Permission denied fetching Google Analytics data

[hlongvu]

Unable to get template { Error: [AUTHORIZATION_ERROR]: Permission denied fetching Google Analytics data at FirebaseRemoteConfigError.FirebaseError [as constructor] (/Users/longvu/Works/HDC/firebase/node_modules/firebase-admin/lib/utils/error.js:43:28) at FirebaseRemoteConfigError.PrefixedFirebaseError [as constructor] (/Users/longvu/Works/HDC/firebase/node_modules/firebase-admin/lib/utils/error.js:89:28) at new FirebaseRemoteConfigError (/Users/longvu/Works/HDC/firebase/node_modules/firebase-admin/lib/remote-config/remote-config-api-client-internal.js:403:23) at RemoteConfigApiClient.toFirebaseError (/Users/longvu/Works/HDC/firebase/node_modules/firebase-admin/lib/remote-config/remote-config-api-client-internal.js:242:16) at /Users/longvu/Works/HDC/firebase/node_modules/firebase-admin/lib/remote-config/remote-config-api-client-internal.js:87:25 at process._tickCallback (internal/process/next_tick.js:68:7) errorInfo: { code: 'remote-config/permission-denied', message: '[AUTHORIZATION_ERROR]: Permission denied fetching Google Analytics data' }, codePrefix: 'remote-config' }

I run the sample code and encountered this error! Searching in google does not provide any result, look like a new error from the sdk.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[lahirumaramba]

Hi @hlongvu! Thank you for reporting this issue. I am sorry for the trouble, and let me try and help you resolve this.

Do you encounter this error only for getTemplate operations? To better understand the problem, could you please provide a code sample you used to reproduce this error?

We have seen a similar error before with the rollback operation if your Firebase project has Google Analytics enabled. Could you try adding the role Firebase Analytics Viewer to the Service Account of your project?

On the Firebase Console, if you navigate to Settings -> Service accounts you will see a link to Manage service account permissions. Clicking this link will take you to Google Cloud Console where you can add the role Firebase Analytics Viewer to that Service Account.

[hlongvu]

Thanks @lahirumaramba, adding Firebase Analytics Viewer permission resolved this issue.

[amirrezvanibc]

@lahirumaramba I'm having the same issue but seems like I cannot see "Firebase Analytics Viewer" role over in Google Cloud console. This is what I do: in Google Cloud Console >> Service Accounts >> Permissions >> Grant Access, then in Roles section I search for Firebase Analytics Viewer, nothing shows up there. Appreciate any help

[lahirumaramba]

Hi @amirrezvanibc! You are right! It looks like the role does not show up in Service Accounts >> Permissions.

Could you check in IAM >> Permissions instead? You should be able to edit the Firebase service account from there and add a new role for Firebase Analytics Viewer. Let me know if that doesn't work.

[amirrezvanibc]

thanks @lahirumaramba, it worked from IAM >> permissions

[robinryf]

I just had this while trying to access RemoteConfig via the Admin SDK. My access worked for weeks already. But a few hours ago I configured a new RemoteConfig Entry that uses Google Analytics data. After I created the entry I could not access the RemoteConfig via the Admin SDK anymore because of this 403 error.

Adding the permission fixed the problem like so many above.

But IMO this is not a great solution. The "Firebase Analytics Viewer" role should be added to new service accounts created via Firebase. Is there already a bug created for this?

I see this as quite major because imagine this scenario:

You have a well running app and your backend is using the Admin SDK. Now somebody with access to the Firebase Dashboards adds a RemoteConfig Entry that triggers the Admin SDK to require the "Firebase Analytics Viewer" permission. Without changing any code you broke one part of your backend/admin service. To be fair you can also fix the problem without changing any code.

[danasilver]

Hi @robinryf, thanks for reporting the issue and I'm glad you were able to get it resolved by adding permissions in the console. We're tracking the issue internally, and reports like this help add clarity. Thanks!

[dhruvmehtad11]

Hi anyone please help me. I am still getting this issue even after me being the owner of the project. I have also added analytics viewer permission

[dhruvmehtad11]

@lahirumaramba please help me with the issue. I have firebase admin sdk version 8.1.0. I have tried the above solutions but not able to find any success in it.

[lahirumaramba]

Hi @dhruvmehtad11 could you confirm you have added the role Firebase Analytics Viewer to the Service Account you are using? See: https://github.com/firebase/firebase-admin-node/issues/1015#issuecomment-760511489

[pedropedruzzi]

Got the same issue right after adding a remote config condition based on "User Audience(s)". The remote config client worked fine. But the Admin API started failing. Adding the Firebase Analytics Viewer role to the firebase-adminsdk princial in IAM stopped the issue immediately. I don't recall if I had to create that role manually. But it seems like a Firebase bug to not have this handled

[yaohuiwu]

Hi @amirrezvanibc! You are right! It looks like the role does not show up in Service Accounts >> Permissions.

Could you check in IAM >> Permissions instead? You should be able to edit the Firebase service account from there and add a new role for Firebase Analytics Viewer. Let me know if that doesn't work.

Thanks for the information. It helps me a lot! But it's a little weired that Service Accounts >> Permissions has no Firebase Analytics Viewer role. At least they should add a description there to say "You can edit principal roles in IAM > Permissions".