Skip to content

tolerate missing IAM permissions when provisioning default compute SA#10806

Open
leoortizz wants to merge 3 commits into
mainfrom
leoortizz_apphostingMissingIam
Open

tolerate missing IAM permissions when provisioning default compute SA#10806
leoortizz wants to merge 3 commits into
mainfrom
leoortizz_apphostingMissingIam

Conversation

@leoortizz

Copy link
Copy Markdown
Member

Description

Fixes #8840.

App Hosting deploys attempt to provision the default compute service account (firebase-app-hosting-compute) on every run — creating it and granting it IAM roles. The error handling only tolerated 409 Already Exists on creation and 400 on the role grant. A least-privilege deploy identity (e.g. a CI service account authenticated via GOOGLE_APPLICATION_CREDENTIALS or Workload Identity Federation) that lacks iam.serviceAccounts.create or resourcemanager.projects.setIamPolicy instead receives a 403, which was rethrown and hard-failed the entire deploy — even though the service account already existed and was fully functional.

This change treats a 403 from either call as a warning-and-continue, so deploys from restricted identities are no longer blocked. When the service account already exists (the common case for these users), the warnings are informational and the deploy proceeds normally.

Scenarios Tested

  • Deployed App Hosting from a service account that lacks iam.serviceAccounts.create and resourcemanager.projects.setIamPolicy, against a project where the compute service account already exists:
    • Before: deploy aborted with Permission 'iam.serviceAccounts.create' denied on resource.
    • After: both permission failures log a warning and the deploy continues past provisioning.
  • Verified the warning also fires for the IAM role-granting 403 (setIamPolicy) when creation permission is present but role-granting permission is not.
  • Added unit tests covering both 403 paths (create and role grant); full backend.spec.ts suite passes.

Sample Commands

deploy

App Hosting deploy provisions the default compute service account on
every
run, creating it and granting it IAM roles. The catch blocks only
ignored 409
(create) and 400 (roles), so a least-privilege deploy identity that
lacks
iam.serviceAccounts.create or resourcemanager.projects.setIamPolicy got
a 403
that was rethrown, hard-failing the deploy even when the service account
already existed and worked.
Treat 403 in both catch blocks as a warning-and-continue so deploys from
restricted identities are no longer blocked.
Fixes #8840
@leoortizz
leoortizz requested review from annajowang and bkendall July 16, 2026 21:08
@leoortizz leoortizz self-assigned this Jul 16, 2026
@leoortizz leoortizz added the api: apphosting Issues related to App Hosting label Jul 16, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses an issue where App Hosting deployments failed if the deploying account lacked permissions to create or grant roles to the default compute service account. Instead of throwing an error and failing the deployment, the code now catches 403 (Permission Denied) errors during these steps, logs a warning, and continues. Unit tests have been added to verify this behavior, and the CHANGELOG.md has been updated accordingly. There are no review comments, so I have no feedback to provide.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

api: apphosting Issues related to App Hosting

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Firebase apphosting deployment is looking for none existing service account instead of using provided one

2 participants