Can firebase "deploy access" be restricted? - firebase

We are bringing in a new developer for our Firebase web app project, who will start out by just learning the code in his local environment.
Since the new developer will be running Firebase CLI in the local env., is there a way to set up his initial role on the project such that he is [not able] to run firebase deploy commands?
~~~~~~~~~~~~~~~~~~~~~~~~~
I did find this doc from Google:
https://cloud.google.com/iam/docs/understanding-roles?_ga=2.49153190.-1888993.1468450573#curated_roles
It discusses deploy access in section: App Engine Roles .. not sure if that is for Firebase as well.
If so, are there any additional references for how to go about applying these kinds of roles to a Firebase project?

Anyone who has the "editor" or "owner" role for a project will be able to deploy (and generally make any other changes to the project). If you don't want an account to be able to deploy, don't give either of those roles.

Related

Which Roles are needed in IAM in order to do a firebase deploy

I'm trying to add the needed roles for a CI pipeline to automatically deploy to Firebase (by running firebase deploy).
The roles I've added so far are:
API Keys viewer
Artifact registry writer
Cloud build Service Account
Cloud Functions Admin
Cloud Run Viewer
Firebase App distribution admin
Firebase Authentication admin
firebase hosting admin
firebase rules admin
service account user
service usage admin
Honestly, at this point I'm just adding what sounds good, as the error message is not helpful:
There was an issue deploying your functions. Verify that your project
has a Google App Engine instance setup at
https://console.cloud.google.com/appengine and try again. If this
issue persists, please contact support.
It works when adding the Owner permission, so this is a permission issue.
As you want to deploy the entire project, the most applicable role would be Firebase Admin.
I use it in Portuguese, so the translation in English may be different.
For deploying the hosting app, the IAM role must be either Owner or Editor. Sometimes updating to the latest version of the Node package/Firebase tools will resolve the issue, as per my experience.
npm install -g firebase-tools
It will provide the globally accessible firebase command.
For reference: https://firebase.google.com/docs/projects/iam/roles
For any deployments, you need the first Firebase token which is GCP_SA_key for whatever you want to deploy or update.
There are different scenarios; let me elaborate with references:
Cloud Functions Developer IAM role for deploying functions.
Cloud Scheduler Admin IAM role for scheduling your functions.
Service Account User IAM role: by default, the service account using App Engine for the deployment process requires the Service Account User role.
You need more roles for updating Firestore rules, indexes, and files:
Firebase Rules Admin role for updating Firestore rules.
Cloud Datastore Index Admin role for updating Firestore indexes.
Firebase Hosting Admin role for updating files.
Further details, reference added: GitHub Integration/deployments roles
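
Added example (not from any of the posts above): a small audit of a project IAM policy that reports who can deploy, combining the first answer's point that Owner and Editor can deploy anything with the granular roles listed in the answer above. The role IDs are the predefined ones for the role names mentioned on this page; the member names, the `ALLOWED` allow-list and the sample policy are constructed for illustration.

```python
import json

# Roles the answers above say can deploy everything in the project.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/firebase.admin"}
# Granular roles listed in the answer above -> what each lets a member deploy.
DEPLOY_ROLES = {
    "roles/cloudfunctions.developer": "functions",
    "roles/cloudscheduler.admin": "scheduler",
    "roles/firebaserules.admin": "rules",
    "roles/datastore.indexAdmin": "indexes",
    "roles/firebasehosting.admin": "hosting",
}

def deploy_access(policy):
    """Map each member to the deploy targets its bindings grant ('*' = all)."""
    access = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        target = "*" if role in BROAD_ROLES else DEPLOY_ROLES.get(role)
        if target is None:
            continue  # role grants no deploy access that this check knows about
        for member in binding.get("members", []):
            access.setdefault(member, set()).add(target)
    return access

def violations(policy, allowed):
    """Return members whose deploy access exceeds their entry in `allowed`."""
    found = {}
    for member, targets in deploy_access(policy).items():
        permitted = allowed.get(member, set())  # unlisted members may deploy nothing
        if "*" in permitted:
            continue
        extra = targets - permitted
        if extra:
            found[member] = sorted(extra)
    return found

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
CI = "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:lead@example.com"]},
  {"role": "roles/editor", "members": ["user:newdev@example.com"]},
  {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
  {"role": "roles/firebasehosting.admin", "members": ["%s"]},
  {"role": "roles/cloudfunctions.developer", "members": ["%s"]},
  {"role": "roles/iam.serviceAccountUser", "members": ["%s"]}
]}""" % (CI, CI, CI))
# Hypothetical allow-list: the lead may deploy anything, CI may deploy hosting only.
ALLOWED = {"user:lead@example.com": {"*"}, CI: {"hosting"}}

if __name__ == "__main__":
    for member, extra in violations(SAMPLE_POLICY, ALLOWED).items():
        print(member, "has unapproved deploy access:", ", ".join(extra))
```

The check only sees predefined role names bound directly on the project; custom roles, group memberships and bindings inherited from a folder or organization need to be reviewed separately.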

How to prevent registration to Firebase project?

As per the Firebase documentation, the contents of google-services.json are considered public. These can be easily retrieved by decompiling the apk.
If so, is there a way to prevent apps from registering with my Firebase project?
I understand that the registration works on the basis of package name. While it's not possible to publish an app with a duplicate package name, for development it is very much possible.
I created a dummy app, and my dummy app successfully registered with my production project. So, looking for a way to prevent that from happening.
You should be connecting your app to Firebase Emulator for local development.
You can go to Firebase console -> Authentication tab -> Sign-in Method tab, and remove localhost from Authorized domain, that way your app will never connect to production DB.

Firebase Hosting - Store projectId in git version control

One can select a project to deploy their app to, using firebase use PROJECT_ID.
I've an interesting pattern - I've multiple Firebase-hosted applications (projects) on the different branches of a git repo, and I often need to switch between them. When I issue firebase deploy, often it picks the wrong project and deploys there.
Is there a way to configure the projectId for firebase hosting within my code, so that when changing branches, the right project is automatically selected for deployment?
Thank you.

Can you move a firebase hosting site to a different project?

So, I was wondering, is it possible to move a Firebase hosting site to a different project?
I searched through the documentation, but I don't see anything anywhere that says how to do it, or if it is even possible.
There is no built-in operation to move to a new project. But if you're deploying with the Firebase CLI, you can run:
firebase use <new project ID>
And then:
firebase deploy
To deploy the same content to the other project.
If you have your code for the site then you can just create a new folder and use firebase init hosting and initialize hosting in new project.
After that the process of deploying remains the same i.e.
firebase deploy --only hosting
PS: Also if you are using any custom domains, you would have to verify the ownership of the domain again in the new project.

What IAM roles are needed for deploying to Firebase Hosting?

I am trying to give permissions to a third party to make deployments to Firebase Hosting on a project I have set up. I explored the IAM permissions available in the GCP console, and the only half-related role seems to be the Firebase Rules System, however that didn't allow the user to deploy to hosting. While Project Editor would probably work, I don't want to give them that much authority, as they could launch other Firebase products at my expense.
What IAM roles should I add to allow a user to deploy to Firebase Hosting?
Update (2018-11-12): Firebase seems to have added more granular permission settings with their October 28, 2018 release:
The Firebase console now offers predefined Firebase roles. These new roles enable more granular access than the primitive Owner/Editor/Viewer roles. To edit member access for your project, visit the Firebase console Users and permissions page. For more information on roles, see Manage project access with Firebase IAM.
Digging deeper, I found these IAM entries related to hosting: https://firebase.google.com/docs/projects/iam/permissions#hosting
Original answer:
I asked Firebase support and the following was their reply:
To be able to deploy hosting app your developer must be either an
Owner or Editor. So in your case, lowest privilege that you can give
is Editor because currently role-based access restriction for Static
Hosting is unavailable. We're aware that many developers, such as
yourself, would like more extensive and granular control for
permissions. We're exploring potential solutions, but I can't share
any details or timelines at this time.
Keep an eye out on our release notes for any further updates.
