firebase functions:config:get HTTP Error: 403, Permission denied to get service [runtimeconfig.googleapis.com]

[rendomnet]

[REQUIRED] Environment info

11.17.0

firebase-tools:

Windows, Mac

Platform:

[REQUIRED] Test case

firebase functions:config:get | ac .runtimeconfig.json

[REQUIRED] Steps to reproduce

firebase functions:config:get | ac .runtimeconfig.json

[REQUIRED] Expected behavior

runtimeconfig updated

[REQUIRED] Actual behavior

HTTP Error: 403, Permission denied to get service [runtimeconfig.googleapis.com]

[bkendall]

Hi @rendomnet - could you provide the --debug logs? It sounds like however you've authorized the CLI doesn't have permissions to do something (maybe check that the service is enabled) - the debug logs will confirm.

[mothman11]

Hey, I'm also getting a similar "403, Permission denied" error, when I tried to do a 'firebase deploy --only extensions' command
This worked fine before and started after recently upgrading firebase-tools, I downgraded back to 11.16 and it's working again

[google-oss-bot]

Hey @rendomnet. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

[rendomnet]

@bkendall

[2023-01-19T10:40:04.197Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2023-01-19T10:40:04.198Z] > authorizing via signed-in user ([email protected])
[2023-01-19T10:40:04.198Z] [iam] checking project staging for permissions ["firebase.projects.get","runtimeconfig.configs.get","runtimeconfig.configs.list","runtimeconfig.variables.get","runtimeconfig.variables.list"]
[2023-01-19T10:40:04.200Z] >>> [apiv2][query] POST https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions [none]
[2023-01-19T10:40:04.200Z] >>> [apiv2][(partial)header] POST https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions x-goog-quota-user=projects/staging
[2023-01-19T10:40:04.201Z] >>> [apiv2][body] POST https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions {"permissions":["firebase.projects.get","runtimeconfig.configs.get","runtimeconfig.configs.list","runtimeconfig.variables.get","runtimeconfig.variables.list"]}
[2023-01-19T10:40:05.445Z] <<< [apiv2][status] POST https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions 200
[2023-01-19T10:40:05.446Z] <<< [apiv2][body] POST https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions {}
[2023-01-19T10:40:05.446Z] [iam] error while checking permissions, command may fail: FirebaseError: Authorization failed. This account is missing the following required permissions on project staging:

  firebase.projects.get
  runtimeconfig.configs.get
  runtimeconfig.configs.list
  runtimeconfig.variables.get
  runtimeconfig.variables.list
[2023-01-19T10:40:05.447Z] >>> [apiv2][query] GET https://serviceusage.googleapis.com/v1/projects/staging/services/runtimeconfig.googleapis.com [none]
[2023-01-19T10:40:05.447Z] >>> [apiv2][(partial)header] GET https://serviceusage.googleapis.com/v1/projects/staging/services/runtimeconfig.googleapis.com x-goog-quota-user=projects/staging
[2023-01-19T10:40:06.755Z] <<< [apiv2][status] GET https://serviceusage.googleapis.com/v1/projects/staging/services/runtimeconfig.googleapis.com 403
[2023-01-19T10:40:06.755Z] <<< [apiv2][body] GET https://serviceusage.googleapis.com/v1/projects/staging/services/runtimeconfig.googleapis.com [omitted]

Error: HTTP Error: 403, Permission denied to get service [runtimeconfig.googleapis.com]
Help Token: TOKEN
[2023-01-19T10:40:06.757Z] Error Context: {
  "body": {
    "error": {
      "code": 403,
      "message": "Permission denied to get service [runtimeconfig.googleapis.com]\nHelp Token: TOKEN",
      "status": "PERMISSION_DENIED",
      "details": [
        {
          "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
          "violations": [
            {
              "type": "googleapis.com",
              "subject": "?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.get&resource=projects/staging"
            }
          ]
        },
        {
          "@type": "type.googleapis.com/google.rpc.ErrorInfo",
          "reason": "AUTH_PERMISSION_DENIED",
          "domain": "serviceusage.googleapis.com",
          "metadata": {
            "service": "serviceusage.googleapis.com",
            "permission": "serviceusage.services.get",
            "resource": "projects/staging"
          }
        }
      ]
    }
  },
  "response": {
    "statusCode": 403
  }
}

