
Creation of Github Actions workflow does not work when service account key creation is prevented

Open IchordeDionysos opened this issue 3 years ago • 3 comments

[REQUIRED] Environment info

firebase-tools: 10.6.0

Platform: macOS

[REQUIRED] Steps to reproduce

  1. Create a new Google Cloud project / organization
  2. Enforce the organizational policy constraints/iam.disableServiceAccountKeyCreation.
  3. Run firebase init hosting
  4. Try to set up GitHub Actions deployments.

[REQUIRED] Expected behavior

There are several levels of support that could be implemented:

  1. Soft-fail: Do not block the whole init just because this org-policy is enabled (this is the minimum that should be done)
  2. Skip adding the secret: Do not add the secret to GitHub, but add all other files for GitHub Actions (put a warning).
  3. Adjust template for Identity Federation: Detect that Workload Identity Federation is required here, so adjust the template for this, so that it's super easy to set up the rest for authentication (but do not yet set up Workload Identity pools, etc.; that would be up to the user)
  4. Set up Workload Identity Federation: Set up everything for workload identity federation when key creation is not possible!
  5. Always use Workload Identity Federation: Never try to use a service account key, but always use Workload Identity Federation (as it's discouraged to use Service Account keys)

At least having 3. would be nice and should be fairly easy to build!

Background reading on GitHub Actions and Workload Identity Federation: https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions

[REQUIRED] Actual behavior

The firebase init command fails with the following error message as it's not possible to create a Service Account key:

...
? For which GitHub repository would you like to set up a GitHub workflow? (format: user/repository) octocat/repo

Error: HTTP Error: 400, Key creation is not allowed on this service account.

IchordeDionysos avatar May 05 '22 00:05 IchordeDionysos
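What the adjusted template from option 3 could look like, as an added example that is not part of this issue or of the firebase-tools code base: a GitHub Actions workflow that authenticates with Workload Identity Federation through google-github-actions/auth instead of a service account key stored as a repository secret. PROJECT_NUMBER, PROJECT_ID, POOL_ID, PROVIDER_ID and the service account name are placeholders.

```yaml
# Added example: Firebase Hosting deploy via Workload Identity Federation (no SA key).
name: Deploy to Firebase Hosting

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token for the exchange

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived Google credentials.
      # Placeholder values: PROJECT_NUMBER, POOL_ID, PROVIDER_ID, PROJECT_ID.
      # The provider's attribute condition should restrict which repository
      # may impersonate the service account (e.g. assertion.repository == 'octocat/repo'),
      # otherwise any GitHub repo could obtain these credentials.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
          service_account: github-deploy@PROJECT_ID.iam.gserviceaccount.com

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # The auth step writes a credentials file and exports GOOGLE_APPLICATION_CREDENTIALS,
      # which the Firebase CLI honours, so no firebaseServiceAccount secret is needed.
      - run: npm ci
      - run: npm install -g firebase-tools
      - run: firebase deploy --only hosting --project PROJECT_ID --non-interactive
```

The credentials are short-lived tokens minted per run, so there is no long-lived key to rotate or leak, which is exactly what the constraints/iam.disableServiceAccountKeyCreation policy is meant to enforce.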

This issue does not seem to follow the issue template. Make sure you provide all the required information.

google-oss-bot avatar May 05 '22 00:05 google-oss-bot

I have the same issue. I had set up the GitHub Actions workflow in the past, and I removed it in an "unclean" manner. I have since tried to reset it but I always get Error: HTTP Error: 400, Precondition check failed. I have removed the old secrets and service account but it still fails. Any way to set it up cleanly?

hugo2410 avatar Jul 18 '23 16:07 hugo2410