What IAM roles are needed for deploying to Firebase Hosting? - firebase

I am trying to give permissions to a third party to make deployments to Firebase Hosting on a project I have set up. I explored the IAM permissions available in the GCP console, and the only half-related role seems to be the Firebase Rules System, however that didn't allow the user to deploy to hosting. While Project Editor would probably work, I don't want to give them that much authority, as they could launch other Firebase products at my expense.
What IAM roles should I add to allow a user to deploy to Firebase Hosting?

Update (2018-11-12): Firebase seems to have added more granular permission settings with their October 28, 2018 release:
The Firebase console now offers predefined Firebase roles. These new roles enable more granular access than the primitive Owner/Editor/Viewer roles. To edit member access for your project, visit the Firebase console Users and permissions page. For more information on roles, see Manage project access with Firebase IAM.
Digging deeper, I found these IAM entries related to hosting: https://firebase.google.com/docs/projects/iam/permissions#hosting
Original answer:
I asked Firebase support and the following was their reply:
To be able to deploy hosting app your developer must be either an
Owner or Editor. So in your case, lowest privilege that you can give
is Editor because currently role-based access restriction for Static
Hosting is unavailable. We're aware that many developers, such as
yourself, would like more extensive and granular control for
permissions. We're exploring potential solutions, but I can't share
any details or timelines at this time.
Keep an eye out on our release notes for any further updates.

Related

Which Roles are needed in IAM in order to do a firebase deploy

I'm trying to add the needed roles for a CI pipeline to automatically deploy to Firebase (by running firebase deploy).
The roles I've added so far are:
API Keys viewer
Artifact registry writer
Cloud build Service Account
Cloud Functions Admin
Cloud Run Viewer
Firebase App distribution admin
Firebase Authentication admin
firebase hosting admin
firebase rules admin
service account user
service usage admin
Honestly, at this point I'm just adding what sounds good, as the error message is not helpful:
There was an issue deploying your functions. Verify that your project
has a Google App Engine instance setup at
https://console.cloud.google.com/appengine and try again. If this
issue persists, please contact support.
It works when adding the Owner permission, so this is a permission issue.
As you want to deploy the entire project, the most applicable role would be Firebase Admin.
I use it in Portuguese, so the translation in English may be different.
For deploying the hosting app, the IAM role must be either Owner or Editor. In my experience, updating to the latest version of the Node package/Firebase tools sometimes resolves the issue.
npm install -g firebase-tools
It will provide the globally accessible firebase command.
For reference: https://firebase.google.com/docs/projects/iam/roles
For any deployments, you need the first Firebase token which is GCP_SA_key for whatever you want to deploy or update.
There are different scenarios; let me elaborate with references:
Cloud Functions Developer IAM role for deploying functions.
Cloud Scheduler Admin IAM role for scheduling your functions.
Service Account User IAM role: by default, the service account using App Engine for the deployment process requires the Service Account User role.
You need more roles to update Firestore rules, indexes, and files:
Firebase Rules Admin role for updating Firestore rules.
Cloud Datastore Index Admin role for updating Firestore indexes.
Firebase Hosting Admin role for updating files.
Further details reference added: GitHub Integration/deployments roles
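As an added example (not part of the original answers), the sketch below audits a project IAM policy, in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, for a deploy identity that still holds Owner or Editor, and lists which of the granular roles named in the answer above it lacks for the chosen deploy targets. The target labels, the sample policy, the project ID and the member names are constructed for illustration.

```python
import json

# Role IDs for the role names listed in the answer above, grouped by what is
# deployed. The target labels (dict keys) are made up for this example.
ROLES_BY_TARGET = {
    "hosting": {"roles/firebasehosting.admin"},
    "functions": {"roles/cloudfunctions.developer", "roles/iam.serviceAccountUser"},
    "scheduled-functions": {"roles/cloudscheduler.admin"},
    "firestore-rules": {"roles/firebaserules.admin"},
    "firestore-indexes": {"roles/datastore.indexAdmin"},
}
# Primitive roles that allow far more than a deploy needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}

def audit(policy, member, targets):
    """Compare the roles `member` holds with what the deploy targets need.
    IAM conditions on bindings are ignored in this sketch."""
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}
    needed = set().union(*(ROLES_BY_TARGET[t] for t in targets))
    return {
        "broad": sorted(held & BROAD_ROLES),              # drop after granting "missing"
        "missing": sorted(needed - held),                 # grant these first
        "unneeded": sorted(held - needed - BROAD_ROLES),  # review: not needed for these targets
    }

def remediation(project, member, report):
    """Render gcloud commands for a report: grants first, then removals."""
    cmd = "gcloud projects {}-iam-policy-binding {} --member={} --role={}"
    grants = [cmd.format("add", project, member, r) for r in report["missing"]]
    drops = [cmd.format("remove", project, member, r) for r in report["broad"]]
    return grants + drops

# Constructed sample policy; not taken from any real project.
CI = "serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": ["%s"]},
  {"role": "roles/firebasehosting.admin",
   "members": ["%s", "user:contractor@example.com"]},
  {"role": "roles/run.viewer", "members": ["%s"]}
]}""" % (CI, CI, CI))

if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, CI, ["hosting", "functions"])
    print(json.dumps(report, indent=2))
    print("\n".join(remediation("example-project", CI, report)))
```
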

Unable to deploy ARM template with all required Permissions

My requirement is to deploy an arm template using Azure pipelines.
I am referring to this document: Deploying ARM Templates using Azure DevOps Pipelines – Thomas Thornton. I don't think I have missed anything.
But I got the below error:
Exception Details: (InsufficientPrivilegesForManagedServiceResource) The requested user doesn't have sufficient privileges to perform the operation.
I have enough permissions to perform this but I do not know why I am getting this error
Api permissions
What permissions am I missing? Any suggestions??
The error "Insufficient permissions for deploying ARM template" usually occurs if any required permissions to perform the action are missing.
Please note that if you are deploying the ARM template at subscription level, then you have to grant permissions at subscription-level scope.
Try assigning the permissions at subscription level to resolve the error. You must have either the Global Admin role or the Owner role for your subscription.
You can refer to this MsDoc to do the same.
You can also enable Access management for Azure resources as below:
Go to Azure Portal -> Azure Active Directory -> Properties -> Access management for Azure resources
You can refer to a similar issue that I solved in this SO thread.

How to prevent registration to Firebase project?

As per the Firebase documentation, the contents of google-services.json are considered public. These can be easily retrieved by decompiling the apk.
If so, is there a way to prevent apps from registering with my Firebase project?
I understand that the registration works on the basis of package name. While it's not possible to publish an app with a duplicate package name, for development it is very much possible.
I created a dummy app, and my dummy app successfully registered with my production project. So, looking for a way to prevent that from happening.
You should be connecting your app to Firebase Emulator for local development.
You can go to Firebase console -> Authentication tab -> Sign-in Method tab, and remove localhost from Authorized domain, that way your app will never connect to production DB.

Can firebase "deploy access" be restricted?

We are bringing in a new developer for our Firebase web app project, who will start out by just learning the code in his local environment.
Since the new developer will be running Firebase CLI in the local env., is there a way to set up his initial role on the project such that he is [not able] to run firebase deploy commands?
~~~~~~~~~~~~~~~~~~~~~~~~~
I did find this doc from Google:
https://cloud.google.com/iam/docs/understanding-roles?_ga=2.49153190.-1888993.1468450573#curated_roles
It discusses deploy access in section: App Engine Roles .. not sure if that is for Firebase as well.
If so, are there any additional references for how to go about applying these kinds of roles to a Firebase project?
Anyone who has the "editor" or "owner" role for a project will be able to deploy (and generally make any other changes to the project). If you don't want an account to be able to deploy, don't give either of those roles.

Is there a way to show all apps deployed to your Meteor developer account?

I just signed up for a Meteor developer account and deployed my first app. I have searched and seen the blog post on the developer account, but I have not found any information on how to log in and view a list of all apps deployed to your account.
So for example after
meteor login
you could type
meteor list
and it would list all the apps deployed to this account
but I have not found any such command and I am wondering if it exists?
Update
The command has since been added. Use:
meteor list-sites
Make sure you're logged in first. Use meteor login to log in, if you're not already.
At the moment this feature is not yet available. It should be available soon, according to the discussions on meteor-talk, with an API call and a meteor command like 'list'.
The apps listed on your Meteor Developer account are not the same as your deployed apps. The apps listed there are the ones that have access to your meteor developer account via OAuth.
More Info:
https://groups.google.com/forum/#!topic/meteor-talk/QPlmTfYf5gM
https://groups.google.com/forum/#!topic/meteor-talk/xFmGbAsmIck
You can view your Developer Account Apps from the Meteor Account settings page
Once you log in, you will see all of your apps listed under "Your Developer Account Apps"
The command has been added. Use
meteor list-sites
To show all apps deployed to your account.
