# google-cloud
g
Hi! I need some help in setting up Firebase with Pulumi. It looks like Firebase resources cannot be deployed via normal gcloud authentication. The error message is hinting at using billing/quota_project or a service account. Been googling around for this and tried setting the quota project explicitly via gcloud but this is not working. I would not want to start using a service account for this if I can avoid it. So, any hints on this would be appreciated! I'm sure this is a solved problem considering Pulumi does have Firebase APIs defined in the first place. The error message I'm getting:
Error when reading or editing FirebaseProject "projects/myproject": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the firebase.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
a
Hi Niklas, the easiest and recommended solution here is to use a service account for interactions with the APIs - this isn't an issue on the Pulumi side but a restriction in auth scopes on the Google Cloud side (working as intended). One thing you can try - some services just require you to tack on the additional oauth scopes to your gcloud authentication
gcloud auth application-default login --scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/firebase
may or may not give you what you require.
g
Cheers! Yeah, I have already figured that this is not a Pulumi issue but I was just looking for information how to tackle this problem since there obviously is a way to do that. Otherwise there would be no Firebase module in Pulumi
I appreciate this info, I'll try it out! Just now googling on this problem
a
Well the solution really is to use a service account - then you can use all the functions in pulumi for interacting with FB 🙂
g
Yeah. But that is a weird solution
a
*^ideal solution
g
From google's side
a
In an ideal world, infra stacks are brought up by automation rather than end user accounts which can change
which would be backed by svc accounts
g
Sure. In an ideal world. But not in a team of two 😄
(hopefully this team will grow in the near future but right now)
a
oh believe me it's a pain
but good to set up from the start nice and clean, makes scaling easier
g
I know. But the only thing I can see as a benefit from service account is the fact that then one can push the infrastructure updates into CD
In order to get same level of granularity and security one would have to create a separate service account for every developer
Sharing a joint service account for all devs is just a horrible idea
a
you can use service account impersonation to achieve the transparency https://cloud.google.com/iam/docs/impersonating-service-accounts
oops
g
Right. Guess I'll take a look at that
Sounds a reasonable way to do it
a
give the oauth scopes a try first though - hopefully that gives you what you need!
g
It didn't "gcloud crashed" 😄
It looked promising though
a
ugh i blame python
g
Likewise
Not gonna derail all of this but I still don't understand why python is so popular...
a
i have particular views on this topic which i won't go into in here 🤣
g
I love you already