GCP project ownership - mistake lost ownership - firebase

Doing some Firebase tests with users, I changed the ownership to another user and revoked it soon after, and with that I got the two users with "Edit" permission only and nobody with "Owner" permissions.
I tried through the GCP console and API scripting to change that (even tried using Cloud Functions), but I always got the message that I don't have permission, which is the expected behaviour.
I have a G Suite account, a GCP domain, and both users are part of it. Any way to get this solved?
Help is really appreciated,
Rui

Related

Why may I have no "Cloud Functions Admin" role option to grant at Google Cloud?

I'm trying to connect Firebase with Flutterflow.
For this, I need to grant permissions, using a provided Flutterflow login.
One of the steps is to dry Cloud Functions Admin role, associated with this login.
Problem is, there's no such option on the page where you're supposed to do it!
Fun fact, with my previous project it works fine, I can see the Cloud Functions tab with this role inside.
I've checked the list of all roles, found this specific one – it's here, enabled.
I've duplicated this role and granted the duplicate instead of "Cloud Functions Admin", but still Flutterflow says there's no permission.
The Cloud Functions API had to be enabled first (as confirmed in comments). It's off by default for new projects; generally each project must enable the APIs it wishes to use.

Firebase functions deploy problem (Failed to create/update function)

I would like to ask for the help of people familiar with Firebase functions. I am struggling with the problem that uploading the code via firebase cli fails. It was working a few days ago, I didn't change anything in the world, I mean through the configuration. And it gets stuck at a part where not even a code change was made. I have had this problem ever since the client set the editor role to the owner role. But in theory this shouldn't be a problem.
firebase deploy --debug returns this:
{"error":{"code":403,"message":"Unable to retrieve the repository metadata for projects/{projectname}/locations/us-central1/repositories/gcf-artifacts. Ensure that the Cloud Functions service account has 'artifactregistry.repositories.list' and 'artifactregistry.repositories.get' permissions. You can add the permissions by granting the role 'roles/artifactregistry.reader'.","status":"PERMISSION_DENIED"}}
I set it up but it still doesn't work. Maybe in the wrong place or I don't know. I only encountered similar problems on the net, but none of them helped. I do not know what to do. Artifactregistry api is also enabled.
firebase functions:log :
2022-11-09T22:15:55.891760Z E friendRequestNotification: {"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{"code":7,"message":"Unable to retrieve the repository metadata for projects/{projectname}/locations/us-central1/repositories/gcf-artifacts. Ensure that the Cloud Functions service account has 'artifactregistry.repositories.list' and 'artifactregistry.repositories.get' permissions. You can add the permissions by granting the role 'roles/artifactregistry.reader'."},"authenticationInfo":{"principalEmail":"{email}"},"requestMetadata":{"callerIp":"{ip}","callerSuppliedUserAgent":"FirebaseCLI/11.16.0,gzip(gfe),gzip(gfe)","requestAttributes":{"time":"2022-11-09T22:15:56.055987Z","auth":{}},"destinationAttributes":{}},"serviceName":"cloudfunctions.googleapis.com","methodName":"google.cloud.functions.v1.CloudFunctionsService.CreateFunction","authorizationInfo":[{"resource":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","permission":"cloudfunctions.functions.create","granted":true,"authorizationLoggingOptions":{"permissionType":"ADMIN_WRITE"},"resourceAttributes":{}}],"resourceName":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","request":{"function":{"sourceUploadUrl":"https://storage.googleapis.com/uploads-760418412171.us-central1.cloudfunctions.appspot.com/6d1f7217-7899-484f-911c-1dbcb4512d8d.zip?GoogleAccessId=service-{}@gcf-admin-robot.iam.gserviceaccount.com&Expires={}","labels":{"deployment-tool":"cli-firebase","firebase-functions-hash":"{hash}"},"runtime":"nodejs16","dockerRegistry":"ARTIFACT_REGISTRY","entryPoint":"friendRequestNotification","name":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","eventTrigger":{"eventType":"providers/cloud.firestore/eventTypes/document.create","resource":"projects/{projectname}/databases/(default)/documents/users/{userId}/friends/{friendId}"}},"location":"projects/{projectname}/locations/us-central1","@type":"type.googleapis.com/google.cloud.functions.v1.CreateFunctionRequest"},"resourceLocation":{"currentLocations":["us-central1"]}}
I have already tried all options within the Google cloud iam&admin settings, but nothing.
Well, I solved the issue by updating my credit card. Basically, billing was disabled because my credit card was expired and all the permissions were disabled.
Try to enable the created artifacts for your project on Google Cloud Console
https://console.cloud.google.com/artifacts
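An added example, not part of the original posts: a triage of an audit log entry like the one quoted in the question, separating the permission checks the deploying principal passed from the permissions the error text names. The sample entry is constructed from the shape of that log line, and `example-project`, `deployer@example.com` and the function name `fn` are placeholders.

```python
import json
import re

PERMISSION_DENIED = 7  # google.rpc.Code value carried in status.code

# Constructed entry, cut down from the shape of the log line quoted above;
# the project, principal and function names are placeholders.
SAMPLE_ENTRY = json.dumps({
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {"code": 7, "message": (
        "Unable to retrieve the repository metadata for projects/example-project"
        "/locations/us-central1/repositories/gcf-artifacts. Ensure that the Cloud "
        "Functions service account has 'artifactregistry.repositories.list' and "
        "'artifactregistry.repositories.get' permissions. You can add the "
        "permissions by granting the role 'roles/artifactregistry.reader'.")},
    "authenticationInfo": {"principalEmail": "deployer@example.com"},
    "methodName": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
    "authorizationInfo": [{
        "resource": "projects/example-project/locations/us-central1/functions/fn",
        "permission": "cloudfunctions.functions.create",
        "granted": True}],
})

def triage(entry_json):
    """Separate what the caller was allowed from what the error says is missing."""
    entry = json.loads(entry_json)
    status = entry.get("status", {})
    message = status.get("message", "")
    checks = entry.get("authorizationInfo", [])
    granted = [c.get("permission") for c in checks if c.get("granted")]
    denied = [c.get("permission") for c in checks if not c.get("granted")]
    # Permission and role names that the error text quotes in single quotes.
    named = re.findall(r"'([a-z]+(?:\.[A-Za-z]+){2,})'", message)
    roles = re.findall(r"'(roles/[A-Za-z.]+)'", message)
    if denied:
        verdict = "caller-denied"      # the deploying principal lacks a permission
    elif status.get("code") == PERMISSION_DENIED:
        verdict = "downstream-denied"  # caller passed; a dependent check failed
    else:
        verdict = "not-a-permission-error"
    return {
        "principal": entry.get("authenticationInfo", {}).get("principalEmail"),
        "method": entry.get("methodName", "").rsplit(".", 1)[-1],
        "verdict": verdict,
        "caller_granted": granted,
        "caller_denied": denied,
        "named_in_error": [p for p in named if p not in granted],
        "suggested_roles": roles,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ENTRY), indent=2))
```

In the thread the entry pointed at Artifact Registry while the reported fix was re-enabling billing, so the verdict shows where the denial surfaced, not its cause.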

How to give the correct permissions to a GCP service account to update Firestore and Storage rules?

I have an automated process to update a Firebase project's Firestore and storage rules. It always throws permission denied errors. I've tried a combination of the predefined IAM roles such as Firebase Rules Admin, Firebase Rules System, and Firebase Rules Viewer, and even a combination of all three failed.
When giving the service account the Firebase Admin IAM role, it worked; however, I'd like to avoid giving this service account excess permissions due to best security practices following the principle of least privilege.
I found this documentation for specific permissions needed: https://firebase.google.com/docs/projects/iam/permissions#security-rules but after creating a new IAM role with all 13 of the permissions, it was still denied.
What is the correct set of least permissions needed to only allow the service account to update rules and rules only? (Firestore and storage)
I don't know the answer but here's how I'd work it out.
Firebase Admin is defined under Firebase-level roles:
https://firebase.google.com/docs/projects/iam/roles-predefined-all-products
NOTE Apologies, was unable to grab a link to the specific role on mobile
This shows all the permissions.
You should be able to determine which permissions are missing by checking the permissions of the other roles that you tried.
It would be helpful if you include the command and the specific errors that you received. Usually (!) these help scope the permission(s) that are missing.
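An added example of the comparison the answer describes, not code from the original posts: it takes role definitions in the JSON shape printed by `gcloud iam roles describe ROLE --format=json` and lists the permissions a working role has that none of the tried roles grant, grouped by service. The role names and their permission lists below are constructed placeholders, not the contents of any real role.

```python
import json
from collections import defaultdict

# Constructed role definitions (placeholder names and contents) in the shape
# of `gcloud iam roles describe ROLE --format=json` output.
BROAD_ROLE = json.dumps({
    "name": "roles/example.broadRoleThatWorks",
    "includedPermissions": [
        "firebaserules.releases.get", "firebaserules.releases.update",
        "firebaserules.rulesets.create", "firebaserules.rulesets.get",
        "firebase.projects.get", "storage.buckets.get",
        "resourcemanager.projects.get"],
})
TRIED_ROLES = [
    json.dumps({"name": "projects/example-project/roles/rulesOnlyA",
                "includedPermissions": ["firebaserules.releases.get",
                                        "firebaserules.releases.update"]}),
    json.dumps({"name": "projects/example-project/roles/rulesOnlyB",
                "includedPermissions": ["firebaserules.rulesets.create",
                                        "firebaserules.rulesets.get"]}),
]

def permissions_of(role_json):
    """Return the permission set of one role definition."""
    return set(json.loads(role_json).get("includedPermissions", []))

def missing_by_service(working_json, tried_jsons, services=None):
    """Permissions the working role has that none of the tried roles grant,
    grouped by service prefix. `services` optionally limits the report."""
    tried = set().union(*(permissions_of(r) for r in tried_jsons))
    grouped = defaultdict(list)
    for perm in sorted(permissions_of(working_json) - tried):
        service = perm.split(".", 1)[0]
        if services is None or service in services:
            grouped[service].append(perm)
    return dict(grouped)

if __name__ == "__main__":
    for service, perms in missing_by_service(BROAD_ROLE, TRIED_ROLES).items():
        print(service, perms)
```

The result is a candidate list to test against the failing call, narrowed with `services` to the APIs named in the error.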

xxxxx@21cn.com email login to Firebase project

I'm developing a mobile app using Firebase and its email authentication feature. I found that there are some unknown sign-ups with emails from the 21cn.com domain even though I'm not publishing the app yet. It seems like these email addresses are related to this website (https://mail.21cn.com/w2/).
Is there a way to prevent these unknown sign-ups from outside, or how can I improve the project safety?
I was looking around even in my projects and it is not possible to audit who and/or how added the accounts for Firebase Auth (not even in the Activity logs in the GCP Project associated with your Firebase Project).
So, if you don’t know those accounts, I’d suggest deleting them. Also, if the app is not yet published, maybe someone else (if more users are implied in the project) added those accounts directly to Firebase Auth.
Also you may want to change the password of your account.
In general the security of the Firebase Console is up to you.

Assign specific role (Authentication) to a Firebase Console user

I have a Firebase app, and I want to know if it's possible to restrict a Firebase Console user to access only the "Authorizations" tab (to CRUD users). The access must be by the Firebase (regular) Web Console.
Especially, I don't want the user to see the database data via the web console. Is that possible? I've managed to give him access to the entire project, and he can do anything I can do (is an Admin).
I haven't found anything about this in the docs / searching.
firebaser here
Collaborators on a project currently have access to the entire Firebase Console. You can limit to having read-only access, but you currently can't limit what panels they have access to.
We've heard the request before and know this would expand the usefulness of the Firebase Console. I recommend that you file a feature request, to add your vote.
