I am using the firebase login:ci token for CI/CD. But there is not enough documentation regarding the token.
Does it have access to all my firebase projects where my account has access or only the current active project?
Where can I see a list of all tokens and their activity?
The solution I am going for is creating a throwaway email and adding that to the project I want to deploy. Is this ok?
When you run firebase login:ci you get prompted to log in with a Firebase account. After picking your account, you get a dialog that shows the permissions you're granting. This contains:
This will allow Firebase CLI to:
View and administer all your Firebase data and settings
So if you click Allow in that dialog, the Firebase CLI will have access to all Firebase projects that the account has access to. The generated token does (as far as I know) have access to the same scope.
Related
We are running 2 separate Google Cloud Projects, Project A and Project B.
Project A is currently running an App Engine (AE) based API.
The API on project A needs to access the Firebase features on project B.
✅ I have setup cross projects access between the two projects using IAM and most functions are working fine.
App Engine on project A is able to access the Firebase real time db (RTDB) and Firebase Auth functions on Project B.
But we are unable to connect to Firebase Cloud Messaging on Project B
As far as I can see tracing through the Firebase admin SDK calls, we are able to obtain access tokens, and they're all valid as we can use some of the services (i.e. RTDB, Auth)
However, when we try using Firebase Cloud messaging we receive the following error: An error occurred when trying to authenticate to the FCM servers. Make sure the credential used to authenticate this SDK has the proper permissions.
Which seems to originate from a 401 unauthorized response to this service https://iid.googleapis.com/iid/v1:batchAdd
It doesn't seem to matter what amount of Roles on Project B I throw at the Project A service account.
If I use a separate Firebase service account that originated from Project B and use that json file as a credential then the issue go away, but I don't want to distribute credential files around, and everything else work fine without, except FCM.
FWIW this is how i initialise the firebase admin sdk
const firebaseAdmin = require('firebase-admin');
firebaseAdmin.initializeApp({
credential: firebaseAdmin.credential.applicationDefault(),
projectId:'project-b',
databaseURL: "https://project-b.firebaseio.com",
});
I've also tried setting the serviceAccountId option to the project B service account email that works when manually loaded, but that doesn't change anything (also added Service Account Token Creator role)
The services account has also been given all the permissions listed here https://firebase.google.com/docs/projects/iam/permissions#messaging
Feels like there's a simple connection missing (either a role, or API setting) but I've ran out of idea.
Has anyone done this before and can provide some guidance?
EDIT [CORRECTED IN EDIT 3] I've also tried to manually create a service account on Project B with the same working roles as the Firebase service account that works and i'm getting the same issue (even though it was created on Project B). So sounds like maybe it's not a role issue, nor a cross-project issue?
EDIT 2 I'm on Node Js with latest firebase admin sdk
EDIT 3 Ignore the first edit, i hadn't configured the custom service account correctly, works fine with a service account created from scratch in Project B. So back to cross-project issue then I guess..
So in the case of Real time database, you only need to give Firebase Realtime Database Admin role to the Project A's App Engine service account on Project B.
In Firebase Cloud Messaging you can give Firebase Cloud Messaging Admin role on Project B AND the cloudmessaging.messages.create permission to the service account on Project A.
This will go around the initial 401 unauthorised response from messaging calls.
However, this will still result in an error, this time NOT FOUND, which indicates that the subscription token was not found.
It seems that calls to FCM don't use the projectId setting in firebase admin initialisation and always execute against the project the service account was created in (Project A in this case).
I haven't been able to find a way for FCM calls to executed in the specified projectId scope from another project.
I am switching my Firebase functions from one Firebase account to another.
I have rerun firebase init.
I have added the new service account configs to the project and am passing it to admin.initializeApp. I have logged into GCP via my CLI and have run firebase login:ci as well.
