Firebase Functions v1 Auth Trigger (`onCreate`) Deployment Fails with 403 on `generateUploadUrl`

Google Cloud Serverless Applications
,
1

Hi all,

I’m facing a deployment issue specifically when trying to deploy a v1 Firebase Authentication trigger function (functionsV1.auth.user().onCreate()). My project also contains other v2 Cloud Functions (e.g., onCall) which deploy successfully when the v1 function is commented out.

Problem:

When deploying the v1 Auth trigger function to the europe-west9 region (also tried others regions), the deployment fails with:

! functions: Upload Error: Request to [https://cloudfunctions.googleapis.com/v1/projects/[MY_PROJECT_ID]/locations/europe-west9/functions:generateUploadUrl](https://cloudfunctions.googleapis.com/v1/projects/[MY_PROJECT_ID]/locations/europe-west9/functions:generateUploadUrl) had HTTP Error: 403, Permission denied on 'locations/europe-west9' (or it may not exist)

Error: Request to [https://cloudfunctions.googleapis.com/v1/projects/[MY_PROJECT_ID]/locations/europe-west9/functions:generateUploadUrl](https://cloudfunctions.googleapis.com/v1/projects/[MY_PROJECT_ID]/locations/europe-west9/functions:generateUploadUrl) had HTTP Error: 403, Permission denied on 'locations/europe-west9' (or it may not exist)

Context & Troubleshooting:

  • I need the v1 trigger because v2 functions don’t support Auth triggers yet.
  • The deploying user account has the Owner role on the project.
  • App Engine exists for the project (verified via gcloud app describe).
  • All relevant APIs (Cloud Functions, Cloud Build, Artifact Registry, Cloud Run, IAM, Storage, App Engine Admin, Logging, Pub/Sub) appear to be enabled.
  • Explicit permissions (Cloud Functions Admin, Cloud Build Editor/Admin, Artifact Registry Admin, Cloud Run Admin, Storage Admin, Service Account User) have been granted to both the deploying user and the Cloud Build service account ([PROJECT_NUMBER]@cloudbuild.gserviceaccount.com).
  • The App Engine default service account ([MY_PROJECT_ID]@appspot.gserviceaccount.com) has the Editor role, plus explicit Secret Manager Accessor, Functions Invoker, and Pub/Sub Subscriber roles.
  • Permissions on the gcf-sources... bucket seem correct.
  • Crucially: Deploying ONLY v2 functions to the same region works fine. The 403 error only appears when the v1 auth.user().onCreate() function is included.
  • No logs are generated for the v1 function in Cloud Logging, indicating it doesn’t even start deploying properly.

Question:

Has anyone encountered this specific 403 error on generateUploadUrl only when deploying v1 Auth triggers, even with Owner permissions and seemingly correct API/IAM setup? Could there be a hidden dependency or permission specific to v1 Auth function deployment infrastructure in certain regions, perhaps related to App Engine’s underlying state even if it “exists”?

Any insights would be greatly appreciated!

2

Hi @pSyalvia ,

Welcome to the Google Cloud Community!

The 403 error you’re seeing is related to missing permissions or IAM role configurations specific to Firebase v1 Auth trigger deployments. Even if the deploying user has the Owner role, Cloud Functions for Firebase requires more granular permissions. Refer to the Cloud Functions for Firebase IAM permissions for a complete list of what’s needed. For more info about authentication triggers, see Firebase Auth triggers and Cloud Functions (1st Gen) Auth integration.

Additionally, for Cloud Run functions (1st gen), ensure the correct authentication and access controls are in place. For 1st gen functions, the [roles/cloudfunctions.invoker](https://cloud.google.com/iam/docs/understanding-roles#cloudfunctions.invoker) for a specific principal or for allUsers is required to authenticate. For more details, see Authenticate for invocation (1st gen) and Allowing unauthenticated HTTP function invocation and the image below.

Rhett_0-1746126917743.png
Rhett_0-1746126917743.png473×625 27 KB

If your use case allows it, I also highly recommend that you Upgrade to Cloud Functions (2nd gen) for more triggers, runtime support, and improved configurability.

Feel free to reach out to the available support channels for Cloud Run functions (1st gen) or Firebase for more help.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.