Hi! I need some help in setuping Firebase with Pulumi. It looks like Firebase resources cannot be deployed via normal gcloud authentication. The error message is hinting for using billing/quota_project or service account. Been googling around for this and tried setting quota project explicitly via gcloud but this is not working. I would not want to start using a service account for this if I can avoid it. So, any hints on this would be appreciated! I'm sure this is a solved problem considering Pulumi does have Firebase APIs defined in the first place. The error message I'm getting:

Error when reading or editing FirebaseProject "projects/myproject": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the <http://firebase.googleapis.com|firebase.googleapis.com>. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check <https://cloud.google.com/apis/docs/system-parameters>.

Hi Niklas, the easiest and recommended solution here is to use a service account for interactions with the api's - this isn't a issue on the Pulumi side but a restriction in auth scopes on the Google Cloud side (working as intended). One thing you can try - some services just require you to tack on the additional oauth scopes to your gcloud authentication

gcloud auth application-default login --scopes=<https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/firebase>

may or may not give you what you require.

Cheers! Yeah, I have already figured that this is not a Pulumi issue but I was just looking for information how to tackle this problem since there obviously is a way to do that. Otherwise there would be no Firebase module in Pulumi

Well the solution really is to use a service account - then you can use all the functions in pulumi for interacting with FB 🙂

Yeah. But that is a weird solution

*^ideal solution

From google's side

In an ideal world, infra stacks are brought up by automation rather than end user accounts which can change

Sure. In an ideal world. But not in a team of two 😄

oh believe me it's a pain

I know. But the only thing I can see as a benefit from service account is the fact that then one can push the infrastructure updates into CD

you can use service account impersonation to achieve the transparency https://cloud.google.com/iam/docs/impersonating-service-accounts

Right. Guess I'll take a look at that

give the oauth scopes a try first though - hopefully that gives you what you need!

It didn't "gcloud crashed" 😄

ugh i blame python

Likewise

i have particular views on this topic which i won't go into in here 🤣

I love you already