
Permissions recommended for the Cloud Build service account in the official Google documentation and the Firebase CLI community builder docs are insufficient:

  1. In the permissions table, locate the email ending with @cloudbuild.gserviceaccount.com, and click on the pencil icon.
  2. Add Cloud Build Service Account, Firebase Admin and API Keys Admin roles.

I still get the following error in Cloud Build when I do firebase deploy:

Error: HTTP Error: 403, The caller does not have permission

What I've tried is different Firebase IAM roles, Editor, and Owner. So far only the Owner role works. That is way too much privilege for a Cloud Build service account, and violates the least-privilege model.

Everything is in the same Google Cloud project.

Anyone know how to troubleshoot this? Or know which role/permission is missing?

ahong
  • What specific Firebase services are you deploying? Different permissions are needed depending on which. If Cloud Functions, you also need to add the `Cloud Functions Admin` role. – Michael Bleigh Jul 01 '20 at 18:53
  • So far just Firebase Hosting, but it is good to know for functions we need `Cloud Functions Admin`. I tried adding `Firebase Hosting Admin` and it still does not work (I think `Firebase Admin` covered it anyways). – ahong Jul 03 '20 at 12:08
  • Does this answer your question? [What IAM roles are needed for deploying to Firebase Hosting?](https://stackoverflow.com/questions/48381154/what-iam-roles-are-needed-for-deploying-to-firebase-hosting) – Deniss T. Jul 03 '20 at 15:42
  • @DenisT. unfortunately I don't think it does. I've tried the `Firebase Hosting Admin` role which includes the permissions listed on the site and it still does not work. It's possible Firebase did a release and broke their roles. – ahong Jul 05 '20 at 05:27
  • It seems like there may be an accidental permission expansion happening somewhere. This might be a bug in Firebase Hosting -- can you please [file a bug](https://firebase.google.com/support/troubleshooter/report/bugs) and mention that Michael Bleigh routed you to do so? – Michael Bleigh Jul 06 '20 at 20:23
  • @MichaelBleigh I had already filed a ticket. I just sent a follow up email. – ahong Jul 07 '20 at 04:42

2 Answers


For our project (which uses Firestore, Functions, Hosting, and Storage extensively) here is the list we came up with. Critically I wanted to avoid "Firebase Admin" because I did not want this service account to have access to read/write my Firestore data:

  • Artifact Registry Administrator
  • Cloud Build Service Account
  • Cloud Datastore Index Admin
  • Cloud Functions Admin
  • Cloud RuntimeConfig Admin
  • Cloud Scheduler Admin
  • Firebase Hosting Admin
  • Firebase Rules Admin
  • Pub/Sub Admin
  • Service Account User
Sam Stern
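Added example, not code from the question or either answer: a POSIX sh script that binds the role set listed in this answer to the Cloud Build service account and then reports which of those roles the project policy still lacks, so the result can be audited instead of assumed. The role IDs behind the display names, the PROJECT_ID and PROJECT_NUMBER placeholders, and the PROJECT_NUMBER@cloudbuild.gserviceaccount.com address form are my assumptions; the missing_roles check runs offline, the gcloud calls need an authenticated CLI.

```shell
#!/usr/bin/env sh
# Added example, not code from the question or answers: bind the role set
# from the answer above to the Cloud Build service account, then report which
# of those roles the project policy still lacks. Role IDs, PROJECT_ID and
# PROJECT_NUMBER placeholders, and the service-account address form are assumed.
REQUIRED_ROLES="roles/artifactregistry.admin
roles/cloudbuild.builds.builder
roles/datastore.indexAdmin
roles/cloudfunctions.admin
roles/runtimeconfig.admin
roles/cloudscheduler.admin
roles/firebasehosting.admin
roles/firebaserules.admin
roles/pubsub.admin
roles/iam.serviceAccountUser"

# Print the required roles absent from the granted list read on stdin
# (one role ID per line). Pure text processing, so it runs offline.
missing_roles() {
  granted=$(cat)
  echo "$REQUIRED_ROLES" | while IFS= read -r role; do
    echo "$granted" | grep -qxF "$role" || echo "$role"
  done
}

# Roles currently bound to a member in the project IAM policy, one per line.
granted_roles() { # $1 = project id, $2 = member
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# Bind each required role; re-adding an existing binding is a no-op.
grant_roles() { # $1 = project id, $2 = member
  echo "$REQUIRED_ROLES" | while IFS= read -r role; do
    gcloud projects add-iam-policy-binding "$1" \
      --member="$2" --role="$role" --quiet >/dev/null
  done
}

main() {
  project="${PROJECT_ID:?set PROJECT_ID}"
  member="serviceAccount:${PROJECT_NUMBER:?set PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
  grant_roles "$project" "$member"
  granted_roles "$project" "$member" | missing_roles   # empty output = all bound
}

# Only touch the project when explicitly asked: PROJECT_ID=... PROJECT_NUMBER=... sh grant.sh --apply
case "${1:-}" in --apply) main ;; esac
```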

tl;dr seems like it was "an accidental permission expansion" that has been corrected.

I am able to restrict the roles to:

  1. Cloud Build Service Account
  2. Firebase Admin
  3. API Keys Admin
ahong