node.js firebase google-cloud-functions google-cloud-tasks

Creating a Google Cloud Task in a Firebase function


I'm getting an error in the firebase console functions log when calling a firebase HTTP function that tries to create a task.

Error: 7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource "projects/my-gcloud-project-id/locations/us-central1/queues/myqueuename" (or the resource may not exist).

Maybe I'm confused between the gcloud id & location versus the firebase id & location?

EDIT: I have confirmed my location is us-central1 by running gcloud --project my-gcloud-project-id tasks locations list

Or maybe somehow I need to set up permissions?

My code:



const functions = require('firebase-functions');
const { CloudTasksClient } = require('@google-cloud/tasks')

const projectId = 'my-firebase-project-id';
const location = 'us-central1'
const queue = 'myqueuename'

exports.onFormSubmit = functions.https.onRequest(async (req, res) => {
  const tasksClient = new CloudTasksClient()
  const queuePath = tasksClient.queuePath('my-gcloud-project-id', location, queue);

  const url = `https://google.com/` // edited for stack overflow
  const delaySeconds = 5;
  console.log('delaying for ', delaySeconds, ' seconds');

  const task = {
      httpRequest: {
          httpMethod: 'POST',
          url,
          body: '',
          headers: {
              'Content-Type': 'application/json',
          },
      },
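      scheduleTime: {
          // scheduleTime is an absolute Unix timestamp, so add the delay to "now"
          seconds: Math.floor(Date.now() / 1000) + delaySeconds
      }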
  }

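  const [ response ] = await tasksClient.createTask({ parent: queuePath, task })

  console.log('task name', response.name);
  // An HTTP function must send a response, otherwise it runs until it times out
  res.status(200).send(response.name);
});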


Solution

  • In order to create a Google Task, you have to add the correct permissions in IAM. In this case, as the error message shows, you have to add the cloudtasks.tasks.create permission to the service account that is invoking the Cloud Function.

    This can be done by going into the Cloud Console and then into IAM. Search for the service account, which is usually something like service-project-number@gcf-admin-robot.iam.gserviceaccount.com (update: it was my-project-id@appspot.gserviceaccount.com), and add the required permission. If you use role-based permissions, Cloud Tasks Enqueuer should be enough to create the tasks.
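
The check described in the answer, as an added example that is not part of the original question or answer: it reads the project, location and queue out of the PERMISSION_DENIED message and tests an IAM policy (in the `bindings` shape that `getIamPolicy` returns) for a role that carries `cloudtasks.tasks.create`. The role table is a partial list assumed for this example, conditional bindings are ignored, and the policies shown are constructed sample data.

```javascript
// Roles that include cloudtasks.tasks.create (partial list, assumption of this example).
const ROLES_WITH_CREATE = new Set(['roles/cloudtasks.enqueuer', 'roles/cloudtasks.admin']);

// Pull the missing permission and the resource it was checked against out of the error text.
function parseDenied(message) {
  const m = /lacks IAM permission "([^"]+)" for the resource "projects\/([^/]+)\/locations\/([^/]+)\/queues\/([^"/]+)"/.exec(message);
  if (!m) return null;
  const [, permission, project, location, queue] = m;
  return { permission, project, location, queue };
}

// policy has the shape returned by getIamPolicy: { bindings: [{ role, members: [] }] }.
function canCreateTasks(policy, serviceAccount) {
  const member = `serviceAccount:${serviceAccount}`;
  return (policy.bindings || []).some(
    (b) => ROLES_WITH_CREATE.has(b.role) && (b.members || []).includes(member)
  );
}

function diagnose(message, policy, serviceAccount) {
  const denied = parseDenied(message);
  if (!denied) return { ok: false, reason: 'not a Cloud Tasks permission error' };
  if (denied.permission !== 'cloudtasks.tasks.create') {
    return { ok: false, reason: `unhandled permission ${denied.permission}` };
  }
  if (canCreateTasks(policy, serviceAccount)) {
    return { ok: true, reason: `binding present; check that queue ${denied.queue} exists in ${denied.project}/${denied.location}` };
  }
  return {
    ok: false,
    reason: `${serviceAccount} has no role with ${denied.permission}`,
    // Least privilege: bind the enqueuer role on the one queue, not project-wide.
    fix: { resource: `projects/${denied.project}/locations/${denied.location}/queues/${denied.queue}`,
           role: 'roles/cloudtasks.enqueuer', member: `serviceAccount:${serviceAccount}` },
  };
}

// Constructed sample input: the error text from the question and two made-up policies.
const sampleError = '7 PERMISSION_DENIED: The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource "projects/my-gcloud-project-id/locations/us-central1/queues/myqueuename" (or the resource may not exist).';
const runtimeSa = 'my-project-id@appspot.gserviceaccount.com';
const before = { bindings: [{ role: 'roles/cloudtasks.viewer', members: [`serviceAccount:${runtimeSa}`] }] };
const after = { bindings: [...before.bindings, { role: 'roles/cloudtasks.enqueuer', members: [`serviceAccount:${runtimeSa}`] }] };

console.log(diagnose(sampleError, before, runtimeSa));
console.log(diagnose(sampleError, after, runtimeSa));
```

The project ID in the parsed resource is the one the permission was evaluated against, which is the project whose IAM policy needs the binding.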