[REQUIRED] Environment details
- OS: macOS
- Node.js version: v20.15.1
firebase-tools version: 13.11.3
[REQUIRED] Test case
When attempting to deploy Cloud Functions to a staging project in a multi-project setup, the Firebase CLI fails with the following error:
Error: We failed to modify the IAM policy for the project. The functions deployment requires specific roles to be granted to service agents, otherwise the deployment will fail.
i functions: You can either re-run this command as a project owner or manually run the following set of gcloud commands:
i functions: gcloud projects add-iam-policy-binding engage-flow-staging --member=serviceAccount: --role=roles/monitoring.metricWriter
i functions: gcloud projects add-iam-policy-binding engage-flow-staging --member=serviceAccount: --role=roles/cloudtrace.agent
i functions: gcloud projects add-iam-policy-binding engage-flow-staging --member=serviceAccount: --role=roles/logging.logWriter
This error occurs because the Firebase CLI is unable to correctly identify the service account required for deployment, and is instead attempting to modify the IAM policy with an invalid, empty service account.
[REQUIRED] Steps to reproduce
- Create a multi-project setup with a
default and dev alias in .firebaserc.
- Attempt to deploy Cloud Functions to the
dev project using firebase deploy --only functions --project dev.
[REQUIRED] Expected behavior
The Firebase CLI should correctly identify the service account and deploy the functions successfully.
[REQUIRED] Actual behavior
The Firebase CLI fails with an "Invalid service account" error.
Troubleshooting Steps Taken
- Enabled all necessary APIs: We have enabled the
compute.googleapis.com, cloudfunctions.googleapis.com, cloudbuild.googleapis.com, artifactregistry.googleapis.com, cloudscheduler.googleapis.com, run.googleapis.com, eventarc.googleapis.com, pubsub.googleapis.com, storage.googleapis.com, and secretmanager.googleapis.com APIs.
- Manually granted all required IAM roles: We have manually granted the
roles/monitoring.metricWriter, roles/cloudtrace.agent, and roles/logging.logWriter roles to the 315566886877-compute@developer.gserviceaccount.com and service-315566886877@serverless-robot-prod.iam.gserviceaccount.com service accounts.
- Updated
firebase-tools: We have updated firebase-tools to the latest version.
- Corrected the
.firebaserc file: We have corrected the .firebaserc file to properly distinguish between the default and dev projects.
- Attempted to force the use of a specific service account: We have attempted to force the use of a specific service account by setting the
GOOGLE_APPLICATION_CREDENTIALS environment variable.
Despite these efforts, the deployment continues to fail with the same error. This strongly suggests a bug in the Firebase CLI itself.
[REQUIRED] Environment details
firebase-toolsversion: 13.11.3[REQUIRED] Test case
When attempting to deploy Cloud Functions to a staging project in a multi-project setup, the Firebase CLI fails with the following error:
This error occurs because the Firebase CLI is unable to correctly identify the service account required for deployment, and is instead attempting to modify the IAM policy with an invalid, empty service account.
[REQUIRED] Steps to reproduce
defaultanddevalias in.firebaserc.devproject usingfirebase deploy --only functions --project dev.[REQUIRED] Expected behavior
The Firebase CLI should correctly identify the service account and deploy the functions successfully.
[REQUIRED] Actual behavior
The Firebase CLI fails with an "Invalid service account" error.
Troubleshooting Steps Taken
compute.googleapis.com,cloudfunctions.googleapis.com,cloudbuild.googleapis.com,artifactregistry.googleapis.com,cloudscheduler.googleapis.com,run.googleapis.com,eventarc.googleapis.com,pubsub.googleapis.com,storage.googleapis.com, andsecretmanager.googleapis.comAPIs.roles/monitoring.metricWriter,roles/cloudtrace.agent, androles/logging.logWriterroles to the315566886877-compute@developer.gserviceaccount.comandservice-315566886877@serverless-robot-prod.iam.gserviceaccount.comservice accounts.firebase-tools: We have updatedfirebase-toolsto the latest version..firebasercfile: We have corrected the.firebasercfile to properly distinguish between thedefaultanddevprojects.GOOGLE_APPLICATION_CREDENTIALSenvironment variable.Despite these efforts, the deployment continues to fail with the same error. This strongly suggests a bug in the Firebase CLI itself.