This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Firebase Functions v1 Auth Trigger (`onCreate`) Deployment Fails with 403 on `generateUploadUrl`

Posted on 04-26-2025 09:03 AM
pSyalvia
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi all,

I'm facing a deployment issue specifically when trying to deploy a **v1 Firebase Authentication trigger function (`functionsV1.auth.user().onCreate()`)**. My project also contains other v2 Cloud Functions (e.g., `onCall`) which deploy successfully when the v1 function is commented out.

**Problem:**

When deploying the v1 Auth trigger function to the `europe-west9` region (also tried others regions), the deployment fails with:

```
! functions: Upload Error: Request to https://cloudfunctions.googleapis.com/v1/projects/[MY_PROJECT_ID]/locations/europe-west9/functions:g... had HTTP Error: 403, Permission denied on 'locations/europe-west9' (or it may not exist)

Error: Request to https://cloudfunctions.googleapis.com/v1/projects/[MY_PROJECT_ID]/locations/europe-west9/functions:g... had HTTP Error: 403, Permission denied on 'locations/europe-west9' (or it may not exist)
```

**Context & Troubleshooting:**

* I need the v1 trigger because v2 functions don't support Auth triggers yet.
* The deploying user account has the **Owner** role on the project.
* **App Engine exists** for the project (verified via `gcloud app describe`).
* All relevant APIs (Cloud Functions, Cloud Build, Artifact Registry, Cloud Run, IAM, Storage, App Engine Admin, Logging, Pub/Sub) appear to be **enabled**.
* Explicit permissions (Cloud Functions Admin, Cloud Build Editor/Admin, Artifact Registry Admin, Cloud Run Admin, Storage Admin, Service Account User) have been granted to both the **deploying user** and the **Cloud Build service account** (`[PROJECT_NUMBER]@cloudbuild.gserviceaccount.com`).
* The App Engine default service account (`[MY_PROJECT_ID]@appspot.gserviceaccount.com`) has the **Editor** role, plus explicit Secret Manager Accessor, Functions Invoker, and Pub/Sub Subscriber roles.
* Permissions on the `gcf-sources...` bucket seem correct.
* **Crucially: Deploying ONLY v2 functions to the same region works fine.** The 403 error *only* appears when the v1 `auth.user().onCreate()` function is included.
* No logs are generated for the v1 function in Cloud Logging, indicating it doesn't even start deploying properly.

**Question:**

Has anyone encountered this specific 403 error on `generateUploadUrl` **only when deploying v1 Auth triggers**, even with Owner permissions and seemingly correct API/IAM setup? Could there be a hidden dependency or permission specific to v1 Auth function deployment infrastructure in certain regions, perhaps related to App Engine's underlying state even if it "exists"?

Any insights would be greatly appreciated!

0 1 484
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
-Rhett
Staff
Reply posted on --/--/---- --:-- AM

Hi @pSyalvia,

Welcome to the Google Cloud Community!

The 403 error you're seeing is related to missing permissions or IAM role configurations specific to Firebase v1 Auth trigger deployments. Even if the deploying user has the Owner role, Cloud Functions for Firebase requires more granular permissions. Refer to the Cloud Functions for Firebase IAM permissions for a complete list of what's needed. For more info about authentication triggers, see Firebase Auth triggers and Cloud Functions (1st Gen) Auth integration.

Additionally, for Cloud Run functions (1st gen), ensure the correct authentication and access controls are in place. For 1st gen functions, the roles/cloudfunctions.invoker for a specific principal or for allUsers is required to authenticate. For more details, see Authenticate for invocation (1st gen) and Allowing unauthenticated HTTP function invocation and the image below.

Rhett_0-1746126917743.png

If your use case allows it, I also highly recommend that you Upgrade to Cloud Functions (2nd gen) for more triggers, runtime support, and improved configurability.

Feel free to reach out to the available support channels for Cloud Run functions (1st gen) or Firebase for more help.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

0 Likes
Top Solution Authors
View all