Upgrading firebase-admin requires additional serviceUsageConsumer permissions #2658

Closed
IchordeDionysos opened this issue Aug 1, 2024 · 11 comments · Fixed by #2761

@IchordeDionysos
Contributor

[REQUIRED] Step 2: Describe your environment

  • Operating System version: Cloud Functions
  • Firebase SDK version: 12.3.0 (upgrading from 12.1.1)
  • Firebase Product: auth
  • Node.js version: 20
  • NPM version: _____

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

When upgrading the package, we suddenly get the following error:

Error: //console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes. Raw server response: "{"error":{"code":403,"message":"Caller does not have required permission to use project some-project. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes.","errors":[{"message":"Caller does not have required permission to use project some-project. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.Help","links":[{"description":"Google developer console IAM admin","url":"https://console.developers.google.com/iam-admin/iam/project?project=some-project"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"USER_PROJECT_DENIED","domain":"googleapis.com","metadata":{"consumer":"projects/simpleclub-stage","service":"identitytoolkit.googleapis.com"}}]}}"
    at FirebaseAuthError.fromServerError (/workspace/node_modules/firebase-admin/lib/utils/error.js:148:16)
    at /workspace/node_modules/firebase-admin/lib/auth/auth-api-request.js:1628:49
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    ...

The service account(s) in question have the following roles (which should be sufficient)?

  • Firebase Authentication Viewer

Relevant Code:

await auth.verifyIdToken(idToken); // this is successful
const user = await auth.getUser(userId); // this is not and fails

@swftvsn

swftvsn commented Aug 6, 2024

We also are affected by this - do we really need to grant the service account this additional right or is this a bug?

@IchordeDionysos
Contributor Author

Mentioning @jonathanedey @lahirumaramba @egilmorez as you were involved in the PR that I believe to be the suspect of the (for us) breaking change (in a minor version upgrade) ☺️

Would be nice to get some investigation started on why this is now a requirement 😌

@nfanta

nfanta commented Aug 6, 2024

We ran into this issue as well, and to narrow it down, we have issues going from 12.1.1 to 12.2.0. I think the issue comes from the changes introduced in #2553

In our case, we have a service account that only has firebaseauth.users.get permissions and it's been working just fine until we tried to update.

@swftvsn

swftvsn commented Aug 6, 2024

> We ran into this issue as well, and to narrow it down, we have issues going from 12.1.1 to 12.2.0. I think the issue comes from the changes introduced in #2553
>
> In our case, we have a service account that only has firebaseauth.users.get permissions and it's been working just fine until we tried to update.

Makes sense, it probably needs additional rights, as the x-goog-user-project header is now sent that previously wasn't, leading to an unmentioned (and not needed, from our point of view) required role.

The PR fixes running as a person, which requires specifying the project that is used for billing (as persons are not billed directly), which requires roles/serviceusage.serviceUsageConsumer.

TL;DR: The perfect implementation would send that header ONLY if ADC is used with a human account.

Seems like this will probably be fixed in #2466, as they mention that #2553 is only a temp fix that will be thrown away when 2466 lands. (Or at that point the role is required anyway as a breaking change.)

Can we get clarification if the role is indeed required eventually anyway so we can add it right away?

@lahirumaramba lahirumaramba self-assigned this Aug 6, 2024
@lahirumaramba
Member

Hey folks, @swftvsn's explanation above is correct! The header x-goog-user-project should have been added only for ADC with a human account. For now, adding the role roles/serviceusage.serviceUsageConsumer would be a reasonable compromise as this issue will be correctly addressed in #2466, which will be included in the upcoming major release planned for next month. Thanks!
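
Added example (not part of the thread and not firebase-admin code): a triage helper that reads the `google.rpc.ErrorInfo` detail in the 403 from the original report, so a denial caused by the quota-project check (`USER_PROJECT_DENIED`) can be told apart from a missing Firebase Auth permission before any role is granted. The function names and the sample message are constructed for illustration; the message layout assumed is the `Raw server response: "..."` form shown in the report.

```javascript
// Added example, not firebase-admin code. SAMPLE_MESSAGE is constructed and
// abbreviated from the shape of the error quoted in the report above.
const MARKER = 'Raw server response: "';
const ERROR_INFO = 'type.googleapis.com/google.rpc.ErrorInfo';

const SAMPLE_MESSAGE = 'Caller does not have required permission. ' + MARKER +
  JSON.stringify({ error: { code: 403, status: 'PERMISSION_DENIED', details: [{
    '@type': ERROR_INFO,
    reason: 'USER_PROJECT_DENIED',
    domain: 'googleapis.com',
    metadata: { consumer: 'projects/some-project',
                service: 'identitytoolkit.googleapis.com' },
  }] } }) + '"';

// Pull the JSON body out of the SDK error message; null if absent or unparseable.
function extractServerResponse(message) {
  const start = message.indexOf(MARKER);
  if (start === -1) return null;
  // Drop the closing quote the SDK appends after the JSON body.
  const raw = message.slice(start + MARKER.length).replace(/"\s*$/, '');
  try {
    return JSON.parse(raw);
  } catch {
    return null;
  }
}

// Classify a denial: quota-project check versus any other permission failure.
function triageDenial(message) {
  const body = extractServerResponse(message);
  const err = body && body.error;
  if (!err || err.status !== 'PERMISSION_DENIED') {
    return { kind: 'not-a-permission-denial' };
  }
  const info = (err.details || []).find((d) => d['@type'] === ERROR_INFO);
  if (info && info.reason === 'USER_PROJECT_DENIED') {
    const md = info.metadata || {};
    // The caller lacks serviceusage.services.use on the consumer project.
    return { kind: 'quota-project-denied',
             consumer: md.consumer || null,
             service: md.service || null };
  }
  return { kind: 'other-permission-denied', reason: info ? info.reason : null };
}

console.log(triageDenial(SAMPLE_MESSAGE));
```
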

@xhuberdeau

Hello, any news about this issue? Has it been solved in a new release? Thanks.

@j1mmie

j1mmie commented Oct 15, 2024

> The header x-goog-user-project should have been added only for ADC with a human account.

@lahirumaramba, could you please clarify: by "should have been", do you mean that the 12.x major releases have a bug where this header is mistakenly added for all accounts (human, service, or otherwise)?

Will this issue only be resolved in the upcoming major release (version 13)?

@stanbar

stanbar commented Oct 30, 2024

I have the same problem. I managed to fix the problem by downgrading firebase-admin to

  "dependencies": {
    "firebase-admin": "^11.11.1",
    "@google-cloud/storage": "^6.9.5",

@lahirumaramba
Member

lahirumaramba commented Nov 7, 2024

Hey folks thank you for your patience on this. Since we completed the credential migration work in #2466 I have submitted #2761 to fix the quota project issue. We will include the fix in the release next week.

@anjerodev

Hi! I’ve noticed that this issue persists with all firebase-admin versions above 12.7.0. The only solution I’ve found so far is to downgrade firebase-admin from version 13.0.x back to 12.7.0.

@lahirumaramba
Member

This issue should be fixed in v13+. Please open a new issue if you are still having problems with the serviceUsageConsumer role. Please provide any logs, errors, or a minimal repro if you can.

@firebase firebase locked as resolved and limited conversation to collaborators Dec 20, 2024