Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrading firebase-admin requires additional serviceUsageConsumer permissions #2658

Open
IchordeDionysos opened this issue Aug 1, 2024 · 5 comments
Open

Upgrading firebase-admin requires additional serviceUsageConsumer permissions #2658

IchordeDionysos opened this issue Aug 1, 2024 · 5 comments
Assignees
@lahirumaramba
Labels
api: core

Comments

@IchordeDionysos
Copy link
Contributor

[REQUIRED] Step 2: Describe your environment

  • Operating System version: Cloud Functions
  • Firebase SDK version: 12.3.0 (upgrading from 12.1.1)
  • Firebase Product: auth
  • Node.js version: 20
  • NPM version: _____

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

What happened? How can we make the problem occur?
This could be a description, log/console output, etc.

When upgrading the package, we suddenly get the following error:

Error: //console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes. Raw server response: "{"error":{"code":403,"message":"Caller does not have required permission to use project some-project. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes.","errors":[{"message":"Caller does not have required permission to use project some-project. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.Help","links":[{"description":"Google developer console IAM admin","url":"https://console.developers.google.com/iam-admin/iam/project?project=some-project"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"USER_PROJECT_DENIED","domain":"googleapis.com","metadata":{"consumer":"projects/simpleclub-stage","service":"identitytoolkit.googleapis.com"}}]}}"
    at FirebaseAuthError.fromServerError (/workspace/node_modules/firebase-admin/lib/utils/error.js:148:16)
    at /workspace/node_modules/firebase-admin/lib/auth/auth-api-request.js:1628:49
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    ...

The service account(s) in question have the following roles (which should be sufficient)?

  • Firebase Authentication Viewer

Relevant Code:

await auth.verifyIdToken(idToken); // this is successful
const user = await auth.getUser(userId); // this is not and fails
@swftvsn
Copy link

swftvsn commented Aug 6, 2024

We also are affected by this - do we really need to grant the service account this additional right or is this a bug?

@IchordeDionysos
Copy link
Contributor Author

Mentioning @jonathanedey @lahirumaramba @egilmorez as you were involved in the PR that I believe to be the suspect of the (for us) breaking change (in a minor version upgrade) ☺️

Would be nice to get some investigation started on why this is now a requirement 😌

@nfanta
Copy link

nfanta commented Aug 6, 2024

We ran into this issue as well, and to narrow it down, we have issues going from 12.1.1 to 12.2.0, I think the issue comes from the changes introduced in #2553

In our case, we have a service account that only have firebaseauth.users.get permissions and it's been working just fine until we tried to update.

@swftvsn
Copy link

swftvsn commented Aug 6, 2024

We ran into this issue as well, and to narrow it down, we have issues going from 12.1.1 to 12.2.0, I think the issue comes from the changes introduced in #2553

In our case, we have a service account that only have firebaseauth.users.get permissions and it's been working just fine until we tried to update.

Makes sense, it probably needs additional rights as now the x-goog-user-project header is sent that previosly wasn't leading to unmentioned (and not needed, from our point of view) required role.

The PR fixes running as person, which requires to specify the project that is used to take the billing (as persons are not billed directly), which requires roles/serviceusage.serviceUsageConsumer.

TL;DR: The perfect implementation would send that header ONLY if ADC is used with a human account.

Seems like this will probably be fixed in #2466, as they mention that #2553 is only a temp fix that will be thrown away when 2466 lands. (Or at that point the role is required anyway as a breaking change.)

Can we get clarification if the role is indeed required eventually anyway so we can add it right away?

@lahirumaramba lahirumaramba self-assigned this Aug 6, 2024
@lahirumaramba
Copy link
Member

Hey folks, @swftvsn's explanation above is correct! The header x-goog-user-project should have been added only for ADC with a human account. For now, adding the role roles/serviceusage.serviceUsageConsumer would be a reasonable compromise as this issue will be correctly addressed in #2466, which will be included in the upcoming major release planned for next month. Thanks!

Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lahirumaramba lahirumaramba

Labels
api: core
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@lahirumaramba @IchordeDionysos @nfanta @swftvsn @google-oss-bot