Service Usage Consumer Role breaks user account access

[rosera]

Environment info

firebase-tools:
firebase cli v13.8.0

Debian v12

Platform:
Google CloudShell
firebase cli v13.8.0 and gcloud SDK v475.0.0

Test case

Testing

Tests were conducted using firebase cli v13.8.0 and gcloud SDK v475.0.0.

• Pass: The service account was able to access the firebase project as the correct permission appears to be available.
• Fail: The user account is unable to access the firebase project. I have provided the error log below.

Steps to reproduce

In testing, I used both a user account (on CloudShell - Debian 12) and a service account (via GCE instance Debian 12).

The test project includes a Firebase project accessed from Google Cloud Shell. The Firebase project features a Firestore database. Logging into the project was successful, however I was unable to access any services e.g.:

• projects:list - see output below:
• set up a firestore rules - same error relating to the service account

Expected behavior

Facing issues when using a user account to access Firebase using the CLI tool. I believe the issue relates to the below PR.

Ref: PR

Both user and service accounts should be able to access the firebase project services when using only the roles/firebase.admin permission.

Actual behavior

When using CloudShell on Google Cloud, where the user account has been given roles/firebase.admin permission. Previously this has been working since the end of 2023 deployment in a lab delivered on the CloudSkillsBoost site.

The internal link for this is b/341023115

After the above some recent changes to Firebase cli, the user account with roles/firebase.admin is no longer able to access Firebase projects using the cli tool. The response indicates an additional service account permission is required (i.e. roles/serviceusage.serviceUsageConsumer).

I believe the relevant change is here: PR.

Error Log

I have the following information from firebase-debug-log:

[debug] [2024-05-22T09:44:10.933Z] ----------------------------------------------------------------------
[debug] [2024-05-22T09:44:10.935Z] Command:       /usr/local/nvm/versions/node/v20.13.0/bin/node /usr/local/nvm/versions/node/v20.13.0/bin/firebase projects:list
[debug] [2024-05-22T09:44:10.936Z] CLI Version:   13.8.0
[debug] [2024-05-22T09:44:10.936Z] Platform:      linux
[debug] [2024-05-22T09:44:10.936Z] Node Version:  v20.13.0
[debug] [2024-05-22T09:44:10.936Z] Time:          Wed May 22 2024 09:44:10 GMT+0000 (Coordinated Universal Time)
[debug] [2024-05-22T09:44:10.936Z] ----------------------------------------------------------------------
[debug]
[debug] [2024-05-22T09:44:10.950Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[debug] [2024-05-22T09:44:10.951Z] > authorizing via signed-in user ([student-02-dc607bdcab12@qwiklabs.net](mailto:student-02-dc607bdcab12@qwiklabs.net))
[debug] [2024-05-22T09:44:10.959Z] >>> [apiv2][query] GET https://firebase.googleapis.com/v1beta1/projects pageSize=1000
[debug] [2024-05-22T09:44:11.336Z] <<< [apiv2][status] GET https://firebase.googleapis.com/v1beta1/projects 403
[debug] [2024-05-22T09:44:11.337Z] <<< [apiv2][body] GET https://firebase.googleapis.com/v1beta1/projects [omitted]
[debug] [2024-05-22T09:44:11.338Z] HTTP Error: 403, Caller does not have required permission to use project qwiklabs-gcp-01-c80f0bc444a8. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=qwiklabs-gcp-01-c80f0bc444a8 and then retry. Propagation of the new permission may take a few minutes.
[debug] [2024-05-22T09:44:11.340Z] FirebaseError: HTTP Error: 403, Caller does not have required permission to use project qwiklabs-gcp-01-c80f0bc444a8. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=qwiklabs-gcp-01-c80f0bc444a8 and then retry. Propagation of the new permission may take a few minutes.
    at responseToError (/usr/local/nvm/versions/node/v20.13.0/lib/node_modules/firebase-tools/lib/responseToError.js:49:12)
    at RetryOperation._fn (/usr/local/nvm/versions/node/v20.13.0/lib/node_modules/firebase-tools/lib/apiv2.js:305:77)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[error]
[error] Error: Failed to list Firebase projects. See firebase-debug.log for more info.

