Search code examples
firebasegoogle-cloud-platformfirebase-authenticationgoogle-cloud-functionsgoogle-identity

Google Cloud Platform before user created function not showing up in firebase auth/gcp identity to register

Context

I have created a cloud-blocking function (beforeUserCreated) through the Firebase CLI (and the v2 identity Firebase API), this has deployed successfully and can be seen on both Firebase and GCP functions.

On Firebase, it recognises the trigger as before user created firebase trigger

Problem

When I go to register the blocking function (in either Firebase auth or GCP identity) it doesn't give me the choice of selecting the uploaded function, which means the function does not run before user creation.

No selection available

Expected Outcome

According to these docs, the setup that I have completed should be enough to get this to appear as an option when choosing a function for before account creation (either in Firebase authentication->settings->blocking functions or GCP Identity->settings->triggers).

Attempted Solutions

  • Giving appropriate Firebase service accounts the cloud-run invoker role and the cloud functions invoker role as well as Firebase authentication & GCP identity roles (found here)
  • Deleting and recreating the function (and trying to update it)
  • Followed this guide for giving permissions to the correct principals (for the 2nd gen functions)
  • Double checked that the service ACC I'm using for the function is the same as the service acc that has the permissions
  • Ensured that Firebase authentication with Identity platform was enabled

I have also tried just creating accounts to see if even though I can't register it that it is already working.

The only hint I have is this warning: enter image description here

However that learn more article is the same as the one I've already followed.

Solution

  • tl;dr

    I know I am late here but it is currently not possible to use 2nd gen function as a blocking function (to assign the trigger). That's why you don't see that in the dropdown.

    Use the 1st gen functions as triggers.

    More info

    I searched in the docs, there is no mentioning about this in docs, probably forgotten. The only docs I found some indications in was this: https://cloud.google.com/functions/docs/calling#2nd-gen-triggers.

    You can see the note there mentioning Firebase Auth (which has the same backend). It is not Identity platform tho and even more interesting is the fact that these blocking functions apparently use HTTP triggers, so there is not much sense in this.

    You can see that yourself. When you click "CREATE FUNCTION" in the dropdown (the one that doesn't display your functions and says "none"), it will only allow you to select regions of 1st gen functions. This therefore tells you, though implicitly, that you can only have 1st gen functions there.

    I found out the hard way today as well. I tried to deploy to europe-west4 (only for 2nd gen functions). So I had to switch to the 1st gen and europe-west3.