
Disclaimer: There are lots of similar questions mentioning the same error message but I read many and none of them pertained to my context.

I am trying to automate exporting the Firebase Authentication database using the command firebase --debug auth:export. The command executes flawlessly on my local machine. But when I try to run it on CI it fails with the following error message:

[2021-04-27T20:48:23.188Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2021-04-27T20:48:26.208Z] Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
    at GoogleAuth.getApplicationDefaultAsync (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:160:19)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at runNextTicks (internal/process/task_queues.js:66:3)
    at listOnTimeout (internal/timers.js:518:9)
    at processTimers (internal/timers.js:492:7)
    at async GoogleAuth.getClient (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:502:17)
    at async GoogleAuth.getAccessToken (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:524:24)
Error: An unexpected error has occurred.

I am trying to run this command in a GitLab Scheduled Pipeline using a .gitlab-ci.yml file. For that to work I understand I need to authenticate using the firebase login:ci command. I did that and I know the token is valid because other firebase commands in my .gitlab-ci.yml work, for instance firebase use and firebase deploy.

Here is a simplified version of my .gitlab-ci.yml:

stages:
  - stg_backups

jb_auth_backup:
  stage: stg_backups
  image: devillex/docker-firebase
  only:
    - schedules
  script:
    - firebase use --token $MY_CI_FIREBASE_DEPLOY_KEY $MY_FIREBASE_PROJECT
    - mkdir backups
    - firebase --debug auth:export backups/my-auth-backup.json --format=JSON
  artifacts:
    paths:
      - backups

The environment variables are set correctly as GitLab Project variables.

I have tried refreshing my firebase authentication token but that didn't work. I have tried reading about the error message in posts like the following, but since they talk about Google Cloud Platform service accounts, I am not sure how or if that's related to firebase authentication tokens.

I have also analyzed the permissions assigned to the role my Google user has. My Google user has "Owner" in the IAM. I found another role in the IAM that seems relevant: "Firebase Authentication Admin". That role has 15 permissions, and I confirmed "Owner" also has these permissions:

  1. firebase.clients.get
  2. firebase.clients.list
  3. firebase.projects.get
  4. firebaseauth.configs.create
  5. firebaseauth.configs.get
  6. firebaseauth.configs.getHashConfig
  7. firebaseauth.configs.update
  8. firebaseauth.users.create
  9. firebaseauth.users.createSession
  10. firebaseauth.users.delete
  11. firebaseauth.users.get
  12. firebaseauth.users.sendEmail
  13. firebaseauth.users.update
  14. resourcemanager.projects.get
  15. resourcemanager.projects.list

However, the error message says it "requires scopes". Are "scopes" and "permissions" different? I haven't seen any documentation about "scopes" in the IAM documentation. So I'm not sure if I'm looking at the right documentation.

Does anyone know how to run firebase --debug auth:export from a GitLab Scheduled Pipeline?

Michael Osofsky

1 Answer


As implied by the Firebase CLI reference section "Use the CLI with CI systems", the --token <token> should be passed to every firebase command:

  1. Use this token when running firebase commands. You can use either of the following two options:

    • Store the token as the environment variable FIREBASE_TOKEN. Your system will automatically use the token.

    • Run all firebase commands with the --token flag in your CI system. The order of precedence for token loading is flag, environment variable, desired Firebase project.

Although --token <token> is passed to the firebase use command in the .gitlab-ci.yml script, it is not being passed to the firebase auth:export command. Don't assume that firebase use saves not only the active project selection but also the token. According to firebase help use, its only purpose is to "set an active Firebase project for your working directory". It says nothing about setting an active token.

I have confirmed the following .gitlab-ci.yml script does, in fact, export the Firebase authentication database successfully:

stages:
  - stg_backups

jb_auth_backup:
  stage: stg_backups
  image: devillex/docker-firebase
  only:
    - schedules
  script:
    - firebase --token $MY_CI_FIREBASE_DEPLOY_KEY use $MY_FIREBASE_PROJECT
    - mkdir backups
    - firebase --token $MY_CI_FIREBASE_DEPLOY_KEY auth:export backups/my-auth-backup.json --format=JSON
  artifacts:
    paths:
      - backups

Note that the syntax of both the firebase use and firebase auth:export commands has been changed from the original .gitlab-ci.yml. They now both put the --token <token> right after the firebase executable command. This adheres better to the documented syntax according to firebase help. There it says the correct syntax is firebase [options] [command] where --token is one of the options.

In fact, it's not even clear whether firebase use --token <my_token> <my_project> even paid any attention to the token since it's after instead of before the use command. It's too bad firebase use --token doesn't just throw an error to let the user know that --token belongs to the [options] for firebase not the [options] for use.

Michael Osofsky
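
A pre-flight check for the failure described in this answer, added here as an example and not part of the original post or of firebase-tools: it flags firebase script lines that carry no --token, or carry it after the command instead of in the firebase [options] [command] position, unless FIREBASE_TOKEN is set. The function names are this example's own, and it assumes one command per script line and treats -P/--project as the only other global option that consumes a value.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes one command per script line.
# classify_firebase_line LINE prints: ok-flag | ok-env | misplaced | missing | not-firebase
classify_firebase_line() {
    # Drop the YAML list marker ("- ") and leading whitespace.
    line=$(printf '%s\n' "$1" | sed -e 's/^[[:space:]]*-\{0,1\}[[:space:]]*//')
    case $line in
        firebase\ *) ;;
        *) echo not-firebase; return 0 ;;
    esac
    seen_cmd=0 skip=0
    set -f; set -- $line; set +f     # split into words without globbing
    shift                            # drop "firebase"
    for word in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $word in
            --token|--token=*)
                # firebase [options] [command]: the flag belongs before the command
                if [ "$seen_cmd" -eq 0 ]; then echo ok-flag; else echo misplaced; fi
                return 0 ;;
            -P|--project) skip=1 ;;      # global option that consumes the next word
            -*) ;;                       # any other option
            *) seen_cmd=1 ;;             # first bare word is taken as the command
        esac
    done
    # No flag at all: acceptable only if the CLI can fall back to FIREBASE_TOKEN.
    if [ -n "${FIREBASE_TOKEN:-}" ]; then echo ok-env; else echo missing; fi
}

# lint_ci_script reads script lines on stdin, reports problems on stderr,
# and prints the number of firebase commands that would run without the token.
lint_ci_script() {
    findings=0
    while IFS= read -r l; do
        verdict=$(classify_firebase_line "$l")
        case $verdict in
            misplaced|missing)
                findings=$((findings + 1))
                printf '%s: %s\n' "$verdict" "$l" >&2 ;;
        esac
    done
    echo "$findings"
}

# Constructed input: the script lines from the question's .gitlab-ci.yml.
lint_ci_script <<'EOF'
    - firebase use --token $MY_CI_FIREBASE_DEPLOY_KEY $MY_FIREBASE_PROJECT
    - mkdir backups
    - firebase --debug auth:export backups/my-auth-backup.json --format=JSON
EOF
```

Run against the corrected script from the answer, the same check reports zero findings, since both firebase lines place --token directly after the executable.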