[rendomnet]

also firebase --debug auth:export users.json --format=json

[2023-01-19T10:44:50.059Z] >>> [apiv2][body] POST https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions {"permissions":["firebase.projects.get","firebaseauth.users.get"]}
[2023-01-19T10:44:51.243Z] <<< [apiv2][status] POST https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions 200
[2023-01-19T10:44:51.243Z] <<< [apiv2][body] POST https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions {}
[2023-01-19T10:44:51.244Z] [iam] error while checking permissions, command may fail: FirebaseError: Authorization failed. This account is missing the following required permissions on project staging:

  firebase.projects.get
  firebaseauth.users.get
Exporting accounts to users.json
[2023-01-19T10:44:51.245Z] >>> [apiv2][query] POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/downloadAccount [none]
[2023-01-19T10:44:51.245Z] >>> [apiv2][body] POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/downloadAccount {"targetProjectId":"staging","maxResults":1000}
[2023-01-19T10:44:51.749Z] <<< [apiv2][status] POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/downloadAccount 400
[2023-01-19T10:44:51.749Z] <<< [apiv2][body] POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/downloadAccount [omitted]

Error: HTTP Error: 400, INSUFFICIENT_PERMISSION
[2023-01-19T10:44:51.752Z] Error Context: {
  "body": {
    "error": {
      "code": 400,
      "message": "INSUFFICIENT_PERMISSION",
      "errors": [
        {
          "message": "INSUFFICIENT_PERMISSION",
          "domain": "global",
          "reason": "invalid"
        }
      ]
    }
  },
  "response": {
    "statusCode": 400
  }
}

[taeold]

Sorry I'm asking the obvious question but can you double check to that the account you are using to access these services (i.e. what you firebase login-ed as) have permissions to access them (https://console.cloud.google.com/iam-admin might be a good starting point to look).

[rendomnet]

@taeold my account have this roles: Editor, Owner

[taeold]

@rendomnet Sorry that I can't be more helpful here, but based on the debug log you shared, the issue seems to be that the account that is being used to make the call to GCP API doesn't have permission.

I do notice something odd in your debug - it's saying that you are trying to make request to https://cloudresourcemanager.googleapis.com/v1/projects/staging:testIamPermissions. Is staging name of the GCP/Firebase project? That's a pretty rare name of a project to have, and I wonder if you setup your alias incorrectly.

I'd try running firebase use [YOUR PROJECT NAME] before trying the commands again.

[mothman11]

I'm having a very similar issue - and I also have the correct permissions. Downgrading back to 11.16 made it work fine for me.
Seems like something else is going on here

[taeold]

@mothman11 Do you mind sharing your error log?

[google-oss-bot]

Hey @rendomnet. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

[khevamann]

Same issue here, it was because I was using the wrong alias name for the -P command

[ssxjuan]

error: Permission denied to get service [artifactregistry.googleapis.com]

solution: go to your https://console.cloud.google.com/iam-admin/ and in your project search for the github-action serviceaccount ([email protected]?).
Then set the permission: Artifact Registry Admin.

[google-oss-bot]

Hey @rendomnet. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

[barisx]

I have same problem. After getting owner permission it resolved with latest version.

firebase --version
11.23.1

[google-oss-bot]

Hey @rendomnet. We need more information to resolve this issue but there hasn't been an update in 7 weekdays. I'm marking the issue as stale and if there are no new updates in the next 3 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

[google-oss-bot]

Since there haven't been any recent updates here, I am going to close this issue.

@rendomnet if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.

[Gianluska]

same problem here

[rlunden]

Had the same issue but managed to solve it by adding the role Cloud RuntimeConfig Admin to the service account.

[cloudatlas9]

Adding the permission Artifact Registry Administrator to the extension's service account as pointed out by @ssxjuan worked for me for 403 - Unable to retrieve the repository metadata for...

I think this is new though, the last time I've been deploying an extension manifest to a new project a few weeks ago I didn't have to do this.

[ottob]

I ran into this issue today (I tried both v12.4.6 and v12.3.0).

It fails when I use a project name shortcut like:
firebase functions:config:get -P dev

But it works if I specify the complete project name instead:
firebase functions:config:get -P something-dev

I have not changed our .firebaserc file. This has worked before.

{
  "projects": {
    "dev": "something-dev",
  },

[VVIERV00]

I ran into this issue today (I tried both v12.4.6 and v12.3.0).

It fails when I use a project name shortcut like: firebase functions:config:get -P dev

But it works if I specify the complete project name instead: firebase functions:config:get -P something-dev

I have not changed our .firebaserc file. This has worked before.

{
  "projects": {
    "dev": "something-dev",
  },

Thanks! it worked for me. I have been using Firebase CLI witouth problems until now. I found the cause:
we need to use firebase use something-dev and the problem goes away (or simply use your workarround)