firebase init functions fails with unnessary and useless error message "Error: HTTP Error: 403, The caller does not have permission"

[abdulmoeedammar]

[REQUIRED] Environment info

firebase-tools:
8.9.0

Platform:
Windows

[REQUIRED] Test case

Running firebase init functions results in "Error: HTTP Error: 403, The caller does not have permission" when the user has following roles:

• Firebase Develop Admin
• Cloud Functions Admin
• Service Account User

And there is no information which permission is missing either in the firebase documentation nor in the output of firebase CLI.

Also, it still fails even though the APIs (cloudfunctions.googleapis.com & runtimeconfig.googleapis.com) are already enabled for the project.

[REQUIRED] Steps to reproduce

1. Create a firebase project
2. Invite another user and assign him Firebase Develop Admin, Cloud Functions Admin & Service Account User roles.
3. Login with this new user in firebase login
4. Run firebase init functions
5. Use existing project and select this project.

[REQUIRED] Expected behavior

firebase init functions should run successfully if they required APIs are enabled already, and otherwise fail if the current user doesn't have required permission to enable the required APIs.

But even in case of failure there must be enough information for the user to solve the issue. i.e. giving user details about required APIs so that he can ask the project Owner to enable them, also informing user which permission/role is require to automatically enable the APIs.

[REQUIRED] Actual behavior

It fails with "Error: HTTP Error: 403, The caller does not have permission", which tells almost nothing about actual issue and how to resolve the problem.

[2020-08-26T13:58:09.436Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2020-08-26T13:58:09.678Z] > authorizing via signed-in user

     ######## #### ########  ######## ########     ###     ######  ########
     ##        ##  ##     ## ##       ##     ##  ##   ##  ##       ##
     ######    ##  ########  ######   ########  #########  ######  ######
     ##        ##  ##    ##  ##       ##     ## ##     ##       ## ##
     ##       #### ##     ## ######## ########  ##     ##  ######  ########

You're about to initialize a Firebase project in this directory:

  C:\Users\abdul\OneDrive\Documents\Work\firebase-test

? Are you ready to proceed? Yes

=== Project Setup

First, let's associate this project directory with a Firebase project.
You can create multiple project aliases by running firebase use --add,
but for now we'll just set up a default project.

? Please select an option: Use an existing project
[2020-08-26T13:58:20.684Z] >>> HTTP REQUEST GET https://firebase.googleapis.com/v1beta1/projects?pageSize=100

[2020-08-26T13:58:21.351Z] <<< HTTP RESPONSE 200 {"content-type":"application/json; charset=UTF-8","vary":"X-Origin, Referer, Origin,Accept-Encoding","date":"Wed, 26 Aug 2020 13:58:22 GMT","server":"ESF","cache-control":"private","x-xss-protection":"0","x-frame-options":"SAMEORIGIN","x-content-type-options":"nosniff","alt-svc":"h3-29=\":443\"; ma=2592000,h3-27=\":443\"; ma=2592000,h3-T050=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"","accept-ranges":"none","transfer-encoding":"chunked"}
? Select a default Firebase project for this directory: exceeders-app-staging (Exceeders App Staging)
i  Using project exceeders-app-staging (Exceeders App Staging)

=== Functions Setup

A functions directory will be created in your project with a Node.js
package pre-configured. Functions can be deployed with firebase deploy.

[2020-08-26T13:58:23.956Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2020-08-26T13:58:23.980Z] > authorizing via signed-in user
[2020-08-26T13:58:23.985Z] [iam] checking project exceeders-app-staging for permissions ["firebase.projects.get"]
[2020-08-26T13:58:24.016Z] >>> HTTP REQUEST POST https://cloudresourcemanager.googleapis.com/v1/projects/exceeders-app-staging:testIamPermissions
 {"permissions":["firebase.projects.get"]}
[2020-08-26T13:58:25.578Z] <<< HTTP RESPONSE 200 {"content-type":"application/json; charset=UTF-8","vary":"X-Origin, Referer, Origin,Accept-Encoding","date":"Wed, 26 Aug 2020 13:58:26 GMT","server":"ESF","cache-control":"private","x-xss-protection":"0","x-frame-options":"SAMEORIGIN","x-content-type-options":"nosniff","server-timing":"gfet4t7; dur=1190","alt-svc":"h3-29=\":443\"; ma=2592000,h3-27=\":443\"; ma=2592000,h3-T051=\":443\"; ma=2592000,h3-T050=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"","accept-ranges":"none","transfer-encoding":"chunked"}
[2020-08-26T13:58:25.604Z] >>> HTTP REQUEST POST https://serviceusage.googleapis.com/v1/projects/exceeders-app-staging/services/cloudfunctions.googleapis.com:enable

