6

I'm trying to deploy a Firebase hosted project with a Service Account (that I created myself, not one provided by Google/Firebase as default) via a pipeline (GitLab, but that shouldn't matter for this issue).

When I run the following command locally (same happens in the pipeline):

```
GOOGLE_APPLICATION_CREDENTIALS="/path/to/serviceaccount.json" firebase deploy --only hosting
```

I'm getting the following error:

```
=== Deploying to 'my-firebase-project'...

i  deploying hosting

Error: HTTP Error: 403, The caller does not have permission
```

The --debug does not provide any more details, other than the 403. I've set the following roles to the serviceaccount:

  • Firebase Hosting Admin
  • Firebase Rules Admin
  • API keys viewer

Deploying the rules (using --only firestore) works without issues. I've read the documentation about the roles of Firebase hosting, but assigning these doesn't work either.

Does anyone know which roles I'm missing?

Note: a service account is used here to do a deployment, so any firebase login / firebase logout actions won't have any effect. See Login to firebase using gcloud service account for details.

Frank van Puffelen
Robin Trietsch
  • I've also posted a request with Firebase support. This may be a bug in the `firebase` cli. – Robin Trietsch Jul 09 '20 at 12:28
  • Firebase support said that I should add `Firebase Admin` in order to deploy to Firebase Hosting with a serviceaccount, but that doesn't work either. I'll update here if I get another response from them. – Robin Trietsch Jul 15 '20 at 08:08

2 Answers

0

With the help of Firebase support, I was pointed to the Deploying to Firebase page, which provides an enumeration of all required roles. To sum it up here:

  1. Cloud Build Service Account
  2. Firebase Admin
  3. API Keys Admin

I was missing the first one, which resulted in this error. Hope that this'll help others as well!

Robin Trietsch
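A way to catch this before the pipeline fails, as an added example that is not part of the original answer: the script below audits a project IAM policy (the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints) for the three roles listed above. The role IDs mapped to those role titles, the service account e-mail and the sample policy are assumptions constructed for illustration.

```python
import json

# Assumed role IDs for the three role titles named in the answer above.
REQUIRED_ROLES = {
    "roles/cloudbuild.builds.builder": "Cloud Build Service Account",
    "roles/firebase.admin": "Firebase Admin",
    "roles/serviceusage.apiKeysAdmin": "API Keys Admin",
}

def roles_for_member(policy, member):
    """Return (unconditional, conditional) sets of roles bound to member."""
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            # A binding with an IAM condition may not apply to every request.
            target = conditional if "condition" in binding else unconditional
            target.add(binding["role"])
    return unconditional, conditional

def audit_deploy_roles(policy, sa_email):
    """Compare the roles granted to a service account with REQUIRED_ROLES."""
    granted, conditional = roles_for_member(policy, f"serviceAccount:{sa_email}")
    required = set(REQUIRED_ROLES)
    return {
        "missing": sorted(required - granted),
        "conditional_only": sorted((required & conditional) - granted),
        # Roles beyond the required set: candidates for a least-privilege review.
        "extra": sorted(granted - required),
    }

# Constructed sample: the roles from the question plus Firebase Admin,
# i.e. the state in which hosting deploys still returned 403.
SA = "deployer@my-firebase-project.iam.gserviceaccount.com"  # hypothetical
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/firebasehosting.admin", "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/firebaserules.admin", "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/serviceusage.apiKeysViewer", "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/firebase.admin", "members": ["serviceAccount:%(sa)s", "user:owner@example.com"]}
]}""" % {"sa": SA})

if __name__ == "__main__":
    report = audit_deploy_roles(SAMPLE_POLICY, SA)
    for role in report["missing"]:
        print(f"missing: {REQUIRED_ROLES[role]} ({role})")
    print("extra roles to review:", ", ".join(report["extra"]) or "none")
```
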
-2

You have to add the role at the cluster level using `oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:myproject:default`

Arif Dogan