I have an open-source project that uses two separate Firebase projects for a test environment and the production one.
Ultimately, I want to have other developers be able to pull down the project and actually be able to run it WITHOUT me needing to give each individual developer access.
I see a number of solutions in this question: How to add collaborators to a Firebase app?. Those all seem to require each person's email.
I understand why it maybe isn't a thing, but I am wondering if there is a way to just give access to everyone for only the test project so that contributing is super low-friction. Something similar to Firestore database rules that allow read/write in a public fashion to get started for testing.
I've tried making a new IAM account in the Google Cloud Console, and I think that partially worked for the Firebase Cloud Functions access to Admin SDK, but my collaborators get hung up trying to run firebase use <test-firebase-project> saying that they don't have access.
I see a lot of other config options for IAM, but nothing sticking out to me for this public access scenario.
Can anyone confirm this either is or isn't a thing?
Thanks!
EDIT
To add some more detail to my project...
I am using Authentication, Firestore, and Cloud Functions. The only js package I will use is the Auth one, which will be loaded from a CDN (so I believe that doesn't apply to my question).
I want to give access to people to run the Cloud Functions locally. There is a pre-build step that I have made in vanilla Node that calls a Cloud Function (running locally), which uses the Firebase Admin SDK to call my Firestore database. I then write that response to a JSON file that my front end uses.
When my collaborators pull down the project, and install the Firebase CLI, when they try to serve the Cloud Functions locally, they get hit with a "no access" type of error. I was trying to resolve this by adding a service account into the /functions directory, but apparently that didn't help.
My collaborators don't need access to the console at all. I basically just need them to be able to run the Cloud Function locally (and make sure they can't access my production Firebase project).
I am happy to add more detail, but I kind of feel like I am just rambling. Thanks again.
There is no way to grant everyone contributor access to your Firebase console. You will either have add each individual user, or create your own dashboard that uses the API to show the relevant data.
Related
I want to use Firebase cloud functions but when I try to init exists project I get error.
This is the error "Error: HTTP Error: 403, The caller does not have permission"
I created project before and then I moved project folder. When I had tried deploy, it wasn't work. I don't remember which error I got. And then I tried init same project but I got this error.
I tried logout and login again but it wasn't work.
I deleted "firebase-tools" but it wasn't work too.
And after I tried on different computer and I got same error.
And also I have Firebase Admin permission.
The firebase init command initializes/enables the project to use Cloud Functions for Firebase. Owners or Editors should use this command. Owners/Editors have higher permissions which allows APIs to be enabled (e.g. allowing the project to create VMs, Cloud Functions, or create a NoSQL Database).
Therefore I think you should perform this operation with Owner/Editor role.
You need to have Owner or Editor IAM permission on the GCP project to use firebase init command.
The firebase init command initializes/enables the project to use Cloud Functions/Hosting for Firebase. Owners/Editors have higher permissions that allow APIs to be enabled etc.
it is a first-time task when you starting the development, and then init command can be avoided if you have set up your cloud functions code in VCS for multiple developers or you.
i.e, Usually after writing code, you will replicate the project to other developers, who will then also write code and use firebase use yourprojectid further.
I am trying to create a firebase project using the api. The document for this is here: https://firebase.google.com/docs/projects/api/reference/rest/v1beta1/projects/addFirebase
I have created a GCP project already and I am the owner of this project. I can see my project in a request to:
https://firebase.google.com/docs/projects/api/reference/rest/v1beta1/availableProjects/list . It has a project id of: projects/my-project-id-here
I am making the requests as a owner of the GCP project user account (I am not using a service account!) using Google OAuth 2.0 with the correct scopes (You can try it in the documentation), but I am receiving a response of:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I can create firebase project fine If I go to firebase website directly and create the project there.
Google take 30 days to delete my test projects, so I am restricted to how many times I can try to get this right from scratch. Therefore I am also interested to know how you fully unlink firebase from a GCP project without deleting that project. Removing the service account and disabling the APIs from GCP console doesn't seem to do the trick.
