Skip to content
AnglinAI Docs

Fix Firebase Functions Permissions

To fix the error: β€œUnable to retrieve the repository metadata for projects/your-project-id/locations/us-central1/repositories/gcf-artifacts”, follow these steps:

1. Enable the Artifact Registry API

First, you need to enable the Artifact Registry API for your project:

Terminal window
gcloud services enable artifactregistry.googleapis.com --project=your-project-id

2. Grant the Cloud Functions Service Account the Required Permissions

The Cloud Functions service account needs the Artifact Registry Reader role:

Terminal window
# Get the project number (needed for service account identification)
PROJECT_NUMBER=$(gcloud projects describe your-project-id --format="value(projectNumber)")


# Grant Artifact Registry Reader role to the Cloud Functions service account
gcloud projects add-iam-policy-binding your-project-id \
  --member=serviceAccount:service-${PROJECT_NUMBER}@gcf-admin-robot.iam.gserviceaccount.com \
  --role=roles/artifactregistry.reader

3. Grant Additional Required Permissions

You may also need to grant the following permissions:

Terminal window
# Grant Storage Object Viewer role
gcloud projects add-iam-policy-binding your-project-id \
  --member=serviceAccount:service-${PROJECT_NUMBER}@gcf-admin-robot.iam.gserviceaccount.com \
  --role=roles/storage.objectViewer


# Grant Artifact Registry Repository Administrator role (if needed)
gcloud projects add-iam-policy-binding your-project-id \
  --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
  --role=roles/artifactregistry.admin

4. Using Firebase Console (Alternative Method)

If you prefer using the Firebase Console:

  1. Go to the Firebase Console
  2. Select your project
  3. Go to Project Settings > Service accounts
  4. Click on β€œManage service account permissions” (this will take you to Google Cloud Console)
  5. Find the service account named β€œApp Engine default service account” or β€œCloud Functions service account”
  6. Click on the edit icon (pencil)
  7. Add the following roles:
    • Artifact Registry Reader
    • Storage Object Viewer

5. Wait and Re-deploy

After setting permissions, wait a few minutes for them to propagate, then try deploying again:

Terminal window
firebase deploy --only functions

Troubleshooting Further Permission Issues

If you encounter additional permission issues, you might need to grant more roles to the service accounts:

Terminal window
# Cloud Build Service Account
gcloud projects add-iam-policy-binding your-project-id \
  --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
  --role=roles/cloudfunctions.developer


# Cloud Functions Service Account - Service Agent role
gcloud projects add-iam-policy-binding your-project-id \
  --member=serviceAccount:service-${PROJECT_NUMBER}@gcf-admin-robot.iam.gserviceaccount.com \
  --role=roles/cloudfunctions.serviceAgent

Remember to replace your-project-id with your actual project ID if it’s different.