Service Usage Consumer Role breaks user account access #7209

Open
1 of 2 tasks
rosera opened this issue May 22, 2024 · 4 comments
Comments

@rosera
rosera commented May 22, 2024

Environment info

firebase-tools:
firebase cli v13.8.0

Debian v12

Platform:
Google CloudShell
firebase cli v13.8.0 and gcloud SDK v475.0.0

Test case

Testing

Tests were conducted using firebase cli v13.8.0 and gcloud SDK v475.0.0.

  • Pass: The service account was able to access the firebase project as the correct permission appears to be available.
  • Fail: The user account is unable to access the firebase project. I have provided the error log below.

Steps to reproduce

In testing, I used both a user account (on CloudShell - Debian 12) and a service account (via GCE instance Debian 12).

The test project includes a Firebase project accessed from Google Cloud Shell. The Firebase project features a Firestore database. Logging into the project was successful, however I was unable to access any services e.g.:

  • projects:list - see output below:
  • setting up Firestore rules - same error relating to the service account

Expected behavior

I am facing issues when using a user account to access Firebase using the CLI tool. I believe the issue relates to the below PR.

Ref: PR

Both user and service accounts should be able to access the firebase project services when using only the roles/firebase.admin permission.

Actual behavior

When using CloudShell on Google Cloud, the user account has been given the roles/firebase.admin permission. Previously this had been working since the end-of-2023 deployment in a lab delivered on the CloudSkillsBoost site.

The internal link for this is b/341023115

After the recent changes to the Firebase CLI referenced above, the user account with roles/firebase.admin is no longer able to access Firebase projects using the CLI tool. The response indicates an additional service account permission is required (i.e. roles/serviceusage.serviceUsageConsumer).

I believe the relevant change is here: PR.

Error Log

I have the following information from firebase-debug-log:

[debug] [2024-05-22T09:44:10.933Z] ----------------------------------------------------------------------
[debug] [2024-05-22T09:44:10.935Z] Command:       /usr/local/nvm/versions/node/v20.13.0/bin/node /usr/local/nvm/versions/node/v20.13.0/bin/firebase projects:list
[debug] [2024-05-22T09:44:10.936Z] CLI Version:   13.8.0
[debug] [2024-05-22T09:44:10.936Z] Platform:      linux
[debug] [2024-05-22T09:44:10.936Z] Node Version:  v20.13.0
[debug] [2024-05-22T09:44:10.936Z] Time:          Wed May 22 2024 09:44:10 GMT+0000 (Coordinated Universal Time)
[debug] [2024-05-22T09:44:10.936Z] ----------------------------------------------------------------------
[debug]
[debug] [2024-05-22T09:44:10.950Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[debug] [2024-05-22T09:44:10.951Z] > authorizing via signed-in user (student-02-dc607bdcab12@qwiklabs.net)
[debug] [2024-05-22T09:44:10.959Z] >>> [apiv2][query] GET https://firebase.googleapis.com/v1beta1/projects pageSize=1000
[debug] [2024-05-22T09:44:11.336Z] <<< [apiv2][status] GET https://firebase.googleapis.com/v1beta1/projects 403
[debug] [2024-05-22T09:44:11.337Z] <<< [apiv2][body] GET https://firebase.googleapis.com/v1beta1/projects [omitted]
[debug] [2024-05-22T09:44:11.338Z] HTTP Error: 403, Caller does not have required permission to use project qwiklabs-gcp-01-c80f0bc444a8. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=qwiklabs-gcp-01-c80f0bc444a8 and then retry. Propagation of the new permission may take a few minutes.
[debug] [2024-05-22T09:44:11.340Z] FirebaseError: HTTP Error: 403, Caller does not have required permission to use project qwiklabs-gcp-01-c80f0bc444a8. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=qwiklabs-gcp-01-c80f0bc444a8 and then retry. Propagation of the new permission may take a few minutes.
    at responseToError (/usr/local/nvm/versions/node/v20.13.0/lib/node_modules/firebase-tools/lib/responseToError.js:49:12)
    at RetryOperation._fn (/usr/local/nvm/versions/node/v20.13.0/lib/node_modules/firebase-tools/lib/apiv2.js:305:77)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[error]
[error] Error: Failed to list Firebase projects. See firebase-debug.log for more info.
@aalej
Contributor
aalej commented May 23, 2024

Hey @rosera, sorry to hear you encountered this issue, and thanks for the detailed report. Just to verify, are you setting the environment variable GOOGLE_CLOUD_QUOTA_PROJECT (I think on Google Cloud Shell it’s set by default)? If so, could you try temporarily unsetting the variable before running the firebase commands to see if there would be any changes in the behavior?

I’m trying to replicate this locally, but so far I’m only able to reproduce the issue if GOOGLE_CLOUD_QUOTA_PROJECT is set. Just to note, I’m running this on macOS instead of the Google Cloud Shell.

@aalej aalej added the Needs: Author Feedback Issues awaiting author feedback label May 23, 2024
@rosera
Author
rosera commented May 23, 2024

Hi @aalej ,

Checking the environment variable GOOGLE_CLOUD_QUOTA_PROJECT it contains the project_id.

Testing

  • With GOOGLE_CLOUD_QUOTA_PROJECT value set, the error reported is displayed.
  • Removing the GOOGLE_CLOUD_QUOTA_PROJECT value, the projects list is displayed (No error).

I checked the above using the Qwiklabs environment and my personal account and both populate the GOOGLE_CLOUD_QUOTA_PROJECT variable with the project_id by default.
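An added diagnostic that encodes the finding of the two posts above (my example, not firebase-tools code): it parses the 403 text from the debug log, compares the named project with GOOGLE_CLOUD_QUOTA_PROJECT, and tells an operator whether to unset the variable for the session or grant the missing permission. The assumption that a set quota project makes the CLI require serviceusage.services.use on that project is mine, consistent with the thread; the testIamPermissions endpoint is Resource Manager's standard API and the sample message is constructed from the log above.

```python
import re

# Shape of the 403 body quoted in the issue's firebase-debug.log above.
_QUOTA_403 = re.compile(
    r"permission to use project (?P<project>[\w-]+)\. Grant the caller the "
    r"(?P<role>roles/[\w.]+) role, or a custom role with the "
    r"(?P<permission>[\w.]+) permission"
)

# Constructed sample: the message from the log above, trimmed to its first sentences.
SAMPLE_403 = (
    "HTTP Error: 403, Caller does not have required permission to use project "
    "qwiklabs-gcp-01-c80f0bc444a8. Grant the caller the roles/serviceusage."
    "serviceUsageConsumer role, or a custom role with the serviceusage.services.use "
    "permission, by visiting the IAM page and then retry."
)

def parse_quota_403(message):
    """Return {project, role, permission} from a serviceusage 403, else None."""
    m = _QUOTA_403.search(message)
    return m.groupdict() if m else None

def diagnose(env, message):
    """Classify a firebase CLI 403 against the session's quota-project setting.
    Assumption (mine, consistent with the thread): with GOOGLE_CLOUD_QUOTA_PROJECT
    set, calls are attributed to that project, so the caller also needs
    serviceusage.services.use there, which roles/firebase.admin alone lacks."""
    parsed = parse_quota_403(message)
    if parsed is None:
        return {"quota_project_case": False, "action": "not a serviceusage 403"}
    quota = env.get("GOOGLE_CLOUD_QUOTA_PROJECT")
    if quota == parsed["project"]:
        return {
            "quota_project_case": True,
            "quota_project": quota,
            "action": "unset GOOGLE_CLOUD_QUOTA_PROJECT for this session, or grant "
            f"{parsed['role']} ({parsed['permission']}) on {quota}",
        }
    return {
        "quota_project_case": False,
        "action": f"caller lacks {parsed['permission']} on {parsed['project']}; "
        "the quota-project variable is not the cause",
    }

def iam_check_request(project, permission="serviceusage.services.use"):
    """URL and JSON body for Resource Manager's testIamPermissions, which an admin
    can POST with a bearer token to confirm the grant before rerunning the CLI."""
    url = f"https://cloudresourcemanager.googleapis.com/v1/projects/{project}:testIamPermissions"
    return url, {"permissions": [permission]}
```

Run `diagnose(dict(os.environ), error_text)` in Cloud Shell to classify the failure; the least-privilege remedy for a lab user is unsetting the variable rather than adding roles/serviceusage.serviceUsageConsumer.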

@google-oss-bot google-oss-bot added Needs: Attention and removed Needs: Author Feedback Issues awaiting author feedback labels May 23, 2024
@aalej
Contributor
aalej commented May 23, 2024

Thanks for verifying @rosera. I’ll raise this to our engineering team to see what we could do to address this issue. I’ll also mark this as reproducible.

@rosera
Author
rosera commented Jun 20, 2024

@aalej @joehan Are there any updates that can be shared for this issue?
