I'm trying to deploy firebase rules using firebase cli. I want to achieve that using service account impersonation, which works for other operations that I perform, but surely not when using firebase cli.
I get the following error, despite setting auth/impersonate_service_account setting in my config.
Error: HTTP Error: 403, Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the firebaserules.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
The solution that worked is the following:
firebase \
--token $(gcloud auth print-access-token --impersonate-service-account=<sa>) \
deploy --only firestore:rules
Related
I have the firebase emulator running in a docker container locally for testing. The emulator includes everything I'm using for my app (firestore, auth, functions, storage) so that I can develop and test independently of the production environment.
However, I'm getting these warnings which are making me nervous:
functions: Beginning execution of "myFunction"
⚠ External network resource requested!
- URL: "http://---.---.---.---/computeMetadata/v1/instance"
- Be careful, this may be a production service.
I don't know what that URL is? Does it mean I've misconfigured something somewhere?
I'm also getting these warnings:
⚠ emulators: You are not currently authenticated so some features may not work correctly. Please run firebase login to authenticate the CLI.
⚠ functions: You are not signed in to the Firebase CLI. If you have authorized this machine using gcloud application-default credentials those may be discovered and used to access production services.
⚠ functions: Unable to fetch project Admin SDK configuration, Admin SDK behavior in Cloud Functions emulator may be incorrect.
But I don't think I want to authenticate, right? I don't want to touch anything to do with the live project on production while testing locally. Can I safely ignore these, or is there a good reason to authenticate?
The warnings are indicative that there had some issues while initialization during the setup for emulators .
Make sure that the emulator is installed by the following command: firebase setup:emulators:firestore, for this you can refer Documentation.
Deploy your function in the firebase in order to get recognized. you can refer to the Documentation using firebase deploy --only functions
Also to be sure please check your Firebase json and see if the local host is configured and not the production host,just to be sure.
For further reference you can follow up the stackoverflow thread Docker authentication issueand Firestore emulatorwhere a similar issue has been raised by other users which might be helpful.
When tryin to create firebase resources using pulumi I get following error:
error: 1 error occurred:
Error creating Project: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the firebase.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.
As far as I understand this, the only way to use Pulumi with a Firebase project is to use the service account (with proper access) and it is not possible to use the gloud ... way to authenticate?
I'm trying to deploy a Firebase hosted project with a Service Account (that I created myself, not one provided by Google/Firebase as default) via a pipeline (Gitlab, but that shouldn't matter for this issue).
When I run the following command locally (same happens in the pipeline):
GOOGLE_APPLICATION_CREDENTIALS="/path/to/serviceaccount.json" firebase deploy --only hosting
I'm getting the following error:
=== Deploying to 'my-firebase-project'...
i deploying hosting
Error: HTTP Error: 403, The caller does not have permission
The --debug does not provide any more details, other than the 403. I've set the following roles to the serviceaccount:
Firebase Hosting Admin
Firebase Rules Admin
API keys viewer
Deploying the rules (using --only firestore) works without issues. I've read the documentation about the roles of Firebase hosting, but assigning these don't work either.
Does anyone know which roles I'm missing?
Note: a service account is used here to do a deployment, so any firebase login / firebase logout actions won't have any effect. See Login to firebase using gcloud service account for details.
With the help of Firebase support, I was pointed to the Deploying to Firebase page, which provides an enumeration of all required roles. To sum it up here:
Cloud Build Service Account
Firebase Admin
API Keys Admin
I was missing the first one, which resulted in this error. Hope that this'll help others as well!
You have to add the role at the cluster level using oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:myproject:default
I have a Firebase project under a GCP organization. I have NodeJS 10 callable functions which work fine with Firebase local emulator and in in GCP functions test page, but when attempting to call them in production using httpsCallable in a webapp, I get 401 Unauthorized - Your client does not have permission to the requested URL
There is practically nothing my test function - it just returns a hardcoded string. There is nothing in the logs after the call attempts.
The function call attempt is done after passing Firebase authentication in the webapp, and in development I see that the user is indeed passed to the context parameter.
I use Firebase Tools 8.0.2 to deploy.
In GCP console function details I see "Ingress settings - Allow all traffic", and as I wrote above, it runs successfully from the test tab there.
I tried to make the function public but I can't set permissions in the console or gcloud. When I try to run the following command with gcloud:
gcloud functions add-iam-policy-binding my-function-name \
--member="allUsers" \
--role="roles/cloudfunctions.invoker"
I get:
ERROR: (gcloud.functions.add-iam-policy-binding) ResponseError: status=[403], code=[Forbidden], message=[Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/my-project-name/locations/us-central1/functions/my-function-name' (or resource may not exist).]
even though my account has the following roles: Project Owner, Cloud Functions Admin, Security Admin, IAP Policy Admin, Organization Administrator
Any guidance will be appreciated.
Per John's instructions, it turned out gcloud was set to an incorrect active account, so I set it to the correct account that had the required permissions using gcloud config set account my-email#my-domain.com and then I was able to make the function publicly invokable using
gcloud functions add-iam-policy-binding my-function-name \
--member="allUsers" \
--role="roles/cloudfunctions.invoker"
I'm trying deploy my firebase app. But when I try run 'firebase deploy', I got:
Is any way to deploy the app automatically ( without human login to dashboard) ? I care only to send on firebase security rules.
You can use firebase login:ci to work with continuous integration systems.
The command firebase login:ci will create a token, then you can use this token for deploying with:
firebase deploy --token
See the Github repo section on CI Systems for more information.