I'm trying to deploy a Firebase hosted project with a Service Account (that I created myself, not one provided by Google/Firebase as default) via a pipeline (Gitlab, but that shouldn't matter for this issue).
When I run the following command locally (same happens in the pipeline):
GOOGLE_APPLICATION_CREDENTIALS="/path/to/serviceaccount.json" firebase deploy --only hosting
I'm getting the following error:
=== Deploying to 'my-firebase-project'...
i deploying hosting
Error: HTTP Error: 403, The caller does not have permission
The --debug does not provide any more details, other than the 403. I've set the following roles to the serviceaccount:
Firebase Hosting Admin
Firebase Rules Admin
API keys viewer
Deploying the rules (using --only firestore) works without issues. I've read the documentation about the roles of Firebase hosting, but assigning these don't work either.
Does anyone know which roles I'm missing?
Note: a service account is used here to do a deployment, so any firebase login / firebase logout actions won't have any effect. See Login to firebase using gcloud service account for details.
With the help of Firebase support, I was pointed to the Deploying to Firebase page, which provides an enumeration of all required roles. To sum it up here:
Cloud Build Service Account
Firebase Admin
API Keys Admin
I was missing the first one, which resulted in this error. Hope that this'll help others as well!
You have to add the role at the cluster level using oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:myproject:default
Related
I have the firebase emulator running in a docker container locally for testing. The emulator includes everything I'm using for my app (firestore, auth, functions, storage) so that I can develop and test independently of the production environment.
However, I'm getting these warnings which are making me nervous:
functions: Beginning execution of "myFunction"
⚠ External network resource requested!
- URL: "http://---.---.---.---/computeMetadata/v1/instance"
- Be careful, this may be a production service.
I don't know what that URL is? Does it mean I've misconfigured something somewhere?
I'm also getting these warnings:
⚠ emulators: You are not currently authenticated so some features may not work correctly. Please run firebase login to authenticate the CLI.
⚠ functions: You are not signed in to the Firebase CLI. If you have authorized this machine using gcloud application-default credentials those may be discovered and used to access production services.
⚠ functions: Unable to fetch project Admin SDK configuration, Admin SDK behavior in Cloud Functions emulator may be incorrect.
But I don't think I want to authenticate, right? I don't want to touch anything to do with the live project on production while testing locally. Can I safely ignore these, or is there a good reason to authenticate?
The warnings are indicative that there had some issues while initialization during the setup for emulators .
Make sure that the emulator is installed by the following command: firebase setup:emulators:firestore, for this you can refer Documentation.
Deploy your function in the firebase in order to get recognized. you can refer to the Documentation using firebase deploy --only functions
Also to be sure please check your Firebase json and see if the local host is configured and not the production host,just to be sure.
For further reference you can follow up the stackoverflow thread Docker authentication issueand Firestore emulatorwhere a similar issue has been raised by other users which might be helpful.
I'm trying to deploy firebase rules using firebase cli. I want to achieve that using service account impersonation, which works for other operations that I perform, but surely not when using firebase cli.
I get the following error, despite setting auth/impersonate_service_account setting in my config.
Error: HTTP Error: 403, Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the firebaserules.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
The solution that worked is the following:
firebase \
--token $(gcloud auth print-access-token --impersonate-service-account=<sa>) \
deploy --only firestore:rules
I am switching my Firebase functions from one Firebase account to another.
I have rerun firebase init.
I have added the new service account configs to the project and am passing it to admin.initializeApp. I have logged into GCP via my CLI and have run firebase login:ci as well.
Despite all this, whenever I try to run firebase deploy, I am met with the error:
Missing permissions required for functions deploy. You must have permission iam.serviceAccounts.ActAs on service account #appspot.gserviceaccount.com.
Any idea what's going on here?
This doesn't have anything to do with the service account you use to initialize the Firebase Admin SDK. The error has to do with the lack of permission of the Google Account that you used to sign in with the Firebase CLI. It doesn't have permission to deploy to Cloud Functions. You should either sign out then sign back in with an account that has permission (typically "editor" role), or add the appropriate permission to the account that you want to use.
If you're migrating to a new Firebase project / account, you must delete the project's existing .firebaserc and firebase.json files before running firebase init - this will ensure that you're using the updated project configs.
Permissions recommended for the Cloud Build service account in the official Google documentation and the Firebase CLI community builder docs are insufficient:
In the permissions table, locate the email ending with #cloudbuild.gserviceaccount.com, and click on the pencil icon.
Add Cloud Build Service Account, Firebase Admin and API Keys Admin roles.
I still get the following error in Cloud Build when I do firebase deploy:
Error: HTTP Error: 403, The caller does not have permission
What I've tried is different Firebase IAM roles, Editor, and Owner. So far only the Owner role works. That is way too much privilege for a Cloud Build service account, and violates the least-privilege model.
Everything is in the same Google Cloud project.
Anyone know how to troubleshoot this? Or know which role/permission is missing?
For our project (which uses Firestore, Functions, Hosting, and Storage extensively) here is the list we came up with. Critically I wanted to avoid "Firebase Admin" because I did not want this service account to have access to read/write my Firestore data:
Artifact Registry Administrator
Cloud Build Service Account
Cloud Datastore Index Admin
Cloud Functions Admin
Cloud RuntimeConfig Admin
Cloud Scheduler Admin
Firebase Hosting Admin
Firebase Rules Admin
Pub/Sub Admin
Service Account User
tl;dr seems like it was "an accidental permission expansion" that has been corrected.
I am able restrict the roles to:
Cloud Build Service Account
Firebase Admin
API Keys Admin
I was trying to deploy my first firebase cloud function using firebase cli but I encountered an error instead :
C:\Users\Anurag Tripathi\Desktop\firebasecloudfunction> firebase deploy --only functions
Error: Missing permissions required for functions deploy. You must have permission iam.serviceAccounts.ActAs on service account project_number#appspot.gserviceaccount.com.
To address this error, ask a project Owner to assign your account the "Service Account User" role from this URL:
https://console.cloud.google.com/iam-admin/iam?project=project_number
I tried to solve the problem by following the instruction but didn't get any success . Please help.
Edit : I have abandoned the project :( , so I really can't test the answers. Thanks all for the answers and comments. I will accept the most upvoted answer.
This is what worked for me. First run firebase login:list to find out if the account logged into firebase cli is the same account authorized in your Google Cloud Console. If not, run firebase logout <email> then firebase login, then deploy again.
As specified in the docs, apart from the Service Account User role, you should assign the Cloud Functions Admin role to the Service Account that you are using to deploy the functions
It turned out I had the wrong project name in the .firebaserc file. After changing the name to the correct google cloud project name it worked.
firebase projects:list
If the current Firebase account doesn't have your project, you have to logout first.
firebase logout
firebase login
firebase projects:list
firebase use <project ID>
So for example,
firebase use stripesample1
firebase projects:list
firebase deploy --only functions
I was having same issue, I just did firebase logout and firebase login and issue resolved
I had this issue with a co-worker who inherited the Firebase Admin role from the Organization the project belongs to.
I confirmed he had inherited the role but not all the same permissions as when you assign the role manually from Firebase Console -> Users and Permissions.
So, I could have followed the instructions in the link shown in the error log. But I thought it was safer to just re-assign the Firebase Admin role from firebase console. That solved the issue.