Reputation: 391
I have a project that uses the default bucket on Firebase Admin.
I have the following line:
const [url] = await blob.getSignedUrl({ action: 'read', expires: Date.now() + 60 * 1000, contentType: mimetype })
When my HTTPS callable function is called, the line above throws the error below:
Unhandled error Error: The caller does not have permission
at Gaxios._request (/workspace/node_modules/gaxios/build/src/gaxios.js:129:23)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async Compute.requestAsync (/workspace/node_modules/google-auth-library/build/src/auth/oauth2client.js:368:18)
at async GoogleAuth.signBlob (/workspace/node_modules/google-auth-library/build/src/auth/googleauth.js:655:21)
at async sign (/workspace/node_modules/@google-cloud/storage/build/src/signer.js:97:35) {
name: 'SigningError'
}
What am I doing wrong?
Upvotes: 4
Views: 2119
Reputation: 3607
There is already an open GitHub issue on this. If this is exactly what you are looking for, you can go through the solution listed on the GitHub issue, which is:
Go to your project's Cloud Console > IAM & admin > IAM, find the App Engine default service account, and add the Service Account Token Creator role to that member. This will allow your app to create signed public URLs to the images.
If it did not work for you, try updating IAM roles. From the firebaseSA.json file, look if the associated email has these roles:
Firebase Admin SDK Administrator, Service Agent, Service Account Token Creator, Pub/Sub Publisher, Storage Admin
If it still didn't work for you, try running your application with another service account that has all possible Cloud Storage permissions. Does it work? If yes, it would mean that your current Service requires additional permissions to execute the function. You can check what permissions to give in the Cloud Storage IAM Roles.
Upvotes: 10
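The following is an added example, not code from the question or the answer: a wrapper that recognises the `SigningError` shown in the stack trace and logs which IAM permission and role the runtime identity is missing. The helper names, the `projectId` parameter, and the assumption that the function runs as the App Engine default service account (as the answer states) are illustrative.

```javascript
// Added example. Role and permission ids are Google Cloud IAM's; helper names,
// the projectId parameter and the sample error below are assumptions.
const TOKEN_CREATOR_ROLE = 'roles/iam.serviceAccountTokenCreator';
const SIGN_BLOB_PERMISSION = 'iam.serviceAccounts.signBlob';

// Assumed runtime identity: the App Engine default service account.
function appEngineDefaultServiceAccount(projectId) {
  return `${projectId}@appspot.gserviceaccount.com`;
}

// Returns remediation text when err is the IAM denial raised while signing,
// otherwise null so unrelated failures are not mislabelled.
function describeSigningFailure(err, projectId) {
  if (!err || err.name !== 'SigningError') return null;
  if (!/does not have permission/i.test(String(err.message))) return null;
  const sa = appEngineDefaultServiceAccount(projectId);
  return `${sa} lacks ${SIGN_BLOB_PERMISSION}; grant it ${TOKEN_CREATOR_ROLE}.`;
}

// file is a @google-cloud/storage File (or anything exposing getSignedUrl).
async function signedReadUrl(file, projectId, ttlMs = 60 * 1000) {
  try {
    const [url] = await file.getSignedUrl({
      action: 'read',
      expires: Date.now() + ttlMs, // short-lived link, as in the question
    });
    return url;
  } catch (err) {
    const hint = describeSigningFailure(err, projectId);
    if (hint === null) throw err;
    // Keep IAM details in server logs; the caller gets a generic error.
    console.error(`getSignedUrl failed: ${hint}`);
    throw Object.assign(new Error('Could not create signed URL'), { cause: err });
  }
}

// Constructed sample mirroring the error in the question's stack trace.
const SAMPLE_DENIED = Object.assign(
  new Error('The caller does not have permission'),
  { name: 'SigningError' }
);
```

The role can be granted on the service account resource itself instead of project-wide, which limits the identity to signing as itself.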