114

I just made a firebase cloud function :

exports.deleteAfterSevenDays = functions.https.onRequest((req, res) => {...

I deployed the function and got a function URL. When I request this url from my browser I get the following message :

"Error: Forbidden Your client does not have permission to get URL /200 from this server."

I have just updated to firebase Blaze plan because I thought there were limitations with Spark plan, but it still doesn't work.

In my firebase cloud function logs it is written "Function execution took 572 ms, finished with status code: 302".

My cron job "has been disabled automatically because of too many failed executions".

Do you see what's wrong?

AdrianHHH
Alex9494
  • Hi @Alex9494 did you manage to solve this one? Cheers. – Ivan Apr 30 '18 at 22:53
  • Hi Ivan not yet but I do intend to solve it "soon"... The first who gets the answer gives it to the other one ! ;) – Alex9494 May 03 '18 at 15:09
  • Seems I found the cause of my problem. It was simply a crash in the function I was invoking. Once I fixed it, request started to return 200. – Ivan May 03 '18 at 22:35
  • It was an issue in my firebase cloud function code as well. Terminate HTTP functions with res.redirect(), res.send(), or res.end() https://firebase.google.com/docs/functions/terminate-functions – Alex9494 Jul 10 '18 at 10:55

15 Answers

159

Cloud function should have a role with member called "All users" to invoke this function from anywhere/anyone irrespective of an authorization.

Without Authorization:

  1. Go to the cloud function tab
  2. Select your cloud function (check box)
  3. Click "Add members" under Permissions tab in the right side
  4. Enter "allUsers" under "New members"
  5. Select Role as "Cloud Functions -> Cloud Functions Invoker"
  6. Save
  7. Test your cloud function by just pasting it in the browser

With Authorization:

It's always a good practice to set authorization on your cloud functions

Note: Cloud functions throwing error with "403 Forbidden - Your client does not have permission to get URL" should be called by authorized users.

Simple test:

  1. Click on Cloud shell(icon) terminal in the top of the page

  2. type: gcloud auth print-identity-token

  3. copy the generated token

  4. forming Authorization key to be passed while calling cloud function

    4.1 Authorization: bearer generated_token

  5. Use above Authorization key while calling your cloud function

Note:

  1. Never make a cloud function available to allUsers
Blundell
suresh
  • 1
    I tried with the Authorization, but the token seems to be expiring. I could not use the same token from yesterday :( – hamedazhar Apr 22 '20 at 05:45
  • 1
    This token is the idToken - it is valid only 3600 seconds, after that you should update it. Documentation https://firebase.google.com/docs/auth/admin/manage-sessions – awaik Apr 25 '20 at 05:37
  • 6
    Note that this is the Google Cloud interface to the Functions, not the Firebase interface -- go to : https://console.cloud.google.com/functions – kris May 26 '20 at 13:48
  • 7
    If we generate token using the above suggested method, it will be valid only 1 hr. Then, we can't use same token again. Is there any way to generate permanent token so that cloud function will work as long as correct token is being provided? – Sandokan Jun 22 '21 at 17:43
  • 2
    If you suggest to "Never make a cloud function available to allUsers" what's the best practice for authentication then? Do you recommend to generate a token for every request made to ones functions? Isn't it sufficient to use Firebase Auth within the function and simply set the access for the API to "allUsers"? – Josef Büttgen Sep 17 '21 at 12:16
  • Thanks! It worked perfectly! BTW, I was facing CORS errors on the browser console. I had the described error (in the question) while trying on Postman. Your answer helped a lot. – moreirapontocom Jul 19 '22 at 19:01
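
The comments above report that a token from `gcloud auth print-identity-token` stops working after about an hour. As an added example (not code from any poster), this JavaScript reads a token's `exp` claim so a caller can recognise a stale token before sending it; the function names and the unsigned sample token are constructed for illustration.

```javascript
// Diagnostic only: decodes claims without verifying the signature.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Expiry information for a JWT, given the current time in seconds.
function tokenStatus(token, nowSeconds) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) return { valid: false, reason: 'not a three-part JWT' };
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (err) {
    return { valid: false, reason: 'payload is not base64url JSON' };
  }
  if (!claims || typeof claims.exp !== 'number') {
    return { valid: false, reason: 'no exp claim' };
  }
  const secondsLeft = claims.exp - nowSeconds;
  return {
    valid: secondsLeft > 0,
    reason: secondsLeft > 0 ? 'ok' : 'expired',
    secondsLeft,
    lifetime: typeof claims.iat === 'number' ? claims.exp - claims.iat : null,
  };
}

// Build the Authorization header, refusing stale or nearly stale tokens.
function authorizationHeader(token, nowSeconds, minSecondsLeft = 60) {
  const status = tokenStatus(token, nowSeconds);
  if (!status.valid) throw new Error(`get a new token: ${status.reason}`);
  if (status.secondsLeft < minSecondsLeft) {
    throw new Error('get a new token: about to expire');
  }
  return { Authorization: `Bearer ${String(token).trim()}` };
}

// Constructed sample: unsigned token with made-up claims, 3600 s lifetime.
function makeSampleToken(issuedAt) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const claims = { aud: 'https://example.invalid/fn', iat: issuedAt, exp: issuedAt + 3600 };
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const issuedAt = 1700000000;
const sample = makeSampleToken(issuedAt);
console.log(tokenStatus(sample, issuedAt + 10));    // ten seconds after issue
console.log(tokenStatus(sample, issuedAt + 86400)); // the same token a day later
```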
52

From Cloud Function docs:

Caution: New HTTP and HTTP callable functions deployed with any Firebase CLI lower than version 7.7.0 are private by default and throw HTTP 403 errors when invoked. Either explicitly make these functions public, or update your Firebase CLI before you deploy any new functions.

In my case the CLI version was out of date. If you currently get the 403 error, try this:

  1. Delete your Cloud Functions
  2. Update Firebase CLI npm install -g firebase-tools
  3. Re-deploy your functions
basharovV
  • 3
    That solved my problem. I installed the latest firebase-tools, deleted my function on the Firebase console and redeployed it. Et voilà. THANK YOU! – Marcelo Apr 26 '20 at 18:38
  • 2
    Besides updating cli, I had to enable unauthenticated function invocation as given here https://cloud.google.com/functions/docs/securing/managing-access-iam#allowing_unauthenticated_function_invocation – rahulserver May 11 '20 at 08:18
  • FFFFFFFF It works, I've made it work before just by changing the folder and name of the functions and was really weirded out by that. But deleting the functions and re-uploading works. I could add too that you should delete the "lib" folder if you're using firebase functions. Or your build folder. And then re-uploading. Thank you!!! – Tony Jara Mar 31 '22 at 14:04
  • 3
    Also, the new cloud functions permissions can be set up incorrectly if there is an error during first deployment - deleting the function and re-deploying fixed this for me – atablash Sep 18 '22 at 01:20
  • 1
    Do not pass this answer up. It still works as of March 2023 – Stephan Walters Mar 19 '23 at 00:20
45

To be clear:

  1. Go to your function (make sure your project is selected):

https://console.cloud.google.com/functions/details/us-central1/ssr

  2. Click Permissions Tab
  3. Click Add Permissions
  4. New Principals: allUsers
    Role: Cloud Functions Invoker

Done.

Jonathan
15

If you face this in 2020 it might also be due to a different access behaviour:

Note: As of January 15, 2020, HTTP functions require authentication by default. You can specify whether a function allows unauthenticated invocation at or after deployment.

https://cloud.google.com/functions/docs/securing/managing-access-iam#allowing_unauthenticated_function_invocation

Diolor
13

Changing the IAM role(Cloud Functions Invoker) for targeted cloud function to allUsers should solve this issue. https://console.cloud.google.com/functions

Manish YADAV
  • 1
    I am having the same issue - can you please clarify what you mean by 'for targeted cloud function to allUsers'? – user2181948 Sep 19 '19 at 03:29
  • 2
    This looks to be a security risk? Can you please verify whether changing to allUsers does not have any security risks? – Nikhil Apr 05 '20 at 17:10
  • @Nikhil Not, always that you are dealing with public https functions and maybe custom handling auth inside them. – Karlo A. López Oct 29 '20 at 22:21
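
Several answers on this page grant Cloud Functions Invoker to allUsers, and the comments above ask whether that is a risk. As an added example (not code from any poster), this JavaScript scans IAM policies, in the JSON shape printed by `gcloud functions get-iam-policy FUNCTION --format=json`, and lists functions that are publicly invokable without being on an intended-public list; the sample policies, the service account and the `exportReport` name are constructed.

```javascript
// Members that mean "anyone" and roles that allow invoking a function.
const PUBLIC_MEMBERS = new Set(['allUsers', 'allAuthenticatedUsers']);
const INVOKER_ROLES = new Set([
  'roles/cloudfunctions.invoker', // Cloud Functions Invoker
  'roles/run.invoker',            // Cloud Run Invoker (functions served by Cloud Run)
]);

// policies: { functionName: IAM policy object with a "bindings" array }
function findPublicInvokers(policies) {
  const findings = [];
  for (const [name, policy] of Object.entries(policies)) {
    for (const binding of policy.bindings || []) {
      if (!INVOKER_ROLES.has(binding.role)) continue;
      for (const member of binding.members || []) {
        if (PUBLIC_MEMBERS.has(member)) {
          findings.push({ function: name, role: binding.role, member });
        }
      }
    }
  }
  return findings;
}

// Names of functions that are public but not on the intended-public list.
function unexpectedPublic(policies, intendedPublic) {
  const allowed = new Set(intendedPublic);
  const names = findPublicInvokers(policies)
    .map((finding) => finding.function)
    .filter((name) => !allowed.has(name));
  return [...new Set(names)];
}

// Constructed sample policies (not real project data).
const CRON_SA = 'serviceAccount:cron@example-project.iam.gserviceaccount.com';
const SAMPLE_POLICIES = {
  ssr: { bindings: [{ role: 'roles/cloudfunctions.invoker', members: ['allUsers'] }] },
  deleteAfterSevenDays: { bindings: [
    { role: 'roles/cloudfunctions.invoker', members: ['allUsers', CRON_SA] },
  ] },
  exportReport: { bindings: [
    { role: 'roles/cloudfunctions.invoker', members: [CRON_SA] },
  ] },
};

// Only "ssr" is meant to be reachable by anyone in this sample.
console.log(unexpectedPublic(SAMPLE_POLICIES, ['ssr']));
```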
13

Here are the steps

  • Go the Google Cloud Console(Not Firebase Console) -> Search For Cloud Functions to see the list of functions
  • Click the checkbox next to the function to which you want to grant access.
  • Click Permissions at the top of the screen. The Permissions panel opens.
  • Click Add principal.
  • In the New principals field, type allUsers.
  • Select the role Cloud Functions > Cloud Functions Invoker from the Select a role drop-down menu.
  • Click Save.
6

Enable access from Postman project:

  1. Open https://console.cloud.google.com/functions
  2. Open cloud shell (right top terminal icon)
  3. Write: gcloud auth print-identity-token
  4. Copy your token and open your Postman
  5. Right click on your collection -> Edit
  6. Authorization -> Choose type OAuth 2.0
  7. Paste your token in the Access Token

Note: You can do the same for a single request or folder.

genericUser
5

This might be far-fetched, but if you have interrupted a cloud function deployment, then redeployed the function (which led to an error), and after that you redeployed the function successfully, this could have caused the issue.

I am trying to reproduce, but simply deleting the function in the firebase console and redeploying worked for me.

dcts
  • 2
    It isn't far-fetched, it happened to me. Steps: 1. deployed a function with a syntax error, got Cloud Errors is having issues error (wrong, sigh) 2. re-deployed with corrected code, thought everything was ok 3. saw stripe webhooks (which hit functions) were failing with `Your client does not have permission to get URL` 4. tried deploying functions again - didn't fix the error 4. found this post, deleted all functions, redeployed again - fixed – xaphod Dec 20 '21 at 18:40
5

It happened to me after I upgraded all NPM packages and then deployed... I deleted all the functions from the cloud and re-deployed them. It solved this error for me immediately, without changing permissions or any other change.

yehonatan yehezkel
3
  1. Go to the cloud function tab
  2. Click the three dots on the right hand side of your function
  3. Click "Go to cloud run service"
  4. On Cloud run, click security tab
  5. Under Authentication Card, select "Allow unauthenticated invocations"
Cody
  • tried several options above with no luck. This one that worked for me (thanks @Cody) The wins of giving the zero vote new guy a go! – RumbleFish May 19 '23 at 06:10
1

Just in case anyone is encountering this and has tried all the permissions stuff above in Google Cloud Console...

In my scenario, it turns out I was trying to replace a very old function (like years old) with a new function of the same function name. I tried redeploying the function a few times but nothing worked.

I needed to delete the function manually from Google Cloud Console and then redeploy the function. This fixed the issue for me and likely blew out the cobwebs causing it to malfunction.

Hope this helps someone.

1

In 2023

In my case, I just delete all functions/files that I have created and deploy/upload all files again.

then deploy again

then look like this

final result

Deepak Singh
0

I know this doesn't make sense, or not a real solution but I solved it by making my account an Owner of the Firebase project. It was working nice while I was Editor but stopped working suddenly and setting my account as Owner solved it for now.

I guess it has to do with certain account having proper access to the Service Account which is the actual interface with Firebase Functions and Google Cloud API.

Rami Alloush
  • I am also facing the same issue. I deployed a new cloud function to the firebase project today and I am not able to execute it. Giving exactly the same error. Existing functions present in the firebase project are working fine. So it looks like the issue is for recently newly deployed functions. – Nikhil Apr 05 '20 at 17:09
  • same problem here. can you guys find any solution? – Dulaj Madusanka Apr 23 '20 at 05:10
0

In my case, I made an error in Postman when I typed the Body of the Request: I didn't switch the format from Text to JSON.

Check that part.

0

According to this page: https://firebase.google.com/docs/functions/http-events

Caution: New HTTP and HTTP callable functions deployed with any Firebase CLI lower than version 7.7.0 are private by default and throw HTTP 403 errors when invoked. Either explicitly make these functions public or update your Firebase CLI before you deploy any new functions.

You only need to create permissions if you are using old versions of the CLI, because they are private by default. With newer versions (>7.7.0), this should not happen.

If this happens, run npm install -g firebase-tools to get the latest CLI, go to your Firebase console, delete all the existing functions and deploy again.

For this case there is no need to do anything in google cloud console.

Pedro Luz