When using Cloud Functions for Firebase you might run into the following error when trying to create a custom token:
'The caller does not have p...
Thanks for posting this, as it's the only fix I've found for this very specific issue anywhere.
I was having issues where my local version was creating a token without an issue (I checked and that service account has the Service Account Token Creator permissions), but production was giving that exact error.
I did what you suggested but I'm still getting that issue. In Firebase it is saying that the Firebase Service Account is not the one you pointed to. But that already has permissions. Any ideas what to do if even THIS doesn't work? :) Thanks!
Not sure but maybe you have the service account from your dev environment in production? In the IAM permissions console, double-check what email address is showing up in the "Member" column for the row with "name: firebase-adminsdk" and "role: Service Account Token Creator".
Your email address should be something like this:
firebase-adminsdk-RANDOMCODE@PROJECT-NAME.iam.gserviceaccount.com
If you have the correct value there, then maybe contact Firebase Support. They're usually pretty responsive.
Hey Marc, did you solve the issue? I'm facing the same problem.
I do have Service Account Token Creator set on both firebase-adminsdk-RANDOMCODE@PROJE.... (already set before) and Google Cloud Functions Service Agent. My functions are working normally, but this one for creating a custom token doesn't.
same here
For me, it only worked when I started trying to add the "Service Account Token Creator" role for each one of the members. It seems it did work after adding it to myself (the owner).
I was having the same issue, and I finally solved it by adding the "Service Account Token Creator" role to the "App Engine default service account" (PROJECT-ID@appspot.gserviceaccount...). I'm not sure why my cloud function is picking up that account instead of the "Google Cloud Functions Service Agent" but that solved this painful issue for me.
This did work for me too
Thanks!!!
Thanks for posting this, helped me narrow down the issue much more quickly.
Interestingly this issue is actually referred to in the docs:
In the docs, they suggest that it's the
user that needs updating, though like others, my project seems to be using an unexpected user as mine uses
and I do mean {project-id} and not {project-name} !!
No idea why it is using this one or if this is configurable somewhere, but for anyone else landing here, if adding the permission to a user that makes sense doesn't work, it's worth going through testing the various service accounts one at a time to find the one that works.
There perhaps is a more clever way of determining the user, perhaps outputting it to the logs somehow. But there we are.
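The previous comment asks for a way to find out which account the function is actually running as by writing it to the logs. Below is an added example, not code from the original post or from the Firebase SDK, that does exactly that: it asks the GCE metadata server for the runtime service account (a real endpoint, reachable from inside Cloud Functions), recognizes the permission failure that the custom-token path raises when the runtime identity lacks `roles/iam.serviceAccountTokenCreator`, and logs which IAM row to check. It assumes a Node.js 18+ runtime (global `fetch`). The `createCustomTokenWithDiagnostics` wrapper and the fake signer and fake metadata responses in the demo are constructed for illustration; `createToken` is injected so the helpers run without `firebase-admin` installed, and `serviceAccountId` refers to the option of the same name accepted by `initializeApp()`.

```javascript
// Added diagnostic helper (not from the original post or the Firebase SDK).
// Assumes Node.js 18+ (global fetch) and, when deployed, that the GCE
// metadata server is reachable, which is the case inside Cloud Functions.

const METADATA_EMAIL_URL =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email';

// Ask the metadata server which identity the function is running as. As the
// thread shows, this is often the App Engine default account
// (PROJECT-ID@appspot.gserviceaccount.com), not the firebase-adminsdk-* one.
// fetchImpl is injectable so the logic can be exercised outside Google Cloud.
async function getRuntimeServiceAccount(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(METADATA_EMAIL_URL, {
    headers: { 'Metadata-Flavor': 'Google' },
  });
  if (!res.ok) {
    throw new Error(`metadata server returned HTTP ${res.status}`);
  }
  return (await res.text()).trim();
}

// Without a private key, the Admin SDK signs custom tokens through the IAM
// signBlob API, which requires roles/iam.serviceAccountTokenCreator. These are
// the message fragments that point at that specific failure.
function isTokenCreatorPermissionError(err) {
  const msg = String((err && err.message) || err);
  return /caller does not have permission|iam\.serviceAccounts\.signBlob|PERMISSION_DENIED/i.test(msg);
}

// Build the text a practitioner wants in the logs: the runtime identity and
// which IAM grant to look for. targetEmail defaults to the runtime account; it
// differs only when serviceAccountId was passed to initializeApp().
function describeTokenCreatorFix(runtimeEmail, targetEmail = runtimeEmail) {
  const where = targetEmail === runtimeEmail
    ? ' (on the project, or on itself)'
    : ` (on ${targetEmail})`;
  return [
    'custom token creation denied',
    `function runtime identity: ${runtimeEmail}`,
    `token signing identity:    ${targetEmail}`,
    `grant roles/iam.serviceAccountTokenCreator to ${runtimeEmail}${where}`,
  ].join('\n');
}

// Wrapper for use inside a function handler. createToken is something like
// (uid) => admin.auth().createCustomToken(uid). The original error is
// re-thrown unchanged; only the diagnostic log line is added.
async function createCustomTokenWithDiagnostics(createToken, uid, opts = {}) {
  const { fetchImpl = globalThis.fetch, log = console.error, targetEmail } = opts;
  try {
    return await createToken(uid);
  } catch (err) {
    if (isTokenCreatorPermissionError(err)) {
      let runtime = 'unknown (metadata server unavailable)';
      try {
        runtime = await getRuntimeServiceAccount(fetchImpl);
      } catch (_) {
        // Outside Google Cloud there is no metadata server; keep the placeholder.
      }
      log(describeTokenCreatorFix(runtime, targetEmail || runtime));
    }
    throw err;
  }
}

// Constructed offline demo: a fake signer that fails the way the SDK does when
// the role is missing, and a fake metadata server answering with the App
// Engine default account. Values are made up for illustration.
if (typeof require !== 'undefined' && require.main === module) {
  const fakeFetch = async () => ({
    ok: true,
    text: async () => 'my-project@appspot.gserviceaccount.com\n',
  });
  const failingSigner = async () => {
    throw new Error('The caller does not have permission');
  };
  createCustomTokenWithDiagnostics(failingSigner, 'user-123', { fetchImpl: fakeFetch })
    .catch(() => { /* expected: the diagnostic was logged above */ });
}
```

Deployed, the logged "function runtime identity" line is the email to look for in the IAM "Member" column; the grant goes to that account, whichever one it turns out to be, rather than to the account one expects.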
Thanks @will Ceolin
it worked
Make sure to tick the "Include Google-provided role grants" when searching. This worked for me.