[2020-08-26T13:58:25.611Z] >>> HTTP REQUEST POST https://serviceusage.googleapis.com/v1/projects/exceeders-app-staging/services/runtimeconfig.googleapis.com:enable

[2020-08-26T13:58:27.347Z] <<< HTTP RESPONSE 403 {"vary":"X-Origin, Referer, Origin,Accept-Encoding","content-type":"application/json; charset=UTF-8","date":"Wed, 26 Aug 2020 13:58:28 GMT","server":"ESF","cache-control":"private","x-xss-protection":"0","x-frame-options":"SAMEORIGIN","x-content-type-options":"nosniff","alt-svc":"h3-29=\":443\"; ma=2592000,h3-27=\":443\"; ma=2592000,h3-T050=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"","accept-ranges":"none","transfer-encoding":"chunked"}
[2020-08-26T13:58:27.355Z] <<< HTTP RESPONSE BODY {"error":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED"}}
[2020-08-26T13:58:27.446Z] <<< HTTP RESPONSE 403 {"vary":"X-Origin, Referer, Origin,Accept-Encoding","content-type":"application/json; charset=UTF-8","date":"Wed, 26 Aug 2020 13:58:28 GMT","server":"ESF","cache-control":"private","x-xss-protection":"0","x-frame-options":"SAMEORIGIN","x-content-type-options":"nosniff","alt-svc":"h3-29=\":443\"; ma=2592000,h3-27=\":443\"; ma=2592000,h3-T050=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"","accept-ranges":"none","transfer-encoding":"chunked"}
[2020-08-26T13:58:27.464Z] <<< HTTP RESPONSE BODY {"error":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED"}}

Error: HTTP Error: 403, The caller does not have permission
[2020-08-26T13:58:27.702Z] Error Context: {
  "body": {
    "error": {
      "code": 403,
      "message": "The caller does not have permission",
      "status": "PERMISSION_DENIED"
    }
  },
  "response": {
    "statusCode": 403,
    "body": {
      "error": {
        "code": 403,
        "message": "The caller does not have permission",
        "status": "PERMISSION_DENIED"
      }
    },
    "headers": {
      "vary": "X-Origin, Referer, Origin,Accept-Encoding",
      "content-type": "application/json; charset=UTF-8",
      "date": "Wed, 26 Aug 2020 13:58:28 GMT",
      "server": "ESF",
      "cache-control": "private",
      "x-xss-protection": "0",
      "x-frame-options": "SAMEORIGIN",
      "x-content-type-options": "nosniff",
      "alt-svc": "h3-29=\":443\"; ma=2592000,h3-27=\":443\"; ma=2592000,h3-T050=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"",
      "accept-ranges": "none",
      "transfer-encoding": "chunked"
    },
    "request": {
      "uri": {
        "protocol": "https:",
        "slashes": true,
        "auth": null,
        "host": "serviceusage.googleapis.com",
        "port": 443,
        "hostname": "serviceusage.googleapis.com",
        "hash": null,
        "search": null,
        "query": null,
        "pathname": "/v1/projects/exceeders-app-staging/services/runtimeconfig.googleapis.com:enable",
        "path": "/v1/projects/exceeders-app-staging/services/runtimeconfig.googleapis.com:enable",
        "href": "https://serviceusage.googleapis.com/v1/projects/exceeders-app-staging/services/runtimeconfig.googleapis.com:enable"
      },
      "method": "POST"
    }
  }
}

[samtstern]

@abdulmoeedammar thanks for the feedback!

@mbleigh I don't know enough about IAM to address this ... can a user who doesn't have permission to enable APIs check if they are enabled?

[abdulmoeedammar]

@samtstern I tested it and the user who is getting error when enabling the APIs is able to check the status.

I tested this by calling ensure instead of enable method (which are defined in ensureAPIEnabled.js).

This works almost perfectly, so I believe this is the only change required to fix this issue.

[hosaka]

Was having the same issue today. Another developer with the same permission list as described by OP, calling firebase init functions in a project that had functions configured previously. We were getting the same 403 error. Solved, if I can say that, by making another dev the "Owner" of the Firebase project in the firebase dashboard.

[dnmeyer06]

Hello, any update on this issue? I'm experiencing the same problem.