Finally, I do not know if it is relevant but I also have the same user account setup with a developer account on google play and the GCP project is linked up for API access it's created service account granted access. I don't think this is relevant though, as my understanding is that I can setup a firebase project without this.
Hope someone can help!
I've found the solution to this. You cannot use the firebase API to create a firebase project unless you've first accepted the terms and conditions which aren't shown to you until you're in a firebase project (go figure).
Anyway here are some clear steps:
Create a firebase project through the website
Open the firebase project
Accept the terms and conditions for firebase use
Delete the firebase project and enjoy the API now working.
Regarding your interest in removing firebase from a project, this is not supported. The best course of action is to undo the changes that were made when firebase was added, namely disabling the firebase APIs, removing oauth client/brand, removing API keys etc, which you have already done, and it’s the closest thing to deleting the project.
What's the best way to work with multiple environments/projects on firebase?
I can switch between firebase projects using the the CLI.
I see here how to add environment variables to a firebase project and access them through firebase-functions's .config() method.
Is there a way to do something similar on the client-side when using firebase hosting.
For example: I'm using Algolia to run searches. I have firebase-functions to keep the indexes up to date, and run the searches from the client. Both functions and the hosted content need to point to the right Algolia project depending on the environment. I'd like to tie both configs to the same switch; firebase use staging vs firebase use production, for example. What's the best way to go about that?
I'm currently building an open-source microservice that makes use of Firebase Database, Hosting & Functions. The plan is to pack everything in a single binary and distribute this. So users will have a hazzle-free, "bring your own Firebase project"-solution. They'll just have to download the binary and their Firebase secret key and can then create a user and deploy the service via CLI.
The problem is, that firebase-tools require a $FIREBASE_TOKEN when deploying via its API. So users would have to install firebase-tools in order to be able to generate that token and they would also have to store it (or re-generate it frequently).
Since I would like to provide a hazzle-free experience, I'd rather generate that token myself with the help of the secret key.
The question is: is this even possible? And if yes: how??
My workaround for this is to reflect the login- and logout-commands of the Firebase-CLI on my own binary's CLI. So the user won't have to install another tool.
To get the refresh_token I then read the data from the firebase-tools-configstore, that is located in the user folder. This feels a little dirty, like accessing a private API. But I couldn't come up with a better solution. And it works.
here's the task I have and the resources I'm following to try to get it done.
Ultimately what I want is for users to be able to take pictures with my app (made with Ionic) and then those pictures get sorted and end up on the company's Google Team Drive.
What I originally started with was uploading the images to Firebase Storage, and then I was told they must be accessible to Team Drive.
Some of the people taking pictures aren't part of the company's G Suite, so I was thinking it would be easier to just have the database itself authenticate with the Team Drive and upload from there.
Here is an example from github that shows the same thing I want, except it uploads from Firebase Database to Google Sheets:
https://github.com/firebase/functions-samples/tree/master/google-sheet-sync
My plan was to follow this guide exactly to get it working, and then figure out how I can change it for Storage -> Team Drive.
However in following the instructions in the readme (they're pretty old) I've come across an error and now I'm stuck.
For Step #7 in that link where it says to run $ firebase functions:config:set googleapi.client_id="<id>" and the rest of the command, I get in terminal:
Error: HTTP Error: 403, The caller does not have permission
What should be the steps I'm looking at to get this working? I am also unsure if my current implementation makes sense anymore. It wouldn't be a big deal to make everyone using the app sign-in with a Google account so that they can be a member of the Team Drive and just upload directly from the app to Drive. Would that still include the sort of safety behaviour like if the connection drops the file upload will resume independently?
The answer to my first question is to install googleapis and google-auth-library. Run the command in the actual /functions/ directory of the sample.
There were a few other errors created by old code, but they aren't in the scope of this question and I raised them in the github Issues sections.