A project that we are building uses the Google cloud identity toolkit multi-tenant feature. We have two tenants that we are actively using. We interact with all of this through Firebase's authentication suite.
I've noticed that when using this the user accounts do not show up in Firestore's UI anymore. The same goes for the local emulator.
I know the user has been created because when I log in I get back the correct uid matching the user profile created in firestore that I can see in the local emulator.
I'd like to know if anyone can help me with one of the following:
Is there a way to manage the users created for a multi-tenant setup through the emulator?
Is there a way for me to use gcloud cli locally to manage the users that I have created locally?
Good news! The updated version of the emulator will show you tenants. Once you run the emulator, attempt to login as a user through a tenant, and your "auth" page will magically get a "Tenant" dropdown.
Bad news! The non-default-tenant users don't seem to persist by any export method I have discovered so far.
As for seeing those users in the firebase console, it's pretty easy, but an extra step. Under "authentication" in the firebase console, you should see a tenant dropdown.
If you open that, there will be a link "Other tenants can be managed in the Google Cloud Console". Click it, then click "users" on the left. Finally choose your tenant in the "Tenant" dropdown.
I have an android app which has firebase analytics enabled. I am able to see events in firebase console. Now I want to connect it with big query. As I am using a team account for firebase, asked admin to give me owner access in firebase and editor access in connected google analytics account. After getting both access I tried to connect big query in firebase but it was not allowing me to select Google Analytics option while creating link. When I hover over that option it is showing message as "You need to be an Editor on the Google Analytics account linked to your project to modify BigQuery export". I am not sure what changes am I supposed to do to enable this and create a big query connection. Please help.
While you have the permissions in firebase you need to have Editor access to the Google Analytics Account as well in order to perform the connection. It is important that permission is given on the Account Level and not on the data view level.
I would like to assign myself as an admin to a client's Google Firebase account. I am creating a small website and need need access to his Google Firebase. Thus far, I have been using his UN and PW to login to his account.
Is there any way to assign myself as an admin on his Google Firebase account?
You can add collaborators to your Firebase project, from the Users and Permissions panel in the Firebase console. Here's an example from a project I'm working on:
Each user has a role in there, which controls precisely what they're allowed to do. The Owner is one of the broadest roles, and means the user has full access to the project.
I have created a new project on Firebase and i have role owner
and i can't found service accounts on 'settings project'
how to create it or enable it to get adminsdk private key (file.json)
in other accounts showing service accounts normally
but here not showing
so how to enable it?
Don't know exactly why this happened, but you can always manage firebase service accounts on the Google Cloud Platform console
My theory is : perhaps you first created this project on the Google Cloud Platform, and then you activated Firebase service.
I am trying to run instrumented tests using the glcoud CLI as a service account in CircleCi. When I run:
gcloud config set project project-name-12345
gcloud auth activate-service-account firebase-testlab-serviceuser#project-name-12345.iam.gserviceaccount.com --key-file ${HOME}/client-secret.json
gcloud firebase test android run --type instrumentation --app debug-app.apk --test debug-test.apk --device model=Nexus6P,version=27,locale=en,orientation=portrait --environment-variables coverage=true,coverageFile=/sdcard/tmp/code-coverage/connected/coverage.ec --directories-to-pull=/sdcard/tmp --timeout 20m
I get:
ERROR: (gcloud.firebase.test.android.run) Could not copy [debug-app.apk] to [gs://test-lab-xxxxxxxx-yyyyyyyy/2018-01-18_17:14:09.964449_zPAw/] ResponseError 403: firebase-testlab-serviceuser#project-name-12345.iam.gserviceaccount.com does not have storage.objects.create access to bucket test-lab-xxxxxxxx-yyyyyyyy..
Using the API Console (https://console.cloud.google.com/iam-admin/iam/project) I've given my service user all the permission I can think would be relevant:
Firebase Crash Symbol Uploader
Firebase Test Lab Admin
Storage Admin
Storage Object Admin
Storage Object Creator
Storage Object Viewer
Firebase Rules System
Any help would be greatly appreciate. Thanks.
You should be able to use a service account created in the Google Cloud Console. Did your service account have the required project Editor role? (as noted in this doc: https://firebase.google.com/docs/test-lab/continuous)
After lots of clicking through the Firebase console and the Google Cloud Console, reading SO, asking for help on Slack, and more trial and error than I care to admit, I discovered that the Firebase console has a service account page:
https://console.firebase.google.com/u/0/project/project-name-12345/settings/serviceaccounts/adminsdk
That is different from the service accounts page in the Google Cloud Console
https://console.cloud.google.com/iam-admin/serviceaccounts/project?project-name-12345
It turns out you want the Firebase service account, you can not create one via the cloud console. Super, super annoying.
The steps I took to create the key is as follow:
1. Firebase Console https://console.firebase.google.com/
2. Project Settings
3. "Service Accounts" tab
4. Inside "Service Accounts" panel, Firebase Admin SDK
5. At the bottom of "Firebase Admin SDK" panel, "Generate new private key"
This is what Etherton answered
https://stackoverflow.com/a/48327579/2353939
Even after that, I still had some errors. So, I added a bunch of roles as follows.
Firebase Test Lab Admin
Firebase Service Management Service Agent
Firebase Admin SDK Administrator Service Agent
Service Account Token Creator
Storage Object Creator
That also didn't fix. So, finally, I applied P. Davis answer by adding Editor role to the service account.
https://stackoverflow.com/a/48331465/2353939
Steps to add Editor role is as follows
1. Go to google cloud console https://console.cloud.google.com/iam-admin/iam
2. Go into "IAM"
3. Use "client_email" from the json file downloaded from firebase console to find the service account you need to edit
4. Click the "Edit" icon on the right
5. Scroll down and "Add Another Role"
6. Click the input field and type in "Editor" to search
7. Choose the one with subtitle "Edit access to all resource"
8. Save
9. Now you should be able to use it
This is the list of the roles that I put in to my service account :
Firebase - Firebase admin ( I think this is overkill. I might update it later )
Project - Editor
Storage - Storage Object Creator
It does not matter whether you create the service account from Firebase or google cloud console. As long as you have these roles in your service account then you should be able run the Firebase test lab.
For people who stumble upon this and don't want to use the all powerful Project Editor role, here are the roles I'm using for my service account:
Firebase Test Lab Roles
I think the Firebase Analytics Viewer role is not necessary, because it mostly just execute the tests. To view the result we use the developer accounts instead but haven't tried removing it.
We ran into the same permissions issue with storage.objects.create. We have added all the roles that were mentioned here, except for the Editor role which we wanted to avoid, but it still failed. We were using a Service Account and it definitely had the proper permissions.
In the end our workaround was to setup a cloud storage bucket manually and then use it in the --results-bucket argument for gcloud. See the documentation here. That finally fixed it for us.