead of the "Google Cloud Functions Service Agent" but that solved this painful issue for me.

Julien Henri RESZKA

This did work for me too

dominic-ks

Thanks for posting this, helped me narrow down the issue much more quickly.

Interestingly this issue is actually referred to in the docs:

In the docs, they suggest that it's the

  • {project-name}

user that needs updating, though like others, my project seems to be using an unexpected user as mine uses

  • {project-id}

and I do mean {project-id} and not {project-name} !!

No idea why it is using this one or if this is configurable somewhere, but for anyone else landing here, if adding the permission to a user that makes sense doesn't work, it's worth going through testing the various service accounts one at a time to find the one that works.

There perhaps is a more clever way of determining the user, perhaps outputting it to the logs somehow. But there we are.

naveenrawat51

Thanks @will Ceolin

it worked
