[DOCS] for sample: taskqueues-backup-images, not clear how to set up "impersonation" permission
gazialankus opened this issue · 2 comments
Which sample?
taskqueues-backup-images IAM Policy
What is the issue with this sample's docs?
In https://firebase.google.com/docs/functions/task-functions?gen=2nd#iam_permissions and https://github.com/firebase/functions-samples/tree/main/Node/taskqueues-backup-images#iam-policy, there are three steps to give the appropriate permissions so one can start a task from a Firebase Function. I'm trying to follow the 2nd gen version.
I created everything, but I'm lost in the second step in this IAM Policy section, namely:
Please follow Google Cloud IAM documentation to add App Engine default service account as user of App Engine default service account.
I tried to do that, but it was impossible to figure out. One of the nice things about Firebase Functions is that you can get started with something without being a cloud expert, and I'm expecting a step-by-step guide here.
In the docs, it links to Service account impersonation, which seems impossible for me to figure out without wrapping my head around many technologies...
I believe this is a major gap in documentation here. Could you provide what exactly we need to do in this example to simply have this long running task execute?
Is it easier in 1st gen? If so I'll try that. But it has the same docs about permissions so I doubt that. Please help!
I have enabled logs for the task and I'm getting a 401:

```json
{
  "textPayload": "The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401",
  "insertId": "646f8e03000a6f22b18e5817",
  "httpRequest": {
    "requestMethod": "POST",
    "requestUrl": "...",
    "requestSize": "1575",
    "status": 401,
    "userAgent": "Google-Cloud-Tasks",
    "remoteIp": "35.243.23.219",
    "serverIp": "216.239.36.54",
    "latency": "0s",
    "protocol": "HTTP/1.1"
  },
  "resource": {
    "type": "cloud_run_revision",
    "labels": {
      "configuration_name": "synchronizetask",
      "revision_name": "synchronizetask-00003-doq",
      "service_name": "synchronizetask",
      "project_id": "...",
      "location": "us-central1"
    }
  },
  "timestamp": "2023-05-25T16:34:11.682815Z",
  "severity": "WARNING",
  "labels": {
    "goog-managed-by": "cloudfunctions"
  },
  "logName": "projects/.../logs/run.googleapis.com%2Frequests",
  "trace": "projects/.../traces/36c6c7d9ced30537f7ee2925be9bd7ad",
  "receiveTimestamp": "2023-05-25T16:34:11.694423190Z",
  "spanId": "8111407204631128905"
}
```
What worked for me was to go to Cloud Functions in Google Cloud Console, select the task function that was created with onTaskDispatched, and give the Cloud Functions Admin role to the Firebase Service Account. I hope this helps someone. This was a very easy thing to do and the docs were unnecessarily cryptic. If this is too broad of a permission, it is up to the docs authors to clearly present what's needed.
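The 401 entry quoted in this issue has a recognizable shape (a `cloud_run_revision` resource, user agent `Google-Cloud-Tasks`, status 401), so the same failure can be spotted in exported request logs. The following is an added example, not part of the issue or of the Firebase sample; it assumes the logs are exported as one JSON object per line, and the function names and sample entries are constructed for illustration.

```python
import json
from collections import Counter

def _entry(status, agent, service="synchronizetask"):
    # Constructed sample entry using the field layout of the log quoted in the issue.
    return json.dumps({
        "httpRequest": {"requestMethod": "POST", "status": status, "userAgent": agent},
        "resource": {"type": "cloud_run_revision",
                     "labels": {"service_name": service, "location": "us-central1"}},
    })

SAMPLE_LINES = [
    _entry(401, "Google-Cloud-Tasks"),
    _entry(401, "Google-Cloud-Tasks"),
    _entry(200, "Google-Cloud-Tasks"),   # successful dispatch, ignored
    _entry(401, "curl/8.0"),             # 401, but not sent by Cloud Tasks
    "{truncated line",                   # malformed export line
]

def is_rejected_task_dispatch(entry):
    """True when Cloud Tasks called a Cloud Run-backed function and got a 401."""
    if not isinstance(entry, dict):
        return False
    req = entry.get("httpRequest") or {}
    res = entry.get("resource") or {}
    return (res.get("type") == "cloud_run_revision"
            and req.get("userAgent") == "Google-Cloud-Tasks"
            and req.get("status") == 401)

def summarize(lines):
    """Count rejected dispatches per (service, location); also count unparsable lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if is_rejected_task_dispatch(entry):
            labels = entry["resource"].get("labels") or {}
            counts[(labels.get("service_name"), labels.get("location"))] += 1
    return counts, skipped

if __name__ == "__main__":
    rejected, bad = summarize(SAMPLE_LINES)
    for (service, location), n in rejected.items():
        print(f"{service} ({location}): {n} task dispatches rejected with 401")
    print(f"unparsable lines: {bad}")
```

A non-zero count for a service means the identity Cloud Tasks uses to call that function is not permitted to invoke it, which is the condition the IAM steps in the sample's README are meant to resolve.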