Proper permission for Cloud Build to deploy to Firebase?

1
votes

Permissions recommended for the Cloud Build service account in the official Google documentation and the Firebase CLI community builder docs are insufficient:

  1. In the permissions table, locate the email ending with @cloudbuild.gserviceaccount.com, and click on the pencil icon.
  2. Add Cloud Build Service Account, Firebase Admin and API Keys Admin roles.

I still get the following error in Cloud Build when I do firebase deploy:

Error: HTTP Error: 403, The caller does not have permission

What I've tried is different Firebase IAM roles, Editor, and Owner. So far only the Owner role works. That is way too much privilege for a Cloud Build service account, and violates the least-privilege model.

Everything is in the same Google Cloud project.

Anyone know how to troubleshoot this? Or know which role/permission is missing?

1
firebasefirebase-hostinggoogle-cloud-buildgoogle-iamgoogle-cloud-iam
What specific Firebase services are you deploying? Different permissions are needed depending on which. If Cloud Functions, you also need to add the Cloud Functions Admin role. - Michael Bleigh
So far just Firebase Hosting, but it is good to know for functions we need Cloud Functions Admin. I tried adding Firebase Hosting Admin and it still does not work (I think Firebase Admin covered it anyways). - ahong
Does this answer your question? What IAM roles are needed for deploying to Firebase Hosting? - Deniss Tsokarev
@DenisT. unfortunately I don't think it does. I've tried the Firebase Hosting Admin role which includes the permissions listed on the site and it still does not work. It's possible Firebase did a release and broke their roles. - ahong
It seems like there may be an accidental permission expansion happening somewhere. This might be a bug in Firebase Hosting -- can you please file a bug and mention that Michael Bleigh routed you to do so? - Michael Bleigh

1 Answers

0
votes

tl;dr seems like it was "an accidental permission expansion" that has been corrected.

I am able restrict the roles to:

  1. Cloud Build Service Account
  2. Firebase Admin
  3. API Keys Admin