firebase-tools
Cloud Billing API check when deploying Functions with Google Workload Identity
[REQUIRED] Environment info
firebase-tools: v13.15.4
Platform: macOS
[REQUIRED] Test case
I'm fairly certain this will work with any function deployed with a workload identity. For example, I have a GH action with the following block (for authentication):
```yaml
- id: auth
  name: Authenticate to GCP
  uses: google-github-actions/auth@v2
  with:
    create_credentials_file: true
    workload_identity_provider: projects/xxxx/locations/global/workloadIdentityPools/github-action-pool/providers/github-action-provider
    service_account: [email protected]
```
[REQUIRED] Steps to reproduce
Deploy using the workload identity provider as above - probably easiest to do in GH actions once you have it set up. Instructions are in the action from Google
[REQUIRED] Expected behavior
Successful deploy.
[REQUIRED] Actual behavior
The CLI is giving me an error that the Cloud Billing API isn't enabled:
Error: HTTP Error: 403, Cloud Billing API has not been used in project 194637951628 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=194637951628 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
I assume, btw, that this API is enabled in the CLI's 'producer project', which is why this check succeeds when I run a deploy locally. I'm not sure what's causing this billing check, but it would be nice to either (1) skip it or (2) enable it, if it really needs to be enabled.
cc: @ifielker and @taeold who dealt with a similar problem recently :)
This is also affecting me and my projects in github actions ubuntu runner.
I'm not sure why, but this check is no longer being made - maybe it was a change in firebase-functions? This might be able to be closed now.
I came across this issue just after upgrading firebase-tools to 13.19.0, while 13.18.0 has no problem.
> I came across this issue just after upgrading firebase-tools to 13.19.0, while 13.18.0 has no problem.
Wait? Is that a good thing or a bad thing?
Have same issue with firebase-tools 13.5.4 and firebase-functions 5.1.1
Hey folks, re-opening this issue so that we can investigate. @JR-RomanZaiats, could you try updating to firebase-tools v13.16.0 or v13.18.0 to see if this would work around the issue?
As an alternative workaround, you can also enable the Cloud Billing API on the project listed in the error message.
To add more information to https://github.com/firebase/firebase-tools/issues/7584#issuecomment-2374019545,
In my environment, the directory structure is like the following.
- my-project/
  - .github/
    - workflows/
      - deploy.yaml
  - package.json
  - package-lock.json
  - functions/
    - package.json
    - package-lock.json
    - index.js
./my-project/package.json declares only firebase-tools as dependency.
./my-project/functions/package.json declares some dependencies including firebase-functions. Its version is pinned to 6.0.1.
If I make ./my-project/package.json use [email protected], the deploy workflow works well.
However once I make ./my-project/package.json use [email protected] the workflow fails with the same error as this issue.
./.github/workflows/deploy.yaml is like the following.
```yaml
name: Deploy
on: workflow_dispatch
jobs:
  deploy:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          access_token_scopes: |
            email
            openid
            https://www.googleapis.com/auth/cloud-platform
            https://www.googleapis.com/auth/firebase
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          create_credentials_file: true
          export_environment_variables: true
      - run: npm ci
      - run: npx firebase deploy --only functions --force --project=my-project
```
@aalej, firebase-tools 13.18.0 with firebase-action 13.18.0 and firebase-functions 5.1.1 works fine, without any issues
Yeah, unfortunately this has come back for me. Not sure why.
But one thing that is likely the culprit is that the Extensions API was just enabled on my last deploy. This project doesn't have any extensions, so that's unexpected.
There's no reason for these APIs to be enabled - and the billing check failing because the API isn't enabled is... unfortunate too.
```
i deploying functions
Running command: npm --prefix functions run build
> build
> tsc
✔ functions: Finished running predeploy script.
i functions: preparing codebase default for deployment
i functions: ensuring required API cloudfunctions.googleapis.com is enabled...
i functions: ensuring required API cloudbuild.googleapis.com is enabled...
i artifactregistry: ensuring required API artifactregistry.googleapis.com is enabled...
✔ functions: required API cloudbuild.googleapis.com is enabled
✔ functions: required API cloudfunctions.googleapis.com is enabled
✔ artifactregistry: required API artifactregistry.googleapis.com is enabled
i functions: Loading and analyzing source code for codebase default to determine what to deploy
Serving at port 8016
i extensions: ensuring required API firebaseextensions.googleapis.com is enabled...
⚠ extensions: missing required API firebaseextensions.googleapis.com. Enabling now...
✔ extensions: required API firebaseextensions.googleapis.com is enabled
i functions: preparing functions directory for uploading...
i functions: packaged /home/runner/work/xxx/xxx/functions (67.82 KB) for uploading
i functions: ensuring required API cloudscheduler.googleapis.com is enabled...
✔ functions: required API cloudscheduler.googleapis.com is enabled
i functions: ensuring required API run.googleapis.com is enabled...
i functions: ensuring required API eventarc.googleapis.com is enabled...
i functions: ensuring required API pubsub.googleapis.com is enabled...
i functions: ensuring required API storage.googleapis.com is enabled...
✔ functions: required API run.googleapis.com is enabled
✔ functions: required API pubsub.googleapis.com is enabled
✔ functions: required API eventarc.googleapis.com is enabled
✔ functions: required API storage.googleapis.com is enabled
i functions: generating the service identity for pubsub.googleapis.com...
i functions: generating the service identity for eventarc.googleapis.com...
Error: HTTP Error: 403, Cloud Billing API has not been used in project xxx before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=xxx then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
```
It is expected that deploying functions (`firebase deploy --only functions`) with firebase-tools >= v13.19.0 and firebase-functions >= 5.1.0 will also deploy any extensions defined in the deploying codebase.
We have released a new feature that allows defining firebase extensions with an autogenerated SDK. You can install the SDK into your Firebase functions codebase of choice and then specify the parameters of the extension in your code using the SDK. When you deploy the codebase, the deploy will detect the extension and deploy it. It will also update/configure/delete extensions as well. As such we need to check for any existing extensions previously defined via SDK in the same codebase. (To see if there is anything to delete even if there are none defined in the code). That's why we need the Extensions API, the firebaseextensions.instances.list permission (granted by Firebase Extensions Viewer role) and the Billing API.
While we can enable required APIs in most cases, the Google Workload Identity case is a bit different and it is expected that this should be enabled manually. Please enable it manually by following the link shown in the error message, wait for a few minutes and then re-run the deploy. It should now succeed.
More information on the new extensions feature: https://firebase.google.com/docs/extensions/install-extensions?platform=sdk&interface=sdk
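A pre-flight step for a Workload Identity deploy job, as an added example that is not part of the thread or of firebase-tools: it fails fast when the Extensions or Cloud Billing API is not enabled, rather than leaving the CLI to enable APIs or stop with a 403 mid-deploy. The function names and the `PREFLIGHT_PROJECT` variable are hypothetical, and the sample service list is constructed.

```shell
#!/bin/sh
# Added example (not firebase-tools code). Pre-flight check for a CI deploy
# job that authenticates with Workload Identity.

# APIs this thread names as needed by the extensions check that
# firebase-tools >= v13.19.0 performs when deploying functions.
REQUIRED_APIS="firebaseextensions.googleapis.com cloudbilling.googleapis.com"

# Print every API from "$@" that is absent from the enabled-services list on
# stdin (one service name per line). Returns 1 if anything is missing.
missing_apis() {
  enabled=$(cat)
  missing=""
  for api in "$@"; do
    # -x: whole-line match, -F: literal string, so substrings never match.
    printf '%s\n' "$enabled" | grep -qxF "$api" || missing="$missing $api"
  done
  [ -z "$missing" ] && return 0
  printf '%s\n' $missing   # unquoted on purpose: one API per line
  return 1
}

# List the services enabled on a project (the caller needs permission to
# list services on that project).
enabled_apis() {
  gcloud services list --enabled --project="$1" --format='value(config.name)'
}

# PREFLIGHT_PROJECT is a hypothetical variable: set it in the workflow step
# that runs before `firebase deploy`.
if [ -n "${PREFLIGHT_PROJECT:-}" ]; then
  if ! out=$(enabled_apis "$PREFLIGHT_PROJECT" | missing_apis $REQUIRED_APIS); then
    echo "Enable these APIs manually on $PREFLIGHT_PROJECT, then re-run:" >&2
    echo "$out" >&2
    exit 1
  fi
else
  # Constructed sample (not real output): Billing API absent, as in the thread.
  printf '%s\n' cloudfunctions.googleapis.com firebaseextensions.googleapis.com |
    missing_apis $REQUIRED_APIS || true
fi
```

Running the check as its own step also makes any change to the project's enabled APIs an explicit, reviewed action instead of a side effect of the deploy.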
I must say this is bananas. Deploying firebase with --token was easy-peasy, but with the service account it requires a crazy amount of setup. Can't this be done directly in firebase console (where I generated the service file in the first place)?
For next time, please document these as breaking changes in the release notes. It broke our CI/CD and it took some time to figure out.
> I must say this is bananas. Deploying firebase with --token was easy-peasy, but with the service account it requires a crazy amount of setup. Can't this be done directly in firebase console (where I generated the service file in the first place)?
+1
It's super complicated and I still don't understand half of what I did + I presume I gave waaay too many permissions for this thing to work. Firebase was supposed to be the "user friendly" layer on top of Google Cloud, but it seems they are fed up with it and pushing us more and more to use Google Cloud directly.
> That's why we need the Extensions API, the firebaseextensions.instances.list permission (granted by Firebase Extensions Viewer role) and the Billing API.
Firebase only supports JSON service account credentials, and Google mentions everywhere that it's the least secure way to manage identity, and Firebase now requests access to the Billing API to manage extensions that we might not use. It doesn't feel "right".
> Google Workload Identity case is a bit different and it is expected that this should be enabled manually
Honestly I understand why it requires a manual check, and it should be a reason not to force it on every firebase project. Especially if you don't need it: everybody is using functions, but not everybody is using autogenerated SDK.
And to add to the confusion, running firebase deploy with a login user doesn't require Billing API to be enabled...