Despite all this, whenever I try to run firebase deploy, I am met with the error:
Missing permissions required for functions deploy. You must have permission iam.serviceAccounts.ActAs on service account #appspot.gserviceaccount.com.
Any idea what's going on here?
This doesn't have anything to do with the service account you use to initialize the Firebase Admin SDK. The error has to do with the lack of permission of the Google Account that you used to sign in with the Firebase CLI. It doesn't have permission to deploy to Cloud Functions. You should either sign out then sign back in with an account that has permission (typically "editor" role), or add the appropriate permission to the account that you want to use.
If you're migrating to a new Firebase project / account, you must delete the project's existing .firebaserc and firebase.json files before running firebase init - this will ensure that you're using the updated project configs.
Permissions recommended for the Cloud Build service account in the official Google documentation and the Firebase CLI community builder docs are insufficient:
In the permissions table, locate the email ending with #cloudbuild.gserviceaccount.com, and click on the pencil icon.
Add Cloud Build Service Account, Firebase Admin and API Keys Admin roles.
I still get the following error in Cloud Build when I do firebase deploy:
Error: HTTP Error: 403, The caller does not have permission
What I've tried is different Firebase IAM roles, Editor, and Owner. So far only the Owner role works. That is way too much privilege for a Cloud Build service account, and violates the least-privilege model.
Everything is in the same Google Cloud project.
Anyone know how to troubleshoot this? Or know which role/permission is missing?
For our project (which uses Firestore, Functions, Hosting, and Storage extensively) here is the list we came up with. Critically I wanted to avoid "Firebase Admin" because I did not want this service account to have access to read/write my Firestore data:
Artifact Registry Administrator
Cloud Build Service Account
Cloud Datastore Index Admin
Cloud Functions Admin
Cloud RuntimeConfig Admin
Cloud Scheduler Admin
Firebase Hosting Admin
Firebase Rules Admin
Pub/Sub Admin
Service Account User
tl;dr seems like it was "an accidental permission expansion" that has been corrected.
I am able restrict the roles to:
Cloud Build Service Account
Firebase Admin
API Keys Admin
I have created/forked a lil Google Apps Script Library to manage Firebase Firestore and Firebase Remote Config called FirebaseGoogleAppsScript. The goal is to simply manage the contents of your collections in an apps script as well as update your remote config.
My issue is I can't get the a service account to do both.
Firebase creates two service accounts upon creating a project:
The first is listed in the Firebase Console -> Project Settings -> Service Accounts. This one I use within my cloud functions to retrieve the Remote Config just fine. However in the Apps Script Project it is unable to retrieve any data from firestore. I tried adding all kinds of roles including Owner and Editor yet no firestore data, but I still can get the RemoteConfig.
The second is only visible in the GCP service accounts and has the title: Firebase Admin SDK Service Agent with the roles Firebase Admin SDK Administrator Service Agent and Service Account Token Creator. This one is able to retrieve all the data from firestore within an Apps Script Project. However in the apps script project I can't get it to retrieve the RemoteConfig even if I add the role Firebase Remote Config Admin.
I have also made my own service account which was able to get the Remote config and just about everything else from Firebase except the Firestore data. Seems only the one service account created by Firebase is able to get any data.
To recreate the issue simply deploy my lil FirebaseGoogleAppsScript project and associate it to the same GCP project Firebase is connected to. There is a test file in it which can recreate the issue assuming you have some data in RemoteConfig and a collection called posts with some docs.
What the heck is going on here? Why can't I make a service account who can access Firestore and RemoteConfig? Any ideas on what to do to create a proper role to do both? Do I really have to use two separate service accounts?
