
What I did:

What I want to execute:

gcloud firebase test android run --app ./app/build/outputs/apk/app-debug.apk

The error I get:

ERROR: (gcloud.firebase.test.android.run) Unable to access the test environment catalog: ResponseError 403: Not authorized for project <project-id>

Question

What am I doing wrong? I tried to add the service account under IAM with all Service-Account rules, but this didn't help.

Is it possible to enable these APIs specially for the service-account? I did so only for the complete project and gmail account: Enable required APIs. After logging in using the service account: "In the Google Developers Console API Library page, enable the Google Cloud Testing API and Cloud Tool Results API. To enable these APIs, type these API names into the search box at the top of the console, and then click Enable API on the overview page for that API."

My steps so far in detail:

docker exec -it container bash

export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
sudo apt-get update && sudo apt-get install google-cloud-sdk
gcloud init

# only if this service account does not already exist:
# gcloud iam service-accounts create continuous-integration

gcloud iam service-accounts keys create $JENKINS_HOME/gce-continuous-integration-key.json --iam-account=continuous-integration@<project-id>.iam.gserviceaccount.com

gcloud auth activate-service-account continuous-integration@<project-id>.iam.gserviceaccount.com --key-file=$JENKINS_HOME/gce-continuous-integration-key.json

gcloud auth login continuous-integration@<project-id>.iam.gserviceaccount.com

jenkins@VM:/$ gcloud config list
# returns:
[compute]
region = europe-west3
zone = europe-west3-c
[core]
account = continuous-integration@<project-id>.iam.gserviceaccount.com
disable_usage_reporting = True
project = <project-id>
Your active configuration is: [default]
hb0
  • Whenever I've seen similar 403 errors in the past, it was usually due to one of two things. Either: A mixup was causing a different service account to be used for the gcloud firebase test android run command; or The service account was assigned a role (or roles) that did not allow it to invoke the Testing and ToolResults APIs. – P. Davis Oct 24 '17 at 20:36
  • What role(s) does your service account have on the IAM page in the Developers console? – P. Davis Oct 24 '17 at 20:43
  • Thanks for taking the time to reply. Currently I assigned: Service Account Admin, -User, -Key Admin, - Token Creator. I did not find any clear resources on which roles this account needs in order to work with this Firebase command. – hb0 Oct 25 '17 at 07:19
  • (2) This command: gcloud firebase test android run --log-http --verbosity=debug --app *** only shows me that the correct project is selected, not which account is used. (3) gcloud auth list => shows me => ACTIVE ACCOUNT * continuous-integration@.iam.gserviceaccount.com (selected) – hb0 Oct 25 '17 at 07:25
  • Can you try giving the service account Project Editor privileges in the IAM page? To run FTL tests, the auth needs to allow gcloud to create several types of resources (test matrices, Tool results, intermediate and result files stored in Cloud Storage). – P. Davis Oct 25 '17 at 18:04
  • You are a genius !! Thank you so much, it works now. ;-) Where did you find the info that these permissions are required? Did I oversee it in Google's Guide? If you want, add your solution as an answer, then I'll accept it. – hb0 Oct 26 '17 at 08:56
  • Added answer. This editor role is noted at the following site, but should be added to the Firebase doc page you linked. http://engineering.dailymotion.com/running-firebase-test-lab-on-travis-ci/ – P. Davis Oct 26 '17 at 20:43
  • I think the answer to the question "Is it possible to enable these APIs specially for the service-account? I did so only for the complete project and gmail account: Enable required APIs. After logging in using the service account:" is that it has to be done for the complete project, not the service account. But I could be wrong. – Michael Osofsky Aug 16 '19 at 01:29

2 Answers


Try giving the service account Project->Editor privileges in the IAM page. To run Firebase Test Lab tests, the authorization needs to allow gcloud to create several types of Cloud resources (test matrices, tool results) as well as to write intermediate and final test result files into your project's Cloud Storage bucket.

P. Davis
  • Thank you very much. I informed the Firebase support that they should mention this required permission on their guide. – hb0 Oct 27 '17 at 07:43
  • Adding the Editor role on the main IAM page (/iam-admin/iam) really works, thanks! But I think it's worth mentioning that the IAM menu has a Service Accounts submenu where you can also add roles, like Editor. However, adding the role to your service account there won't do anything, so beware (at least the test command won't work)! – slaci Jan 05 '23 at 08:23
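
The project-level grant described in the answer and comments above, as an added shell example that is not part of the original posts: it lists the roles bound to a service account in the project IAM policy and adds the missing one. The function names are hypothetical, the role defaults to `roles/editor` as in the answer, and the project ID and service account e-mail are supplied by the caller.

```shell
# Added example (not from the original posts). Function names are hypothetical.
# These functions read and change the *project* IAM policy, which is what the
# main IAM page edits. The Service Accounts submenu edits the policy on the
# service account resource itself (who may use the account), which is a
# different policy and does not give the account access to project APIs.

# Print every role bound to the service account in the project IAM policy.
sa_project_roles() {
  local project="$1" sa="$2"
  gcloud projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --filter="bindings.members:${sa}" \
    --format="value(bindings.role)"
}

# Succeed only if the service account holds exactly this role on the project.
sa_has_project_role() {
  local project="$1" sa="$2" role="$3"
  sa_project_roles "$project" "$sa" | grep -Fxq "$role"
}

# Bind the role on the project if it is missing; print what was done.
ensure_project_role() {
  local project="$1" sa="$2" role="${3:-roles/editor}"
  if sa_has_project_role "$project" "$sa" "$role"; then
    echo "already-bound"
  else
    gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${sa}" \
      --role="$role" >/dev/null
    echo "granted"
  fi
}
```

Source the file and call `ensure_project_role <project-id> continuous-integration@<project-id>.iam.gserviceaccount.com` from an account that is allowed to change the project IAM policy; `sa_project_roles` alone is read-only and shows what the CI account can currently do.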

The Editor role did not work for me. In my case, I was creating the service account from the IAM page, but it turns out that some things are missing from there, so what you need to do is "generate a private key" in https://console.firebase.google.com/u/0/project/my-project/settings/serviceaccounts/adminsdk

I mean: Settings/Service accounts/Firebase Admin SDK -> Generate Private Key.

Daniel Gomez Rico