1

I am trying to install and uninstall extensions in Firebase, but I am getting a permission denied error. After looking at the logs, it appears Firebase is attempting to use a non-existent service account to enable the needed services. The service account in question is <PROJECT_ID>@cloudservices.gserviceaccount.com. This service account doesn't exist, and I don't remember ever deleting it. I tried using the service account undelete API call but get a warning that the service account doesn't exist.

Can I change which service account is used by Firebase to manage extensions? What do I need to do to get this working?

Update: After doing a little more digging, it is the Service Usage API service that is failing.

Frank van Puffelen
Gremash

3 Answers

2

The Service Account most likely exists; it's just not a service account that you can manage directly or have access to: https://cloud.google.com/compute/docs/access/service-accounts#google_apis_service_agent

Firebase Extensions is not using this service account directly, but some other resources that Extensions are trying to provision or depend on do (ex. Deployment Manager, Cloud Build, GCF, etc.).

Typically, this service account must have pretty broad permissions on your project (at least Editor).

One way to resolve this is to go to https://console.cloud.google.com/iam-admin/iam and grant <PROJECT_ID>@cloudservices.gserviceaccount.com the Editor role.

pavelgj
  • No, the service account did not exist. It was the `Service Agent API` that was failing as noted above. So you are correct in that Firebase Extensions was not failing directly. I was finally able to find the solution to recreate the missing service account here: https://stackoverflow.com/a/62655297/3088642. It must have been deleted by someone unintentionally. – Gremash Dec 09 '22 at 17:17
  • Problem with terminology: the service account exists, but the IAM policy binding for that service account in your project doesn't. The referenced solution does exactly what I said, it grants `@cloudservices.gserviceaccount.com` role Editor in your project (i.e. adds an IAM policy binding). – pavelgj Dec 10 '22 at 19:13
  • The service account did not exist in the GCP console. I am using several GCP tools including BigQuery, Identity Platform, PubSub, Compute Engine, etc. I do 90% of admin through GCP console, not Firebase. I created a couple of other service accounts as well. The service account was not listed in IAM or the service accounts list. Does GCP somehow hide service accounts? I found the service account it was trying to use by which service in Stackdriver logging. – Gremash Dec 12 '22 at 17:19
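
The comments under this answer turn on whether the account itself is missing or only its IAM policy binding is. As an added example (not part of the answer or of any Google tooling), this Python sketch reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy --format=json` and reports which case applies; the sample policy, the prefix `123456789012` and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
# Every principal and number below is made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/editor", "members": [
      "deleted:serviceAccount:old-ci@example-proj.iam.gserviceaccount.com?uid=111111111111111111111"]},
    {"role": "roles/viewer", "members": [
      "serviceAccount:123456789012@cloudservices.gserviceaccount.com"]}
  ]
}
""")

AGENT_DOMAIN = "cloudservices.gserviceaccount.com"

def roles_for(policy, email):
    """Return (active_roles, deleted_roles) bound to a service account email."""
    active, deleted = set(), set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            # IAM lists bindings of deleted principals as
            # "deleted:serviceAccount:EMAIL?uid=NNN".
            is_deleted = member.startswith("deleted:")
            bare = member[len("deleted:"):] if is_deleted else member
            kind, _, ident = bare.partition(":")
            ident = ident.split("?uid=", 1)[0]
            if kind == "serviceAccount" and ident.lower() == email.lower():
                (deleted if is_deleted else active).add(binding["role"])
    return sorted(active), sorted(deleted)

def diagnose(policy, account_prefix, wanted_role="roles/editor"):
    """Classify the service agent's binding state in one project policy."""
    # account_prefix is the part before "@" as it appears in your own logs.
    email = f"{account_prefix}@{AGENT_DOMAIN}"
    active, deleted = roles_for(policy, email)
    if wanted_role in active:
        return "ok"
    if active:
        return "bound-without-role"  # has bindings, but not wanted_role
    if deleted:
        return "deleted-principal"   # only a stale binding to a removed account
    return "no-binding"              # the policy does not mention the account

if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY, "123456789012"))
```
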
0

I was finally able to find the solution to add the missing service account here: https://stackoverflow.com/a/62655297/3088642. The service account must have been inadvertently deleted at some point in the past.

Gremash
0

I also had an issue where the default service account didn't exist. Turns out the issue was trying to deploy firebase functions that used secrets as the first deploy. I commented out this part of my function:

runWith({ secrets: ["KEY_NAME"] })

deployed successfully, and then uncommented it and deployed again.

Cameron Ketcham