[DOCS] for sample: taskqueues-backup-images, not clear how to set up "impersonation" permission #1088

Open
gazialankus opened this issue May 25, 2023 · 2 comments

gazialankus commented May 25, 2023

Which sample?

taskqueues-backup-images IAM Policy

What is the issue with this sample's docs?

In https://firebase.google.com/docs/functions/task-functions?gen=2nd#iam_permissions and https://github.com/firebase/functions-samples/tree/main/Node/taskqueues-backup-images#iam-policy

there are three steps to give the appropriate permissions so one can start a task from a Firebase Function. I'm trying to follow the 2nd gen version.

I created everything, but I'm lost in the second step in this IAM Policy section, namely:

Please follow Google Cloud IAM documentation to add App Engine default service account as user of App Engine default service account.

I tried to do that, but it was impossible to figure out. One of the nice things about Firebase Functions is that you can get started with something without being a cloud expert, and I'm expecting a step-by-step guide here.

In the docs, it links to Service account impersonation, which seems impossible for me to figure out without wrapping my head around many technologies...

I believe this is a major gap in documentation here. Could you provide what exactly we need to do in this example to simply have this long running task execute?

Is it easier in 1st gen? If so I'll try that. But it has the same docs about permissions so I doubt that. Please help!

@gazialankus
Author

I have enabled logs for the task and I'm getting a 401

{
  "textPayload": "The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401",
  "insertId": "646f8e03000a6f22b18e5817",
  "httpRequest": {
    "requestMethod": "POST",
    "requestUrl": "...",
    "requestSize": "1575",
    "status": 401,
    "userAgent": "Google-Cloud-Tasks",
    "remoteIp": "35.243.23.219",
    "serverIp": "216.239.36.54",
    "latency": "0s",
    "protocol": "HTTP/1.1"
  },
  "resource": {
    "type": "cloud_run_revision",
    "labels": {
      "configuration_name": "synchronizetask",
      "revision_name": "synchronizetask-00003-doq",
      "service_name": "synchronizetask",
      "project_id": "...",
      "location": "us-central1"
    }
  },
  "timestamp": "2023-05-25T16:34:11.682815Z",
  "severity": "WARNING",
  "labels": {
    "goog-managed-by": "cloudfunctions"
  },
  "logName": "projects/.../logs/run.googleapis.com%2Frequests",
  "trace": "projects/.../traces/36c6c7d9ced30537f7ee2925be9bd7ad",
  "receiveTimestamp": "2023-05-25T16:34:11.694423190Z",
  "spanId": "8111407204631128905"
}

@gazialankus
Author

What worked for me was to go to Cloud Functions in Google Cloud Console, select the task function that was created with onTaskDispatched, and give Cloud Functions Admin role to the Firebase Service Account. I hope this helps someone. This was a very easy thing to do and docs were unnecessarily cryptic. If this is too broad of a permission, it is upon the docs authors to clearly present what's needed.
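
On the question of whether that role is too broad, here is an added example (not part of the thread or of the Firebase sample) that audits an IAM policy for the task function's underlying Cloud Run service, the resource that returned the 401 in the log above. It reports whether the calling service account holds `roles/run.invoker` and flags broader roles granted to it. The function name, the list of roles treated as broad, and the account and project names are assumptions made for illustration.

```javascript
// Added example (not from the thread or the sample repo): audit who may invoke a task function.
// `policy` uses the standard IAM shape, e.g. the JSON printed by
// `gcloud run services get-iam-policy SERVICE --region=REGION --format=json`.
// Only bindings on this resource are visible here; grants inherited from the project are not.
const INVOKER_ROLE = "roles/run.invoker";
// Review list (an assumption, extend as needed): roles that grant far more than invocation.
const BROAD_ROLES = new Set([
  "roles/owner", "roles/editor", "roles/run.admin", "roles/cloudfunctions.admin",
]);
const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);

function auditInvokerPolicy(policy, callerEmail) {
  const caller = `serviceAccount:${callerEmail}`;
  const result = { invoker: "none", broadRoles: [], publicInvoker: false, advice: [] };
  for (const binding of policy.bindings || []) {
    const members = binding.members || [];
    if (binding.role === INVOKER_ROLE && members.some((m) => PUBLIC_MEMBERS.has(m))) {
      result.publicInvoker = true; // the task handler can be called without a trusted identity
    }
    if (!members.includes(caller)) continue;
    if (binding.role === INVOKER_ROLE) {
      // An unconditional grant takes precedence over a conditional one.
      if (!binding.condition) result.invoker = "unconditional";
      else if (result.invoker === "none") result.invoker = "conditional";
    } else if (BROAD_ROLES.has(binding.role)) {
      result.broadRoles.push(binding.role);
    }
  }
  if (result.invoker === "none") {
    result.advice.push(`grant ${INVOKER_ROLE} to ${caller} on this service`);
  }
  for (const role of result.broadRoles) {
    result.advice.push(`remove ${role} from ${caller} once ${INVOKER_ROLE} is in place`);
  }
  if (result.publicInvoker) result.advice.push(`remove public members from ${INVOKER_ROLE}`);
  return result;
}

// Constructed sample, modelled on the workaround above: an admin role but no invoker binding.
const CALLER = "example-project@appspot.gserviceaccount.com"; // placeholder account
const samplePolicy = {
  bindings: [
    { role: "roles/cloudfunctions.admin", members: [`serviceAccount:${CALLER}`] },
    { role: "roles/run.invoker", members: ["serviceAccount:other@example-project.iam.gserviceaccount.com"] },
  ],
};
console.log(JSON.stringify(auditInvokerPolicy(samplePolicy, CALLER), null, 2));
```
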
