This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Permission "artifactregistry.repositories.downloadArtifacts" denied with Firebase Cloud Function

Posted on 04-16-2025 02:14 AM
JackyHon
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello. I am trying to deploy Firebase cloud function with Firebase gen 2nd. But error comes out when I deploy the function by calling:

firebase deploy --only functions:myFunction

The error log found in Cloud Build saying that:

ERROR: failed to create image cache:
accessing cache image "us-central1-docker.pkg.dev/[Project ID]/gcf-artifacts/[Project--ID]__us--central1__my_function/cache:latest":
connect to repo store "us-central1-docker.pkg.dev/[Project ID]/gcf-artifacts/[Project--ID]__us--central1__my_function/cache:latest":
GET https://us-central1-docker.pkg.dev/v2/token?scope=repository%3A[Project ID]%2Fgcf-artifacts%2F[Project--ID]__us--central1__my_function%2Fcache%3Apull&service=:
DENIED: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/[Project ID]/locations/us-central1/repositories/gcf-artifacts" (or it may not exist)
 Actually, Firebase has created an account automatically for cloud function ([project-number]@cloudbuild.gserviceaccount.com). But the account can only be found in the setting page in Cloud Build, not in service account of IAM. And the cloud function seems not using the created account.


So I set up a service account for the cloud function. I have assigned some roles including "roles/cloudbuild.builds.builder" and "roles/artifactregistry.writer" to the new account. And set the new account to be the service account of Firebase CLI.

I have also double checked "gcf-artifacts" exists in Artifact Registry, and configured docker according to the setup instructions in Artifact Registry. But none of these changes the build failure result.

Did I set anything wrongs? Or are there any other ways to set up Firebase Cloud Function? I have set up Firebase Cloud Function in another project many years ago and did not face this issue. I am worried whether I am on the right track. Thanks.

Solved Solved
1 3 841
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
JackyHon
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

TLDR: The function deploy successfully after assigning "roles/cloudbuild.builds.builder" to [Project Number]-compute@developer.gserviceaccount.com.

The solution may not work for everyone. So I will also share how I found the solution.

I try to deploy the function using gcloud instead of firebase:

gcloud functions deploy myFunction

And the messages come out:

The default build service account [[Project Number]-compute@developer.gserviceaccount.com] is missing the
[roles/cloudbuild.builds.builder] role. This may cause issues when deploying a function. You could fix it by running the
 command:
gcloud projects add-iam-policy-binding [Project ID] \
 --member=serviceAccount:[Project Number]-compute@developer.gserviceaccount.com \
 --role=roles/cloudbuild.builds.builder
For more information, please refer to: https://cloud.google.com/functions/docs/troubleshooting#build-service-account.
 Would you like to continue? (y/N)?

So I follow the message to assign the role to the account it asked for. After that the function is deployed successfully. If you are using Firebase and not sure which roles are missing, you may try to deploy the function using gcloud instead of firebase to see what is going wrong.

View solution in original post

Jump to Solution
0 Likes
3 REPLIES 3
Top Solution Authors
View all