I am trying to install and uninstall extensions in Firebase, but I am getting a permission denied error. After looking at the logs, it appears Firebase is attempting to use a non-existent service account to enable the needed services. The service account in question is <PROJECT_ID>@cloudservices.gserviceaccount.com. This service account doesn’t exist, and I don’t remember ever deleting it. I tried using the service account undelete API call but get a warning that the service account doesn’t exist.
Can I change which service account is used by Firebase to manage extensions? What do I need to do to get this working?
Update: After doing a little more digging, it is the Service Usage API service that is failing.
3
Answers
I was finally able to find the solution to add the missing service account here: https://stackoverflow.com/a/62655297/3088642. The service account must have been inadvertently delete at some point in the past.
The Service Account most likely exists, it’s just not a service account that you can manage directly or have access to: https://cloud.google.com/compute/docs/access/service-accounts#google_apis_service_agent
Firebase Extensions is not using this service account directly, but some other resources that Extensions are trying to provision or depend on do (ex. Deployment Manager, Cloud Build, GCF, etc.).
Typically, this service account must have pretty broad permissions on your project (at least Editor).
One way to resolve this is to go to https://console.cloud.google.com/iam-admin/iam and grant
<PROJECT_ID>@cloudservices.gserviceaccount.comroleEditor.I also had an issue where the default service account didn’t exist. Turns out the issue was trying to deploy firebase functions that used secrets as the first deploy. I commented out this part of my function:
deployed successfully, and then uncommented it and deployed again.