To deploy my Firebase project, I have set up a service account with the roles:
- Cloud Functions Admin
- Firebase Admin
- Service Account User
It works fine with Hosting and Cloud Functions triggered by Firestore or HTTPS, but it fails with a function on schedule.
What additional role do I need?
Edit: the only related output messages are:
i functions: updating Node.js 14 function schedule-statistics(europe-west3)...
...
✔ functions[schedule-statistics(europe-west3)]: Successful update operation.
...
Functions deploy had errors with the following functions:
schedule-statistics(europe-west3)
Edit: additional test: when deploying using my logged-in CLI on my machine, I see this additional message, which is missing when deploying with the service account:
✔ functions[schedule-statistics(europe-west3)]: Successful upsert schedule operation.
Edit: by adding logs as suggested by @Dharmaraj, I can see the missing permissions:
The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.get\"
...
The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.update\"
So when adding the "Cloud Scheduler Admin", it works!
I was misled because I already set this role to the service account but within another project, and it does not propagate! Lesson learned at the expense of a nice afternoon.
The answer is: add role "Cloud Scheduler Admin".
The gotcha is: roles set to a service account in one project do not propagate to the same service account in another project.
The nice lesson is: add --debug to see additional logs, including missing permissions, thanks @Dharmaraj
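Added example (not part of the original post): a small shell filter that pulls the distinct missing permissions out of `firebase deploy --debug` output, so the role gap in the target project is visible at a glance. The sample log is constructed around the two permission lines quoted above; the function names, PROJECT_ID and SA_EMAIL are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Constructed sample of `firebase deploy --debug` output. The two permission
# names are the ones quoted in the post; the other lines are made up.
sample_debug_log() {
  cat <<'EOF'
[debug] constructed line: starting deploy
The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.get\"
[debug] constructed line: retrying
The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.update\"
The principal (user or service account) lacks IAM permission "cloudscheduler.jobs.get"
EOF
}

# Read a debug log on stdin and print each distinct missing permission once.
# Accepts the name quoted as "..." or as \"...\" (JSON-escaped in the log).
missing_iam_permissions() {
  sed -n 's/.*lacks IAM permission \\\{0,1\}"\([A-Za-z0-9._]*\)\\\{0,1\}".*/\1/p' | sort -u
}

# Reduce the permissions to their service prefix (text before the first dot),
# which shows which product's role is absent in this project.
missing_iam_services() {
  missing_iam_permissions | cut -d. -f1 | sort -u
}

# Real usage (assumes the Firebase CLI is installed and authenticated):
#   firebase deploy --only functions --debug 2>&1 | missing_iam_permissions
#
# Roles are granted per project, so list what the service account holds in the
# project being deployed to (PROJECT_ID and SA_EMAIL are placeholders):
#   gcloud projects get-iam-policy PROJECT_ID \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:SA_EMAIL" \
#     --format="value(bindings.role)"

# Demo on the constructed sample.
sample_debug_log | missing_iam_permissions
```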