I am trying to run instrumented tests using the glcoud CLI as a service account in CircleCi. When I run:
gcloud config set project project-name-12345
gcloud auth activate-service-account firebase-testlab-serviceuser#project-name-12345.iam.gserviceaccount.com --key-file ${HOME}/client-secret.json
gcloud firebase test android run --type instrumentation --app debug-app.apk --test debug-test.apk --device model=Nexus6P,version=27,locale=en,orientation=portrait --environment-variables coverage=true,coverageFile=/sdcard/tmp/code-coverage/connected/coverage.ec --directories-to-pull=/sdcard/tmp --timeout 20m
I get:
ERROR: (gcloud.firebase.test.android.run) Could not copy [debug-app.apk] to [gs://test-lab-xxxxxxxx-yyyyyyyy/2018-01-18_17:14:09.964449_zPAw/] ResponseError 403: firebase-testlab-serviceuser#project-name-12345.iam.gserviceaccount.com does not have storage.objects.create access to bucket test-lab-xxxxxxxx-yyyyyyyy..
Using the API Console (https://console.cloud.google.com/iam-admin/iam/project) I've given my service user all the permission I can think would be relevant:
Firebase Crash Symbol Uploader
Firebase Test Lab Admin
Storage Admin
Storage Object Admin
Storage Object Creator
Storage Object Viewer
Firebase Rules System
Any help would be greatly appreciate. Thanks.
You should be able to use a service account created in the Google Cloud Console. Did your service account have the required project Editor role? (as noted in this doc: https://firebase.google.com/docs/test-lab/continuous)
After lots of clicking through the Firebase console and the Google Cloud Console, reading SO, asking for help on Slack, and more trial and error than I care to admit, I discovered that the Firebase console has a service account page:
https://console.firebase.google.com/u/0/project/project-name-12345/settings/serviceaccounts/adminsdk
That is different from the service accounts page in the Google Cloud Console
https://console.cloud.google.com/iam-admin/serviceaccounts/project?project-name-12345
It turns out you want the Firebase service account, you can not create one via the cloud console. Super, super annoying.
The steps I took to create the key is as follow:
1. Firebase Console https://console.firebase.google.com/
2. Project Settings
3. "Service Accounts" tab
4. Inside "Service Accounts" panel, Firebase Admin SDK
5. At the bottom of "Firebase Admin SDK" panel, "Generate new private key"
This is what Etherton answered
https://stackoverflow.com/a/48327579/2353939
Even after that, I still had some errors. So, I added a bunch of roles as follows.
Firebase Test Lab Admin
Firebase Service Management Service Agent
Firebase Admin SDK Administrator Service Agent
Service Account Token Creator
Storage Object Creator
That also didn't fix. So, finally, I applied P. Davis answer by adding Editor role to the service account.
https://stackoverflow.com/a/48331465/2353939
Steps to add Editor role is as follows
1. Go to google cloud console https://console.cloud.google.com/iam-admin/iam
2. Go into "IAM"
3. Use "client_email" from the json file downloaded from firebase console to find the service account you need to edit
4. Click the "Edit" icon on the right
5. Scroll down and "Add Another Role"
6. Click the input field and type in "Editor" to search
7. Choose the one with subtitle "Edit access to all resource"
8. Save
9. Now you should be able to use it
This is the list of the roles that I put in to my service account :
Firebase - Firebase admin ( I think this is overkill. I might update it later )
Project - Editor
Storage - Storage Object Creator
It does not matter whether you create the service account from Firebase or google cloud console. As long as you have these roles in your service account then you should be able run the Firebase test lab.
For people who stumble upon this and don't want to use the all powerful Project Editor role, here are the roles I'm using for my service account:
Firebase Test Lab Roles
I think the Firebase Analytics Viewer role is not necessary, because it mostly just execute the tests. To view the result we use the developer accounts instead but haven't tried removing it.
We ran into the same permissions issue with storage.objects.create. We have added all the roles that were mentioned here, except for the Editor role which we wanted to avoid, but it still failed. We were using a Service Account and it definitely had the proper permissions.
In the end our workaround was to setup a cloud storage bucket manually and then use it in the --results-bucket argument for gcloud. See the documentation here. That finally fixed it for us.