Upgrading firebase-admin requires additional serviceUsageConsumer permissions

[IchordeDionysos]

[REQUIRED] Step 2: Describe your environment

• Operating System version: Cloud Functions
• Firebase SDK version: 12.3.0 (upgrading from 12.1.1)
• Firebase Product: auth
• Node.js version: 20
• NPM version: _____

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

What happened? How can we make the problem occur? This could be a description, log/console output, etc.

When upgrading the package, we suddenly get the following error:

Error: //console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes. Raw server response: "{"error":{"code":403,"message":"Caller does not have required permission to use project some-project. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes.","errors":[{"message":"Caller does not have required permission to use project some-project. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=some-project and then retry. Propagation of the new permission may take a few minutes.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.Help","links":[{"description":"Google developer console IAM admin","url":"https://console.developers.google.com/iam-admin/iam/project?project=some-project"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"USER_PROJECT_DENIED","domain":"googleapis.com","metadata":{"consumer":"projects/simpleclub-stage","service":"identitytoolkit.googleapis.com"}}]}}"
    at FirebaseAuthError.fromServerError (/workspace/node_modules/firebase-admin/lib/utils/error.js:148:16)
    at /workspace/node_modules/firebase-admin/lib/auth/auth-api-request.js:1628:49
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    ...

The service account(s) in question have the following roles (which should be sufficient)?

• Firebase Authentication Viewer

Relevant Code:

await auth.verifyIdToken(idToken); // this is successful
const user = await auth.getUser(userId); // this is not and fails

[swftvsn]

We also are affected by this - do we really need to grant the service account this additional right or is this a bug?

[IchordeDionysos]

Mentioning @jonathanedey @lahirumaramba @egilmorez as you were involved in the PR that I believe to be the suspect of the (for us) breaking change (in a minor version upgrade) ☺️

Would be nice to get some investigation started on why this is now a requirement 😌

[nfanta]

We ran into this issue as well, and to narrow it down, we have issues going from 12.1.1 to 12.2.0, I think the issue comes from the changes introduced in #2553

In our case, we have a service account that only have firebaseauth.users.get permissions and it's been working just fine until we tried to update.

[swftvsn]

We ran into this issue as well, and to narrow it down, we have issues going from 12.1.1 to 12.2.0, I think the issue comes from the changes introduced in #2553

In our case, we have a service account that only have firebaseauth.users.get permissions and it's been working just fine until we tried to update.

Makes sense, it probably needs additional rights as now the x-goog-user-project header is sent that previosly wasn't leading to unmentioned (and not needed, from our point of view) required role.

The PR fixes running as person, which requires to specify the project that is used to take the billing (as persons are not billed directly), which requires roles/serviceusage.serviceUsageConsumer.

TL;DR: The perfect implementation would send that header ONLY if ADC is used with a human account.

Seems like this will probably be fixed in #2466, as they mention that #2553 is only a temp fix that will be thrown away when 2466 lands. (Or at that point the role is required anyway as a breaking change.)

Can we get clarification if the role is indeed required eventually anyway so we can add it right away?

[lahirumaramba]

Hey folks, @swftvsn's explanation above is correct! The header x-goog-user-project should have been added only for ADC with a human account. For now, adding the role roles/serviceusage.serviceUsageConsumer would be a reasonable compromise as this issue will be correctly addressed in #2466, which will be included in the upcoming major release planned for next month. Thanks!