action-hosting-deploy
[BUG] Service Account created without cloud functions permissions
New Firebase account, new GCP account.
Timeline:
- On 1st run the API for Cloud Build API was not enabled. CI Failed with link to enable API.
- API enabled in GCP console
- 5 min of wait, while change propagates
- Relaunched the build, still fails with 403 permission error.
Action config
```yaml
# This file was auto-generated by the Firebase CLI
# https://github.com/firebase/firebase-tools
name: Deploy to Firebase Hosting on merge
"on":
  push:
    branches:
      - master
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm ci && npm run build
        working-directory: src
      # https://github.com/FirebaseExtended/action-hosting-deploy/issues/251
      - run: /usr/local/bin/npx firebase-tools@latest experiments:enable webframeworks
      - uses: FirebaseExtended/action-hosting-deploy@v0
        with:
          repoToken: "${{ secrets.GITHUB_TOKEN }}"
          firebaseServiceAccount: "${{ secrets.FIREBASE_SERVICE_ACCOUNT_REFRAMED_XXX }}"
          channelId: live
          projectId: reframed-XXX
```
Error message
```
Error: HTTP Error: 403, Permission denied to get service [cloudfunctions.googleapis.com]
Help Token: AZWD64qjGY7kpTyVX0ZKnHv4y7i-P-c1SxiKSbJevd0hA3JJINEVy0MJG_B1SKeytwFfbgMNo5v4yLffFVRBLI6mS80E_Ad4Ld5fNPkgpj6ia8pD
[2022-11-08T10:56:59.367Z] Error Context: ***
  "body": ***
    "error": ***
      "code": 403,
      "message": "Permission denied to get service [cloudfunctions.googleapis.com]\nHelp Token: AZWD64qjGY7kpTyVX0ZKnHv4y7i-P-c1SxiKSbJevd0hA3JJINEVy0MJG_B1SKeytwFfbgMNo5v4yLffFVRBLI6mS80E_Ad4Ld5fNPkgpj6ia8pD",
      "status": "PERMISSION_DENIED",
      "details": [
        ***
          "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
          "violations": [
            ***
              "type": "googleapis.com",
              "subject": "?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.get&resource=projects/reframed-XXX"
            ***
          ]
        ***,
        ***
          "@type": "type.googleapis.com/google.rpc.ErrorInfo",
          "reason": "AUTH_PERMISSION_DENIED",
          "domain": "serviceusage.googleapis.com",
          "metadata": ***
            "service": "serviceusage.googleapis.com",
            "permission": "serviceusage.services.get",
            "resource": "projects/reframed-XXX"
          ***
        ***
      ]
    ***
  ***,
  "response": ***
    "statusCode": 403
  ***
***
```
Here are the permissions created for the service account by the firebase-tools CLI
Summary
To get it to work I had to
1 - Enable the following APIs:
- Cloud Build
- Cloud Functions
- Artifact Registry
2 - Grant to the service account the following permissions:
- Cloud Functions Admin
- Artifact Registry Administrator
The deploy is still not working for me, however, for different reasons (will open a follow-up bug).
I can fix this issue by adding these 3 IAM roles.
- Cloud Build Service Account (Can perform builds)
- Service Account User (Run operations as the service account)
- Firebase Admin (Full access to Firebase products)
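
Added example, not part of the original issue or of firebase-tools: a Python sketch that reads the masked error context from the report and extracts the permission that was actually denied (`serviceusage.services.get` on the project, although the headline names `cloudfunctions.googleapis.com`), which is the value to check before granting admin-level roles. It assumes each `***` is a `{` or `}` masked by the CI runner; `MASKED_LOG`, `unmask` and `denied_permissions` are hypothetical names, and the sample is a shortened, constructed copy of the log.

```python
import json

# Constructed sample: shortened copy of the masked "Error Context" from the log above.
MASKED_LOG = """[2022-11-08T10:56:59.367Z] Error Context: ***
"body": ***
"error": ***
"status": "PERMISSION_DENIED",
"details": [
***
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "AUTH_PERMISSION_DENIED",
"metadata": ***
"service": "serviceusage.googleapis.com",
"permission": "serviceusage.services.get",
"resource": "projects/reframed-XXX"
***
***
]
***
***,
"response": ***
"statusCode": 403
***
***"""

def unmask(log):
    """Rebuild JSON, assuming every *** is a brace the CI runner masked."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    lines[0] = lines[0].split("Error Context:", 1)[1].strip()
    out = []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.endswith(": ***"):
            line = line[:-3] + "{"
        elif line == "***" and nxt.startswith('"'):
            line = "{"  # a lone *** followed by a "key" line opens an object
        elif line in ("***", "***,"):
            line = line.replace("***", "}")
        out.append(line)
    return json.loads("\n".join(out))

def denied_permissions(ctx):
    """Return (permission, service, resource) from each google.rpc.ErrorInfo detail."""
    found = []
    for d in ctx["body"]["error"].get("details", []):
        if d.get("@type", "").endswith("google.rpc.ErrorInfo"):
            m = d.get("metadata", {})
            found.append((m.get("permission"), m.get("service"), m.get("resource")))
    return found
```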