[aalej]

Hey @rosera, sorry to hear you encountered this issue, and thanks for the detailed report. Just to verify, are you setting the environment variable GOOGLE_CLOUD_QUOTA_PROJECT(I think on Google Cloud Shell it’s set by default)? If so, could you try temporarily unsetting the variable before running the firebase commands to see if there would be any changes in the behavior?

I’m trying to replicate this locally, but so far I’m only able to reproduce the issue if GOOGLE_CLOUD_QUOTA_PROJECT is set. Just to note, I’m running this on a macOS instead of the Google Cloud Shell.

[rosera]

Hi @aalej ,

Checking the environment variable GOOGLE_CLOUD_QUOTA_PROJECT it contains the project_id.

Testing

• With GOOGLE_CLOUD_QUOTA_PROJECT value set, the error reported is displayed.
• Removing the GOOGLE_CLOUD_QUOTA_PROJECT value, the projects list is displayed (No error).

I checked the above using the Qwiklabs environment and my personal account and both populate the GOOGLE_CLOUD_QUOTA_PROJECT varible with the project_id by default.

[aalej]

Thanks for verifying @rosera. I’ll raise this to our engineering team to see what we could do to address this issue. I’ll also mark this as reproducible.

[rosera]

@aalej @joehan Are there any updates that can be shared for this issue?

[ricardograca-scratch]

I think I'm having this same issue in GKE when using a service account for the application and a separate one from a different project for a very specific Firebase API call. In that case I also get the same error message:

Caller does not have required permission to use project <redacted>. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=<redacted> and then retry. Propagation of the new permission may take a few minutes.

Granting the roles/serviceusage.serviceUsageConsumer to the application service account on the target project fixed it.

This happened after upgrading firebase-admin from 12.1.1 to 12.3.1.

Found the actual issue, sorry for the spam.

[joehan]

Thanks for digging into the real cause of this @ricardograca-scratch. Making a note here to remind us to update to the next major version of firebase-admin as soon as its available.

[rosera]

I'd like to get some clarity on which release will address this issue. The original comment mentioned the permission roles/serviceusage.serviceUsageConsumer and referenced a related PR.
We're looking to understand the timeline for the release such that the firebase.admin role provides the appropriate permission.

[GiuSantos0]

Hi everyone! Sorry for repeating the response, but I'm adding this comment to make it clearer for those who encountered the same issue.

I faced the issue while trying to create a Cloud Function that adds custom claims to Firebase Auth. The logs were consistently showing this error message:

Caller does not have required permission to use project <project_id>. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=<project_id> and then retry. Propagation of the new permission may take a few minutes. Raw server response: "{"error":{"code":403,"message":"Caller does not have required permission to use project <project_id>. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission."

I spent hours searching for documentation on this issue, but there was no clear guidance on how to resolve it, and no mention of needing to add a specific environment variable.

After trial and error, I found this issue and I managed to fix the issue by adding the following environment variable to my Cloud Function configuration:

GOOGLE_CLOUD_QUOTA_PROJECT=<project_id>
This allowed the function to operate within the correct project quotas and avoid the permission-related errors.

To resolve the issue, you can:

• Go to Google Cloud Console.
• Navigate to Cloud Functions.
• Select the function you're deploying.
• Click in edit
• Add the GOOGLE_CLOUD_QUOTA_PROJECT environment variable with your project ID.
• Test the function again

This was the missing piece for me

Ei@rosera, lamento saber que você encontrou esse problema e obrigado pelo relatório detalhado. Só para verificar, você está definindo a variável de ambiente GOOGLE_CLOUD_QUOTA_PROJECT(acho que no Google Cloud Shell ela é definida por padrão)? Se sim, você poderia tentar temporariamente desconfigurar a variável antes de executar os comandos do firebase para ver se haveria alguma mudança no comportamento?

Estou tentando replicar isso localmente, mas até agora só consigo reproduzir o problema se GOOGLE_CLOUD_QUOTA_PROJECTestiver definido. Só para observar, estou executando isso em um macOS em vez do Google Cloud Shell.