Open IchordeDionysos opened 1 month ago
We also are affected by this - do we really need to grant the service account this additional right or is this a bug?
Mentioning @jonathanedey @lahirumaramba @egilmorez as you were involved in the PR that I believe to be the suspect of the (for us) breaking change (in a minor version upgrade) ☺️
Would be nice to get some investigation started on why this is now a requirement 😌
We ran into this issue as well, and to narrow it down, we have issues going from 12.1.1 to 12.2.0, I think the issue comes from the changes introduced in #2553
In our case, we have a service account that only has firebaseauth.users.get permissions and it's been working just fine until we tried to update.
Makes sense, it probably needs additional rights as now the x-goog-user-project header is sent that previously wasn't, leading to unmentioned (and not needed, from our point of view) required role.
The PR fixes running as person, which requires to specify the project that is used to take the billing (as persons are not billed directly), which requires roles/serviceusage.serviceUsageConsumer.
TL;DR: The perfect implementation would send that header ONLY if ADC is used with a human account.
Seems like this will probably be fixed in #2466, as they mention that #2553 is only a temp fix that will be thrown away when 2466 lands. (Or at that point the role is required anyway as a breaking change.)
Can we get clarification if the role is indeed required eventually anyway so we can add it right away?
Hey folks, @swftvsn's explanation above is correct! The header x-goog-user-project should have been added only for ADC with a human account. For now, adding the role roles/serviceusage.serviceUsageConsumer would be a reasonable compromise as this issue will be correctly addressed in #2466, which will be included in the upcoming major release planned for next month. Thanks!
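The behaviour agreed on in the comments above (send x-goog-user-project only for ADC with a human account), sketched as an added example that is not part of the thread and is not firebase-admin code. The function names and sample credentials are hypothetical; treating only the ADC type `authorized_user` as a human account, and letting `GOOGLE_CLOUD_QUOTA_PROJECT` override the file's `quota_project_id`, are assumptions of this sketch.

```javascript
// Added example: choose request headers from the parsed ADC credential so
// that a least-privilege service account never triggers the quota-project
// check (and so never needs roles/serviceusage.serviceUsageConsumer).

// Assumption: only gcloud end-user credentials count as a "human account".
const HUMAN_CREDENTIAL_TYPES = new Set(['authorized_user']);

// Assumption: the environment variable takes precedence over the ADC file.
function resolveQuotaProject(adc, env) {
  return env.GOOGLE_CLOUD_QUOTA_PROJECT || adc.quota_project_id || null;
}

function buildAuthHeaders(adc, accessToken, env = {}) {
  const headers = { Authorization: `Bearer ${accessToken}` };

  // Service accounts (and any non-human type): send no quota-project header.
  if (!HUMAN_CREDENTIAL_TYPES.has(adc.type)) {
    return headers;
  }

  // Human account: a project must be named, so fail early when none is set.
  const quotaProject = resolveQuotaProject(adc, env);
  if (!quotaProject) {
    throw new Error('User credentials need a quota project ' +
      '(quota_project_id in the ADC file or GOOGLE_CLOUD_QUOTA_PROJECT).');
  }
  headers['x-goog-user-project'] = quotaProject;
  return headers;
}

// Constructed sample credentials (secrets replaced by placeholders).
const SERVICE_ACCOUNT_ADC = {
  type: 'service_account',
  project_id: 'constructed-project',
  client_email: 'reader@constructed-project.iam.gserviceaccount.com',
};
const USER_ADC = {
  type: 'authorized_user',
  client_id: 'PLACEHOLDER',
  refresh_token: 'PLACEHOLDER',
  quota_project_id: 'constructed-quota-project',
};
```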
[REQUIRED] Step 2: Describe your environment
[REQUIRED] Step 3: Describe the problem
Steps to reproduce:
What happened? How can we make the problem occur? This could be a description, log/console output, etc.
When upgrading the package, we suddenly get the following error:
The service account(s) in question have the following roles (which should be sufficient)?
Relevant Code: