Platform:
Google CloudShell firebase cli v13.8.0 and gcloud SDK v475.0.0
Test case
Testing
Tests were conducted using firebase cli v13.8.0 and gcloud SDK v475.0.0.
Pass: The service account was able to access the firebase project as the correct permission appears to be available.
Fail: The user account is unable to access the firebase project. I have provided the error log below.
Steps to reproduce
In testing, I used both a user account (on CloudShell - Debian 12) and a service account (via GCE instance Debian 12).
The test project includes a Firebase project accessed from Google Cloud Shell. The Firebase project features a Firestore database. Logging into the project was successful, however I was unable to access any services e.g.:
projects:list - see output below:
set up Firestore rules - same error relating to the service account
Expected behavior
Facing issues when using a user account to access Firebase using the CLI tool. I believe the issue relates to the below PR.
Both user and service accounts should be able to access the firebase project services when using only the roles/firebase.admin permission.
Actual behavior
When using CloudShell on Google Cloud, where the user account has been given roles/firebase.admin permission. Previously this has been working since the end of 2023 deployment in a lab delivered on the CloudSkillsBoost site.
After the above some recent changes to Firebase cli, the user account with roles/firebase.admin is no longer able to access Firebase projects using the cli tool. The response indicates an additional service account permission is required (i.e. roles/serviceusage.serviceUsageConsumer).
I have the following information from firebase-debug-log:
[debug] [2024-05-22T09:44:10.933Z] ----------------------------------------------------------------------
[debug] [2024-05-22T09:44:10.935Z] Command: /usr/local/nvm/versions/node/v20.13.0/bin/node /usr/local/nvm/versions/node/v20.13.0/bin/firebase projects:list
[debug] [2024-05-22T09:44:10.936Z] CLI Version: 13.8.0
[debug] [2024-05-22T09:44:10.936Z] Platform: linux
[debug] [2024-05-22T09:44:10.936Z] Node Version: v20.13.0
[debug] [2024-05-22T09:44:10.936Z] Time: Wed May 22 2024 09:44:10 GMT+0000 (Coordinated Universal Time)
[debug] [2024-05-22T09:44:10.936Z] ----------------------------------------------------------------------
[debug]
[debug] [2024-05-22T09:44:10.950Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[debug] [2024-05-22T09:44:10.951Z] > authorizing via signed-in user (student-02-dc607bdcab12@qwiklabs.net)
[debug] [2024-05-22T09:44:10.959Z] >>> [apiv2][query] GET https://firebase.googleapis.com/v1beta1/projects pageSize=1000
[debug] [2024-05-22T09:44:11.336Z] <<< [apiv2][status] GET https://firebase.googleapis.com/v1beta1/projects 403
[debug] [2024-05-22T09:44:11.337Z] <<< [apiv2][body] GET https://firebase.googleapis.com/v1beta1/projects [omitted]
[debug] [2024-05-22T09:44:11.338Z] HTTP Error: 403, Caller does not have required permission to use project qwiklabs-gcp-01-c80f0bc444a8. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=qwiklabs-gcp-01-c80f0bc444a8 and then retry. Propagation of the new permission may take a few minutes.
[debug] [2024-05-22T09:44:11.340Z] FirebaseError: HTTP Error: 403, Caller does not have required permission to use project qwiklabs-gcp-01-c80f0bc444a8. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=qwiklabs-gcp-01-c80f0bc444a8 and then retry. Propagation of the new permission may take a few minutes.
at responseToError (/usr/local/nvm/versions/node/v20.13.0/lib/node_modules/firebase-tools/lib/responseToError.js:49:12)
at RetryOperation._fn (/usr/local/nvm/versions/node/v20.13.0/lib/node_modules/firebase-tools/lib/apiv2.js:305:77)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[error]
[error] Error: Failed to list Firebase projects. See firebase-debug.log for more info.
Hey @rosera, sorry to hear you encountered this issue, and thanks for the detailed report. Just to verify, are you setting the environment variable GOOGLE_CLOUD_QUOTA_PROJECT (I think on Google Cloud Shell it’s set by default)? If so, could you try temporarily unsetting the variable before running the firebase commands to see if there would be any changes in the behavior?
I’m trying to replicate this locally, but so far I’m only able to reproduce the issue if GOOGLE_CLOUD_QUOTA_PROJECT is set. Just to note, I’m running this on macOS instead of the Google Cloud Shell.
Checking the environment variable GOOGLE_CLOUD_QUOTA_PROJECT it contains the project_id.
Testing
With GOOGLE_CLOUD_QUOTA_PROJECT value set, the error reported is displayed.
Removing the GOOGLE_CLOUD_QUOTA_PROJECT value, the projects list is displayed (No error).
I checked the above using the Qwiklabs environment and my personal account and both populate the GOOGLE_CLOUD_QUOTA_PROJECT variable with the project_id by default.
Thanks for verifying @rosera. I’ll raise this to our engineering team to see what we could do to address this issue. I’ll also mark this as reproducible.
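An added example, not part of the issue thread or of firebase-tools: a small shell triage for the 403 discussed above. It checks whether the project named in the error is the one held in GOOGLE_CLOUD_QUOTA_PROJECT before any extra role is granted, and re-runs a command without the variable as was done in the thread. The function names and the sample log's project id are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not firebase-tools code): triage the 403 from this issue.

# Print the project id named in the first "required permission to use project" 403.
denied_project() {
  sed -n 's/.*HTTP Error: 403, Caller does not have required permission to use project \([a-z0-9-]*\)\. .*/\1/p' "$1" | head -n 1
}

# Classify a debug log against the current environment. Prints one of:
#   no-403         no such 403 in the log
#   quota-project  the 403 names the project in GOOGLE_CLOUD_QUOTA_PROJECT
#   other          403 present, variable unset or naming a different project
classify_403() {
  _proj="$(denied_project "$1")"
  if [ -z "$_proj" ]; then
    echo "no-403"
  elif [ "$_proj" = "${GOOGLE_CLOUD_QUOTA_PROJECT:-}" ]; then
    echo "quota-project"
  else
    echo "other"
  fi
}

# Run one command with the variable removed for that process only;
# the calling shell's environment is left untouched.
without_quota_project() {
  env -u GOOGLE_CLOUD_QUOTA_PROJECT "$@"
}

# Constructed sample log (the project id is a placeholder, not from the issue).
write_sample_log() {
  cat > "$1" <<'EOF'
[debug] [2024-01-01T00:00:00.000Z] >>> [apiv2][query] GET https://firebase.googleapis.com/v1beta1/projects pageSize=1000
[debug] [2024-01-01T00:00:00.400Z] <<< [apiv2][status] GET https://firebase.googleapis.com/v1beta1/projects 403
[debug] [2024-01-01T00:00:00.401Z] HTTP Error: 403, Caller does not have required permission to use project example-project-123. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission
[error] Error: Failed to list Firebase projects. See firebase-debug.log for more info.
EOF
}

sample="$(mktemp)"
write_sample_log "$sample"
( GOOGLE_CLOUD_QUOTA_PROJECT=example-project-123; classify_403 "$sample" )
rm -f "$sample"
# On a real host: classify_403 firebase-debug.log, then
#   without_quota_project firebase projects:list
```

A `quota-project` result followed by a successful run under `without_quota_project` matches the behaviour confirmed in the thread, which is worth knowing before adding roles/serviceusage.serviceUsageConsumer to an account that was meant to hold only roles/firebase.admin.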
Environment info
firebase-tools:
firebase cli v13.8.0
Debian v12
Ref: PR
The internal link for this is b/341023115
).I believe the relevant change is here: PR.