question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

ApiError: Forbidden

See original GitHub issue

I want to use cloud functions for various image operations (metadata, thumbnails, watermarking). Unfortunately, in all image-related samples I encounter error:

ApiError: Forbidden    
at new util.ApiError (/user_code/node_modules/@google-cloud/storage/node_modules/@google-cloud/common/src/util.js:107:10)     
at Object.parseHttpRespMessage (/user_code/node_modules/@google-cloud/storage/node_modules/@google-cloud/common/src/util.js:149:33)     
at Object.handleResp (/user_code/node_modules/@google-cloud/storage/node_modules/@google-cloud/common/src/util.js:124:18)     
at Duplexify.<anonymous> (/user_code/node_modules/@google-cloud/storage/src/file.js:711:21)    
at emitOne (events.js:96:13)    
at Duplexify.emit (events.js:188:7)     
at emitOne (events.js:96:13)     
at DestroyableTransform.emit (events.js:188:7)     
at emitOne (events.js:96:13)     
at Request.emit (events.js:188:7)

Storage rules

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read;
      allow write: if request.auth != null;
    }
  }
}

I tried samples:

  • exif-images
  • convert-images
  • generate-thumbnail

I’m copy pasting index.js and package.json content without changes. Storage triggers are working, there is no error if image operations will not be executed ( in case of deletion event, or if image is already jpg in convert-images sample), but it will crash when line return bucket.file(filePath).download({destination: tempLocalFile}).then(() => { is reached.

Thanks in Advance.

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:8 (1 by maintainers)

github_iconTop GitHub Comments

7reactions
eltonnobregacommented, Dec 22, 2017

Hello, I’m going to describe in detail the problems you face so that you and other people do not go through it and the firebase team can fix the bugs.

I used “Image resizing using Node.js Stream and Sharp - Cloud Storage trigger” - link here.

It worked fine in the standard bucket. But when… I created a non-default Storage bucket (multiple storage buckets), in which the firebase functions did not work.

You have the following message: Code: ApiError: uplak-dev-a8ddc@appspot.gserviceaccount.com does not have storage.objects.get access to uplak-dev-photoup/profile/aEeQlUlW7adhDapiiUcFqXuncss1/photo.jpg. at Object.parseHttpRespMessage (/user_code/node_modules/@google-cloud/storage/node_modules/@google-cloud/common/src/util.js:161:33) at Object.handleResp (/user_code/node_modules/@google-cloud/storage/node_modules/@google-cloud/common/src/util.js:136:18) at Duplexify.self.requestStream.on.on.res (/user_code/node_modules/@google-cloud/storage/src/file.js:542:21) at emitOne (events.js:96:13) at Duplexify.emit (events.js:188:7) at emitOne (events.js:96:13) at DestroyableTransform.emit (events.js:188:7) at onResponse (/user_code/node_modules/@google-cloud/storage/node_modules/retry-request/index.js:189:19) at Request.<anonymous> (/user_code/node_modules/@google-cloud/storage/node_modules/retry-request/index.js:144:11) at emitOne (events.js:96:13)

Image: not-have-storage_objects_get-access

I’ve accessed google cloud storage to check the default and non-default bucke pemissions. Image of the default bucket permissions: permissions-default-bucket

Image of non-default bucket permissions: permissions-no-default-bucket

I added the “firebase-storage@system.gserviceaccount.com” permission to the “Storage Legacy Bucket Owner” but the problem continued.

I added “rebase-adminsdk-cbdca @ <Project-ID> .iam.gserviceaccount.com” to the “Storage Legacy Bucket Owner” but the problem continued.

I added “<Project-ID> @ appspot.gserviceaccount.com” to the “Storage Legacy Bucket Owner” but the problem continued.

The problem was solved when I added “<Project-ID> @ appspot.gserviceaccount.com” to the “Storage Admin”.

With this action happened another problem: The thumbnail created with firebase functions is not accessible in the firebase storage console.

When trying to see the thumbnail I see the following error in the browser console: Image: error-view-thumbnail

When trying to see the thumbnail when trying to download another error: Image: error-download-thumbnail

I solved the problem by adding “Owners of project: <Project-ID>” to “Storage Admin”.

I believe that when I used the “Storage Admin” permission for the firebase functions to execute, the function created a file with access allowed only for users with “Storage Admin” permission, and after I added “Storage Admin” permissions to <Project -ID> he got that access.

I believe it should work as follows: When user add a non-default bucket (multiple storage), it should receive the same permissions as the default bucket.

Sorry if I was not clear or I put a lot of information, but I’m just trying to help.

Read more comments on GitHub >

github_iconTop Results From Across the Web

How do I troubleshoot HTTP 403 errors from API Gateway?
An HTTP 403 response code means that a client is forbidden from accessing a valid URL. The server understands the request, ...
Read more >
403 Forbidden Error: What It Is and How to Fix It - Airbrake Blog
The 403 Forbidden Error is an HTTP response status code that indicates an identified client does not have proper authorization to access the ......
Read more >
403 Forbidden - HTTP - MDN Web Docs - Mozilla
The HTTP 403 Forbidden response status code indicates that the server understands the request but refuses to authorize it.
Read more >
403 Forbidden error received in response to a Rest API request
I am using a new Application to get my Daily Extract files but the request is failing with 403 Forbidden error.
Read more >
Streaming API Error: 403::Handshake denied - Google Groups
StageException: FORCE_09 - Streaming API Error: 403::Handshake denied. Version I'm running: StreamSets Data Collector 2.7.0.0 ( built by jenkins on ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found