Which Roles are needed in IAM in order to do a firebase deploy - firebase

I'm trying to add the needed roles for a CI pipeline to automatically deploy to Firebase (by running firebase deploy).
The roles I've added so far are:
API Keys Viewer
Artifact Registry Writer
Cloud Build Service Account
Cloud Functions Admin
Cloud Run Viewer
Firebase App Distribution Admin
Firebase Authentication Admin
Firebase Hosting Admin
Firebase Rules Admin
Service Account User
Service Usage Admin
Honestly, at this point I'm just adding what sounds good, as the error message is not helpful:
There was an issue deploying your functions. Verify that your project
has a Google App Engine instance setup at
https://console.cloud.google.com/appengine and try again. If this
issue persists, please contact support.
It works when adding the Owner permission, so this is a permission issue.

As you want to deploy the entire project, the most applicable role would be Firebase Admin.
I use it in Portuguese, so the translation in English may be different.

For deploying the hosting app, the IAM role must be either an Owner or Editor. Sometimes updating to the latest version of a Node package/Firebase tool will resolve the issue, as per my experience.
npm install -g firebase-tools
It will provide the globally accessible firebase command.
For reference: https://firebase.google.com/docs/projects/iam/roles
For any deployments, you need the first Firebase token, which is GCP_SA_key, for whatever you want to deploy or update.
There are different scenarios; let me elaborate with reference:
Cloud Functions Developer IAM role for deploying functions
Cloud Scheduler Admin IAM role for scheduling your functions
Service Account User IAM role: by default, the service account using App Engine for the deployment process requires the Service Account User role.
You need more roles to update Firestore rules, indexes, and files:
Firebase Rules Admin role for updating Firestore rules.
Cloud Datastore Index Admin role for updating Firestore indexes.
Firebase Hosting Admin role for updating files.
Further details reference added: GitHub Integration/deployments roles
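
As an added example (not part of the original answers), this Python script audits a project IAM policy for a CI deploy account: it reports Owner/Editor bindings, which roles from the list above are missing, and which extra roles are held. The role IDs are this example's mapping of the display names in the answer, and the service account, user and policy are constructed sample data.

```python
import json
import sys

# Role IDs for the display names in the answer above. The mapping is this
# example's assumption; confirm each ID against the Firebase IAM roles page.
DEPLOY_ROLES = {
    "roles/cloudfunctions.developer",  # Cloud Functions Developer
    "roles/cloudscheduler.admin",      # Cloud Scheduler Admin
    "roles/iam.serviceAccountUser",    # Service Account User
    "roles/firebaserules.admin",       # Firebase Rules Admin
    "roles/datastore.indexAdmin",      # Cloud Datastore Index Admin
    "roles/firebasehosting.admin",     # Firebase Hosting Admin
}
# Basic roles that, per the answers on this page, allow deploying anything.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def audit_member(policy, member):
    """Compare the roles bound to `member` with the deploy role set."""
    held = {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }
    return {
        "broad": sorted(held & BROAD_ROLES),      # should be empty for CI
        "missing": sorted(DEPLOY_ROLES - held),   # still to be granted
        "extra": sorted(held - DEPLOY_ROLES - BROAD_ROLES),  # review or remove
    }


# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
CI_SA = "serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:dev@example.com", CI_SA]},
    {"role": "roles/firebasehosting.admin", "members": [CI_SA]},
    {"role": "roles/cloudfunctions.developer", "members": [CI_SA]},
    {"role": "roles/iam.serviceAccountUser", "members": [CI_SA]},
    {"role": "roles/run.viewer", "members": [CI_SA]},
]}

if __name__ == "__main__":
    # Optional arguments: path to a saved policy JSON file, then the member.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    member = sys.argv[2] if len(sys.argv) > 2 else CI_SA
    print(json.dumps(audit_member(policy, member), indent=2))
```
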

Related

How to prevent registration to Firebase project?

As per the Firebase documentation, the contents of google-services.json are considered public. These can be easily retrieved by decompiling the apk.
If so, is there a way to prevent apps from registering with my Firebase project?
I understand that the registration works on the basis of package name. While it's not possible to publish an app with a duplicate package name, for development it is very much possible.
I created a dummy app, and my dummy app successfully registered with my production project. So, looking for a way to prevent that from happening.
You should be connecting your app to Firebase Emulator for local development.
You can go to Firebase console -> Authentication tab -> Sign-in Method tab, and remove localhost from Authorized domain, that way your app will never connect to production DB.

Google App Maker: Unable to choose Cloud SQL option for deployment

I wish to run an App Maker application as a specific user and have created an account specifically for deploying with "run as the developer".
Using my normal account I have no issues deploying but when using the new account I do not get any options presented for Cloud SQL. As this user is not able to choose either option then it is impossible to deploy the app.
The following has been checked already
The new user has the same application rights as my normal user within the G-Suite admin console.
The new user has editor rights to the App Maker project (is owner).
The new user has owner rights to the GCP project that hosts the default Cloud SQL instance.
The default Cloud SQL instance is the same for both users.
Is there anything I am missing that could cause this behaviour?

How to Implement Firebase Project to another Account?

I have downloaded a project from GitHub in which Firebase is used for authentication and database. I have no access to that database, but I want to make some changes to that Firebase account. Can I transfer one project (having no access to that account) to a new Firebase

Can firebase "deploy access" be restricted?

We are bringing in a new developer for our Firebase web app project, who will start out by just learning the code in his local environment.
Since the new developer will be running Firebase CLI in the local env., is there a way to set up his initial role on the project such that he is [not able] to run firebase deploy commands?
~~~~~~~~~~~~~~~~~~~~~~~~~
I did find this doc from Google:
https://cloud.google.com/iam/docs/understanding-roles?_ga=2.49153190.-1888993.1468450573#curated_roles
It discusses deploy access in section: App Engine Roles .. not sure if that is for Firebase as well.
If so, are there any additional references for how to go about applying these kinds of roles to a Firebase project?
Anyone who has the "editor" or "owner" role for a project will be able to deploy (and generally make any other changes to the project). If you don't want an account to be able to deploy, don't give either of those roles.

What IAM roles are needed for deploying to Firebase Hosting?

I am trying to give permissions to a third party to make deployments to Firebase Hosting on a project I have set up. I explored the IAM permissions available in the GCP console, and the only half-related role seems to be the Firebase Rules System, however that didn't allow the user to deploy to hosting. While Project Editor would probably work, I don't want to give them that much authority, as they could launch other Firebase products at my expense.
What IAM roles should I add to allow a user to deploy to Firebase Hosting?
Update (2018-11-12): Firebase seems to have added more granular permission settings with their October 28, 2018 release:
The Firebase console now offers predefined Firebase roles. These new roles enable more granular access than the primitive Owner/Editor/Viewer roles. To edit member access for your project, visit the Firebase console Users and permissions page. For more information on roles, see Manage project access with Firebase IAM.
Digging deeper, I found these IAM entries related to hosting: https://firebase.google.com/docs/projects/iam/permissions#hosting
Original answer:
I asked Firebase support and the following was their reply:
To be able to deploy hosting app your developer must be either an
Owner or Editor. So in your case, lowest privilege that you can give
is Editor because currently role-based access restriction for Static
Hosting is unavailable. We're aware that many developers, such as
yourself, would like more extensive and granular control for
permissions. We're exploring potential solutions, but I can't share
any details or timelines at this time.
Keep an eye out on our release notes for any further updates.
