IAM roles needed for firebase deploy


Alan deLespinasse

Nov 10, 2022, 3:37:01 PM
to Firebase Google Group
I was setting up a CI system to deploy (hosting, functions, storage rules, and Firestore rules), and I noticed that it now prints a warning:

Authenticating with `--token` is deprecated and will be removed in a future major version of `firebase-tools`. Instead, use a service account key with `GOOGLE_APPLICATION_CREDENTIALS`: https://cloud.google.com/docs/authentication/getting-started

So I thought, ok, I'll do that now, shouldn't take too long, right?

...

Several hours later I'm still trying to figure out what IAM roles the service account needs. (Some of that time was spent just figuring out how to securely put a usable certificate in the CI environment; I basically had to put the contents of the certificate file into a secret environment variable, and have the CI script dump that into a file before running the deploy command, then set up an environment variable to point to that file. Luckily I had dealt with service accounts and certificates before; I think lots of Firebase developers probably haven't, and it seems like something that most shouldn't even need to understand.)

The original `firebase init` command helpfully set up a service account for the GitHub Action that it created, but that only deploys to hosting; it doesn't have the permissions needed for functions or security rules.

It's easy enough to add the "Owner" role, but that has tons of permissions that aren't needed for this. I assume that's the reason the --token flag is considered a security problem; the token is probably usually created by an owner, and so it unnecessarily grants all the Owner permissions.

It seems like there really should be a special role for this, shouldn't there? Call it "Firebase deployer" or something. And probably also separate roles for deploying just functions, hosting, or security rules, since some projects don't use them all.

This is exactly what the concept of "roles" is for, after all: collecting all the permissions needed for a particular job in one place and making it easy to grant them all at once.

Barring that, it would be nice to have a definitive list of the roles (and/or the individual permissions) needed for deploying. So far I've failed to find this anywhere. It took me a while to even find the reference docs for what roles exist (they're under "fundamentals" and not really linked from anywhere I've seen in the guides and reference pages), and those are a lot to wade through.

Meanwhile I'm on the verge of giving up and just going back to using the --token flag, even though it will stop working at some unspecified point in the future. It was so easy and effective!

Alan deLespinasse

Nov 22, 2022, 4:40:48 PM
to Firebase Google Group
No one knows anything about this? It seems pretty important for security.

Alan deLespinasse

Jan 5, 2023, 2:26:00 PM
to Firebase Google Group
Well, I was able to create a custom role that seems to work, with a small number of permissions (26). I did this by giving the service account the "Owner" role, then later looking at the permissions that had apparently been used (in the "excess permissions" view available on the "IAM & Admin / IAM" page of the cloud console).

I'm not sure why or when each of them had been used; some may not be needed. In fact there was one permission that seemed to have been used, but I failed to add it to the role because I misunderstood something in the custom role UI, and it worked anyway. So some others may not be needed either.

The permissions I ended up adding were:

appengine.applications.get
artifactregistry.packages.delete
artifactregistry.packages.get
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.operations.get
datastore.indexes.create
datastore.indexes.delete
datastore.indexes.list
datastore.indexes.update
firebase.clients.get
firebase.projects.get
firebasehosting.sites.update
firebaserules.releases.create
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.get
firebaserules.rulesets.test
runtimeconfig.configs.list
secretmanager.versions.get
serviceusage.services.get

This is for a pipeline that deploys using "npx firebase-tools deploy" in a project that uses Firestore, Firebase Hosting, Firebase Cloud Functions, Firebase Auth, and Firebase Storage. (Or actually it's not using Storage yet, but it has a rules file for Storage that presumably is getting deployed.)

I hope this is useful for other people having this problem. Hopefully they'll be able to find this post.
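The two pieces of CI plumbing described in this thread, the secret-to-file dance for `GOOGLE_APPLICATION_CREDENTIALS` from the first post and the least-privilege custom role built from the 26 permissions listed above, as an added shell example. This is not code from the thread or from firebase-tools; it assumes a secret environment variable `FIREBASE_SA_KEY_JSON` holding the service-account key, a project id in `FIREBASE_PROJECT`, a role id `firebaseDeployer`, and a placeholder service-account email, all of which are hypothetical names chosen for the example. It writes the role definition file and prints the `gcloud` commands that would create the role and bind it; it does not contact Google Cloud itself.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): build a least-privilege deployer role
# and handle the CI key file safely. Env var names and the role id are assumed.
set -eu

# The 26 permissions reported in the post, one per line.
DEPLOYER_PERMISSIONS='appengine.applications.get
artifactregistry.packages.delete
artifactregistry.packages.get
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.operations.get
datastore.indexes.create
datastore.indexes.delete
datastore.indexes.list
datastore.indexes.update
firebase.clients.get
firebase.projects.get
firebasehosting.sites.update
firebaserules.releases.create
firebaserules.releases.list
firebaserules.releases.update
firebaserules.rulesets.create
firebaserules.rulesets.get
firebaserules.rulesets.test
runtimeconfig.configs.list
secretmanager.versions.get
serviceusage.services.get'

# Number of permissions in the role (sanity check against the post's count).
count_permissions() {
  printf '%s\n' "$DEPLOYER_PERMISSIONS" | grep -c .
}

# Write the key JSON (argument, or the FIREBASE_SA_KEY_JSON secret) into a
# mode-0600 temp file, export GOOGLE_APPLICATION_CREDENTIALS, print the path.
# The umask is applied in a subshell so it does not leak into the caller.
write_credentials_file() {
  secret="${1:-${FIREBASE_SA_KEY_JSON:-}}"
  [ -n "$secret" ] || { echo "no key material in FIREBASE_SA_KEY_JSON" >&2; return 1; }
  path="$(umask 077 && mktemp "${TMPDIR:-/tmp}/sa-key.XXXXXX")"
  printf '%s\n' "$secret" > "$path"
  chmod 600 "$path"
  export GOOGLE_APPLICATION_CREDENTIALS="$path"
  printf '%s\n' "$path"
}

# Render a role definition in the YAML shape `gcloud iam roles create --file` reads.
write_role_yaml() {
  out="$1"
  {
    echo 'title: "Firebase Deployer"'
    echo 'description: "Least-privilege role for firebase deploy (hosting, functions, rules, indexes)"'
    echo 'stage: "GA"'
    echo 'includedPermissions:'
    printf '%s\n' "$DEPLOYER_PERMISSIONS" | sed 's/^/- /'
  } > "$out"
  printf '%s\n' "$out"
}

# Print (do not run) the commands that create the custom role and grant it
# to the deploy service account instead of Owner or Editor.
print_binding_commands() {
  project="$1"; sa="$2"; role_file="$3"
  cat <<EOF
gcloud iam roles create firebaseDeployer --project="$project" --file="$role_file"
gcloud projects add-iam-policy-binding "$project" \\
  --member="serviceAccount:$sa" \\
  --role="projects/$project/roles/firebaseDeployer"
EOF
}

# Stand-alone demo with constructed placeholder values; nothing is sent to GCP.
ROLE_FILE="$(write_role_yaml "${TMPDIR:-/tmp}/firebase-deployer-role.yaml")"
print_binding_commands "${FIREBASE_PROJECT:-my-project-id}" \
  "${DEPLOY_SA:-github-deploy@my-project-id.iam.gserviceaccount.com}" "$ROLE_FILE"
if [ -n "${FIREBASE_SA_KEY_JSON:-}" ]; then
  write_credentials_file >/dev/null
  echo "GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS"
fi
```

In a CI job the key file step runs before `npx firebase-tools deploy`, and the temp file should be deleted when the job ends. The permission list is exactly the one observed in the post; if a later deploy reports another missing permission, add it to `DEPLOYER_PERMISSIONS` and re-run `gcloud iam roles update` rather than falling back to a broad primitive role.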

Alan deLespinasse

Jan 5, 2023, 7:08:39 PM
to Firebase Google Group
Oh. Except that the deploy doesn't actually work:
  1. It says the deploy to Firebase Hosting worked, but nothing was actually updated.
  2. One of the Cloud Functions doesn't deploy. No reason is given; it just says "Failed to update function [name of function]".
And in spite of the above problems, the firebase deploy command seems to exit without an error code, so GitHub Actions thinks it succeeded.

I've now gone back to using a token generated with "firebase login:ci". It may be deprecated, but its replacement doesn't work and/or isn't sufficiently documented and supported.

This has been extremely frustrating.

Michael Bleigh

Jan 10, 2023, 6:16:43 PM
to fireba...@googlegroups.com
Hi Alan,

Thanks for the feedback. Have you tried assigning the service account in question the "Firebase Develop Admin" role? That should have everything required to perform the actions for firebase deploy and is safer than a user-access credential like login:ci provides.

I think you've identified a clear opportunity for us to more clearly document the necessary roles and permissions for performing various deployment tasks. I'll make sure this gets surfaced to the team.

Cheers,
Michael


Alan deLespinasse

Jan 10, 2023, 10:16:54 PM
to Firebase Google Group
Thanks. I don't remember what all I tried, but actually I think it seemed like it wasn't reliably working even when I gave it the "Owner" role. I'm not sure, I tried a lot of things and had a lot of failures.

Takahashi Shotaro

Jun 9, 2023, 11:31:00 AM
to Firebase Google Group
I enforced the deployment with `Firebase Develop Admin` role and it says `firebaseextensions.instances.list` permission is missing. Giving it the `Editor` role seemed to work.
On Wednesday, January 11, 2023 at 12:16:54 UTC+9, Alan deLespinasse wrote: