8000 Authenticating with GOOGLE_APPLICATION_CREDENTIALS broken · Issue #8519 · firebase/firebase-tools · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Authenticating with GOOGLE_APPLICATION_CREDENTIALS broken #8519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
axelcarl opened this issue May 8, 2025 · 9 comments · Fixed by #8531
Closed

Authenticating with GOOGLE_APPLICATION_CREDENTIALS broken #8519

axelcarl opened this issue May 8, 2025 · 9 comments · Fixed by #8531
Assignees
@joehan
Labels
api: core type: bug

Comments

@axelcarl
Copy link
axelcarl commented May 8, 2025
edited
Loading

[REQUIRED] Environment info

firebase-tools: 14.3.0

Platform: macOS & linux amd64 (gitlab ci-pipeline)

[REQUIRED] Test case

export GOOGLE_APPLICATION_CREDENTIALS=$<credentials>
firebase use <alias from firebaserc>

[REQUIRED] Steps to reproduce

Export valid credentials within a terminal session, then try to run firebase use.

[REQUIRED] Expected behavior

# Given that the credentials are valid:
Now using alias <alias> (project)

[REQUIRED] Actual behavior

Debug output:

[2025-05-08T15:18:47.133Z] No OAuth tokens found
[2025-05-08T15:18:47.134Z] No OAuth tokens found
[2025-05-08T15:18:47.134Z] > refreshing access token with scopes: []
[2025-05-08T15:18:47.134Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[2025-05-08T15:18:47.134Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[2025-05-08T15:18:47.305Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[2025-05-08T15:18:47.305Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
... logs referencing project...
[2025-05-08T15:18:48.025Z] Got a 401 Unauthenticated error for a call that required authentication. Refreshing tokens.
[2025-05-08T15:18:48.026Z] No OAuth tokens found
[2025-05-08T15:18:48.026Z] No OAuth tokens found
[2025-05-08T15:18:48.026Z] > refreshing access token with scopes: []
[2025-05-08T15:18:48.027Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[2025-05-08T15:18:48.027Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[2025-05-08T15:18:48.074Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[2025-05-08T15:18:48.074Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]

Error: Invalid project selection, please verify project staging exists and you have access.

Confirmed that it works on 14.2.x.
@github-project-automation github-project-automation bot moved this to Needs Acknowledgment in [Cloud] Extensions + Functions May 8, 2025
@aalej aalej added the api: core label May 8, 2025
@joehan joehan self-assigned this May 8, 2025
@joehan
Copy link
Contributor
joehan commented May 8, 2025
edited
Loading

Hey @axelcarl - sorry to heat that your running into issues. I've tried to repro this on my end with a valid service account key, and I'm not seeing the same issues:

firebase use prod --debug
[2025-05-08T17:20:18.915Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2025-05-08T17:20:19.004Z] Running auto auth
[2025-05-08T17:20:19.005Z] No OAuth tokens found
[2025-05-08T17:20:19.006Z] >>> [apiv2][query] GET https://serviceusage.googleapis.com/v1/projects/joehanley-public/services/cloudresourcemanager.googleapis.com [none]
[2025-05-08T17:20:19.006Z] >>> [apiv2][(partial)header] GET https://serviceusage.googleapis.com/v1/projects/joehanley-public/services/cloudresourcemanager.googleapis.com x-goog-quota-user=projects/joehanley-public
[2025-05-08T17:20:19.255Z] <<< [apiv2][status] GET https://serviceusage.googleapis.com/v1/projects/joehanley-public/services/cloudresourcemanager.googleapis.com 200
[2025-05-08T17:20:19.256Z] <<< [apiv2][body] GET https://serviceusage.googleapis.com/v1/projects/joehanley-public/services/cloudresourcemanager.googleapis.com [omitted]
[2025-05-08T17:20:19.256Z] No OAuth tokens found
[2025-05-08T17:20:19.257Z] >>> [apiv2][query] GET https://cloudresourcemanager.googleapis.com/v1/projects/joehanley-public [none]
[2025-05-08T17:20:19.422Z] <<< [apiv2][status] GET https://cloudresourcemanager.googleapis.com/v1/projects/joehanley-public 200
[2025-05-08T17:20:19.424Z] <<< [apiv2][body] GET https://cloudresourcemanager.googleapis.com/v1/projects/joehanley-public REDACTED
Now using alias prod (joehanley-public)

I'm surprised that the 'Running auto auth' log is not appearing in your logs. Are the logs you shared the full logs? If not, could you share the full debug log?

@axelcarl
Copy link
Author
axelcarl commented May 9, 2025

Hey @axelcarl - sorry to heat that your running into issues. I've tried to repro this on my end with a valid service account key, and I'm not seeing the same issues:

firebase use prod --debug
[2025-05-08T17:20:18.915Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2025-05-08T17:20:19.004Z] Running auto auth
[2025-05-08T17:20:19.005Z] No OAuth tokens found
[2025-05-08T17:20:19.006Z] >>> [apiv2][query] GET https://serviceusage.googleapis.com/v1/projects/joehanley-public/services/cloudresourcemanager.googleapis.com [none]
[2025-05-08T17:20:19.006Z] >>> [apiv2][(partial)header] GET https://serviceusage.googleapis.com/v1/projects/joehanley-public/services/cloudresourcemanager.googleapis.com x-goog-quota-user=projects/joehanley-public
[2025-05-08T17:20:19.255Z] <<< [apiv2][status] GET https://serviceusage.googleapis.com/v1/projects/joehanley-public/services/cloudresourcemanager.googleapis.com 200
[2025-05-08T17:20:19.256Z] <<< [apiv2][body] GET https://serviceusage.googleapis.com/v1/projects/joehanley-public/services/cloudresourcemanager.googleapis.com [omitted]
[2025-05-08T17:20:19.256Z] No OAuth tokens found
[2025-05-08T17:20:19.257Z] >>> [apiv2][query] GET https://cloudresourcemanager.googleapis.com/v1/projects/joehanley-public [none]
[2025-05-08T17:20:19.422Z] <<< [apiv2][status] GET https://cloudresourcemanager.googleapis.com/v1/projects/joehanley-public 200
[2025-05-08T17:20:19.424Z] <<< [apiv2][body] GET https://cloudresourcemanager.googleapis.com/v1/projects/joehanley-public REDACTED
Now using alias prod (joehanley-public)

I'm surprised that the 'Running auto auth' log is not appearing in your logs. Are the logs you shared the full logs? If not, could you share the full debug log?

Here's the full debug log:

[2025-05-08T15:18:47.133Z] No OAuth tokens found
[2025-05-08T15:18:47.134Z] No OAuth tokens found
[2025-05-08T15:18:47.134Z] > refreshing access token with scopes: []
[2025-05-08T15:18:47.134Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[2025-05-08T15:18:47.134Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[2025-05-08T15:18:47.305Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[2025-05-08T15:18:47.305Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[2025-05-08T15:18:47.306Z] >>> [apiv2][query] GET https://serviceusage.googleapis.com/v1/projects/<my-project>/services/cloudresourcemanager.googleapis.com [none]
[2025-05-08T15:18:47.306Z] >>> [apiv2][(partial)header] GET https://serviceusage.googleapis.com/v1/projects/<my-project>/services/cloudresourcemanager.googleapis.com x-goog-quota-user=projects/<my-project>
[2025-05-08T15:18:48.025Z] <<< [apiv2][status] GET https://serviceusage.googleapis.com/v1/projects/<my-project>/services/cloudresourcemanager.googleapis.com 401
[2025-05-08T15:18:48.025Z] <<< [apiv2][body] GET https://serviceusage.googleapis.com/v1/projects/<my-project>/services/cloudresourcemanager.googleapis.com [omitted]
[2025-05-08T15:18:48.025Z] Got a 401 Unauthenticated error for a call that required authentication. Refreshing tokens.
[2025-05-08T15:18:48.026Z] No OAuth tokens found
[2025-05-08T15:18:48.026Z] No OAuth tokens found
[2025-05-08T15:18:48.026Z] > refreshing access token with scopes: []
[2025-05-08T15:18:48.027Z] >>> [apiv2][query] POST https://www.googleapis.com/oauth2/v3/token [none]
[2025-05-08T15:18:48.027Z] >>> [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]
[2025-05-08T15:18:48.074Z] <<< [apiv2][status] POST https://www.googleapis.com/oauth2/v3/token 400
[2025-05-08T15:18:48.074Z] <<< [apiv2][body] POST https://www.googleapis.com/oauth2/v3/token [omitted]

Error: Invalid project selection, please verify project staging exists and you have access.

Had to use the --token as im logged in to firebase (and it would therefore work without using that deprecated flag). I am however getting the same error in my ci-pipeline without the --token flag (that's were I found the issue in the first place). Downgrading to 14.2.x fixes the issue in the ci-pipeline and locally.

@MaxStaszkiewicz
Copy link

Please fix this made my IT startup have 5 hour downtime

@thomas-mailmeteor
Copy link

Hello, same here: our CI using the GOOGLE_APPLICATION_CREDENTIALS environment variable started failing when using 14.3.0 with this error.

Error: Invalid project selection, please verify project <project-name> exists and you have access.

Rolling back to 14.2.x fixed the issue.

@aalej
Copy link
Contributor
aalej commented May 9, 2025

Hey folks, apologies for the issue this has caused. We’ve been trying to reproduce this issue but so far we haven't been able to replicate the error.

I’ve tried to replicate the issue both locally and with GitHub Actions, but no errors have been raised. Here’s the mcve, could anyone let me know if I may be missing something here?

I’m getting the following debug logs when running firebase use staging:

2025-05-09T11:09:36.931Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2025-05-09T11:09:37.056Z] <<< [apiv2][status] GET https://firebase-public.firebaseio.com/cli.json 200
[2025-05-09T11:09:37.057Z] <<< [apiv2][body] GET https://firebase-public.firebaseio.com/cli.json ***"cloudBuildErrorAfter":1594252800000,"cloudBuildWarnAfter":1590019200000,"defaultNode10After":1594252800000,"minVersion":"3.0.5","node8DeploysDisabledAfter":1613390400000,"node8RuntimeDisabledAfter":1615809600000,"node8WarnAfter":1600128000000***
[2025-05-09T11:09:42.029Z] Running auto auth
[2025-05-09T11:09:42.030Z] No OAuth tokens found
[2025-05-09T11:09:42.030Z] >>> [apiv2][query] GET https://serviceusage.googleapis.com/v1/projects/tools-8519-staging/services/cloudresourcemanager.googleapis.com [none]
[2025-05-09T11:09:42.030Z] >>> [apiv2][(partial)header] GET https://serviceusage.googleapis.com/v1/projects/tools-8519-staging/services/cloudresourcemanager.googleapis.com x-goog-quota-user=projects/tools-8519-staging
[2025-05-09T11:09:42.307Z] <<< [apiv2][status] GET https://serviceusage.googleapis.com/v1/projects/tools-8519-staging/services/cloudresourcemanager.googleapis.com 200
[2025-05-09T11:09:42.307Z] <<< [apiv2][body] GET https://serviceusage.googleapis.com/v1/projects/tools-8519-staging/services/cloudresourcemanager.googleapis.com [omitted]
[2025-05-09T11:09:42.308Z] No OAuth tokens found
[2025-05-09T11:09:42.308Z] >>> [apiv2][query] GET https://cloudresourcemanager.googleapis.com/v1/projects/tools-8519-staging [none]
[2025-05-09T11:09:42.526Z] <<< [apiv2][status] GET https://cloudresourcemanager.googleapis.com/v1/projects/tools-8519-staging 200
[2025-05-09T11:09:42.526Z] <<< [apiv2][body] GET https://cloudresourcemanager.googleapis.com/v1/projects/tools-8519-staging ***"projectNumber":"783764124803","projectId":"tools-8519-staging","lifecycleState":"ACTIVE","name":"tools-8519-staging","labels":***"firebase":"enabled","firebase-core":"disabled"***,"createTime":"2025-05-09T10:20:05.549306Z"***
Now using alias staging (tools-8519-staging)

The above shows the ‘Running auto auth’ logs, which is similar to what @joehan observed. At the moment, it’s still difficult to determine what exactly is causing the error. Could y'all share your debug logs to help us further investigate?

Could you also share your .firebaserc so we can check how it’s set up. Please omit project IDs before sharing. The file contents should look something like:

{
  "projects": {
    "default": "PROJECT_ID_PROD",
    "staging": "PROJECT_ID_STAGING"
  }
}

@thomas-mailmeteor
Copy link

Hi @aalej, thanks for investigating :)

In your repro you did not use the GOOGLE_APPLICATION_CREDENTIALS environment variable (documented here) but the google-github-actions/auth@v2 Github action to authenticate the commands of firebase-tools.
In our case (and probably other persons having the same issue) we're not using it but specifying the path to our service-account file in GOOGLE_APPLICATION_CREDENTIALS.

I can easily reproduce this locally to compare the behavior of firebase-tools 14.2.2 and 14.3.0.

  • Using 14.2.2
> firebase use <project_id>

Error: Failed to authenticate, have you run firebase login?

> GOOGLE_APPLICATION_CREDENTIALS="service_account.json" firebase use <project_id>
Now using project <project_id>
  • Using 14.3.0
> firebase use <project_id>

Error: Failed to authenticate, have you run firebase login?

> GOOGLE_APPLICATION_CREDENTIALS="service_account.json" firebase use <project_id>

Error: Invalid project selection, please verify project <project_id> exists and you have access.

Having trouble? Try firebase [command] --help

And with the debug logs using 14.2.2

> GOOGLE_APPLICATION_CREDENTIALS="service_account.json" firebase use <project_id> --debug
[2025-05-09T13:30:04.056Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2025-05-09T13:30:04.173Z] Running auto auth
[2025-05-09T13:30:04.174Z] No OAuth tokens found
[2025-05-09T13:30:04.174Z] >>> [apiv2][query] GET https://cloudresourcemanager.googleapis.com/v1/projects/<project_id> [none]
[2025-05-09T13:30:04.949Z] <<< [apiv2][status] GET https://cloudresourcemanager.googleapis.com/v1/projects/<project_id> 200
[2025-05-09T13:30:04.949Z] <<< [apiv2][body] GET https://cloudresourcemanager.googleapis.com/v1/projects/<project_id> {"projectNumber":"<project_number>","projectId":"<project_id>","lifecycleState":"ACTIVE","name":"<project_name>","labels":{"firebase":"enabled"},"createTime":"2018-12-21T10:08:19.520Z","parent":{"type":"organization","id":"<org_id>"}}
Now using project <project_id>

and using 14.3.0

> GOOGLE_APPLICATION_CREDENTIALS="service_account.json" firebase use <project_id> --debug
[2025-05-09T13:28:45.867Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2025-05-09T13:28:45.987Z] Running auto auth
[2025-05-09T13:28:45.988Z] No OAuth tokens found
[2025-05-09T13:28:45.988Z] >>> [apiv2][query] GET https://serviceusage.googleapis.com/v1/projects/<project_id>/services/cloudresourcemanager.googleapis.com [none]
[2025-05-09T13:28:45.988Z] >>> [apiv2][(partial)header] GET https://serviceusage.googleapis.com/v1/projects/<project_id>/services/cloudresourcemanager.googleapis.com x-goog-quota-user=projects/<project_id>
[2025-05-09T13:28:46.793Z] <<< [apiv2][status] GET https://serviceusage.googleapis.com/v1/projects/<project_id>/services/cloudresourcemanager.googleapis.com 403
[2025-05-09T13:28:46.793Z] <<< [apiv2][body] GET https://serviceusage.googleapis.com/v1/projects/<project_id>/services/cloudresourcemanager.googleapis.com [omitted]

Error: Invalid project selection, please verify project <project_id> exists and you have access.

Having trouble? Try firebase [command] --help

And finally our .firebaserc

{
  "projects": {
    "<id1_alias>": "<project_id1>",
    "<id2_alias>": "<project_id2>",
    "default": "<project_id1>"
  }
}

@axelcarl
Copy link
Author
axelcarl commented May 9, 2025
edited
Loading

Hey folks, apologies for the issue this has caused. We’ve been trying to reproduce this issue but so far we haven't been able to replicate the error.

I’ve tried to replicate the issue both locally and with GitHub Actions, but no errors have been raised. Here’s the mcve, could anyone let me know if I may be missing something here?

I’m getting the following debug logs when running firebase use staging:

2025-05-09T11:09:36.931Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2025-05-09T11:09:37.056Z] <<< [apiv2][status] GET https://firebase-public.firebaseio.com/cli.json 200
[2025-05-09T11:09:37.057Z] <<< [apiv2][body] GET https://firebase-public.firebaseio.com/cli.json ***"cloudBuildErrorAfter":1594252800000,"cloudBuildWarnAfter":1590019200000,"defaultNode10After":1594252800000,"minVersion":"3.0.5","node8DeploysDisabledAfter":1613390400000,"node8RuntimeDisabledAfter":1615809600000,"node8WarnAfter":1600128000000***
[2025-05-09T11:09:42.029Z] Running auto auth
[2025-05-09T11:09:42.030Z] No OAuth tokens found
[2025-05-09T11:09:42.030Z] >>> [apiv2][query] GET https://serviceusage.googleapis.com/v1/projects/tools-8519-staging/services/cloudresourcemanager.googleapis.com [none]
[2025-05-09T11:09:42.030Z] >>> [apiv2][(partial)header] GET https://serviceusage.googleapis.com/v1/projects/tools-8519-staging/services/cloudresourcemanager.googleapis.com x-goog-quota-user=projects/tools-8519-staging
[2025-05-09T11:09:42.307Z] <<< [apiv2][status] GET https://serviceusage.googleapis.com/v1/projects/tools-8519-staging/services/cloudresourcemanager.googleapis.com 200
[2025-05-09T11:09:42.307Z] <<< [apiv2][body] GET https://serviceusage.googleapis.com/v1/projects/tools-8519-staging/services/cloudresourcemanager.googleapis.com [omitted]
[2025-05-09T11:09:42.308Z] No OAuth tokens fo
8000
und
[2025-05-09T11:09:42.308Z] >>> [apiv2][query] GET https://cloudresourcemanager.googleapis.com/v1/projects/tools-8519-staging [none]
[2025-05-09T11:09:42.526Z] <<< [apiv2][status] GET https://cloudresourcemanager.googleapis.com/v1/projects/tools-8519-staging 200
[2025-05-09T11:09:42.526Z] <<< [apiv2][body] GET https://cloudresourcemanager.googleapis.com/v1/projects/tools-8519-staging ***"projectNumber":"783764124803","projectId":"tools-8519-staging","lifecycleState":"ACTIVE","name":"tools-8519-staging","labels":***"firebase":"enabled","firebase-core":"disabled"***,"createTime":"2025-05-09T10:20:05.549306Z"***
Now using alias staging (tools-8519-staging)

The above shows the ‘Running auto auth’ logs, which is similar to what @joehan observed. At the moment, it’s still difficult to determine what exactly is causing the error. Could y'all share your debug logs to help us further investigate?

Could you also share your .firebaserc so we can check how it’s set up. Please omit project IDs before sharing. The file contents should look something like:

{
  "projects": {
    "default": "PROJECT_ID_PROD",
    "staging": "PROJECT_ID_STAGING"
  }
}

.firebaserc:

{
  "projects": {
    "default": "PROJECT_ID_STAGING",
    "staging": "PROJECT_ID_STAGING",
    "production": "PROJECT_ID_PROD"
  }
}

.gitlab-ci.yml:

...
- export GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS
- firebase use staging
...

@joehan
Copy link
Contributor
joehan commented May 9, 2025

Ok, I think I found the root cause here - we recently added a check for whether cloudresourcemanager.googleapis.com is enabled before we make calls to it. This check requires the services.get permission (https://cloud.google.com/service-usage/docs/access-control#permissions).

As an immediate workaround, you can gran the Service Usage viewer role to your service account (https://cloud.google.com/service-usage/docs/access-control#serviceusage.serviceUsageViewer). I'll also make a PR shortly to make this enablement check best effort. Apologies for the inconvenience everyone!

@joehan joehan mentioned this issue May 9, 2025
Merged
@github-project-automation github-project-automation bot moved this from Needs Acknowledgment to Done in [Cloud] Extensions + Functions May 9, 2025
@joehan
Copy link
Contributor
joehan commented May 9, 2025

This should be fixed in 14.3.1, which just released.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joehan joehan

Labels
api: core type: bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Accidentally expanded the required permissions for firebase use firebase/firebase-tools
5 participants
@joehan @axelcarl @MaxStaszkiewicz @aalej @thomas-mailmeteor
0