使用服务帐户凭据模式的 Firebase 分发 android 应用程序拒绝权限

Question

I'm trying to migrate from Fabric to Firebase since Fabric will not be available beyond March 31, 2020.

I already have done the first steps: adding plugins and dependencies to gradle, adding analytics json file, even crash reporting, and all seems correct because I can see data in the Firebase console (analytics and crashes).

But I'm not so lucky migrating the app distribution system from Beta+Fastlane to Firebase. I'm trying the option " Distribute Android apps to testers using Gradle ". I've already added the plugin and the dependency and it is well added because I can run the gradle task ./gradlew appDistributionUploadMyVariant .

I'm getting the serviceCredentialsFile from the Google Cloud Platform console for the user called firebase-adminsdk (I think this name is given by the Firebase system) for the correct project. The email of the user is something like this firebase-adminsdk-xxx@my_project.iam.gserviceaccount.com , and it is the same as I can see in Firebase console -> Settings -> Service accounts -> Firebase Admin SDK .

I've downloaded the json file with the credentials and gradle can find it because if a put a wrong path-url intentionally for the file it logs a Service credentials file does not exist . The content of this file has the correct values for the client_email and project_id according to what I mentioned some lines above.

But I'm getting a 403 error. I paste some of the info I get if I execute the task ./gradlew appDistributionUploadMyVariant --info (I've hide some private information):

Task ':app:appDistributionUploadMyVariant' is not up-to-date because:
  Task has not declared any outputs despite executing actions.
Found APK at /MyFolder/app/build/outputs/apk/qa/qaType/app-qa-qaType.apk.
Uploading APK to Firebase App Distribution...
Getting appId from output of google services plugin
-------------- REQUEST  --------------
POST https://oauth2.googleapis.com/token
Accept-Encoding: gzip
User-Agent: Google-HTTP-Java-Client/1.28.0 (gzip)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 808

curl -v --compressed -X POST -H 'Accept-Encoding: gzip' -H 'User-Agent: Google-HTTP-Java-Client/1.28.0 (gzip)' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -d '@-' -- 'https://oauth2.googleapis.com/token' << $$$
Total: 808 bytes
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1N(...)
-------------- RESPONSE --------------
HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
Alt-Svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
Cache-Control: private
Server: scaffolding on HTTPServer2
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Vary: Referer
Vary: X-Origin
Vary: Origin
X-XSS-Protection: 0
Date: Fri, 22 Nov 2019 14:47:29 GMT
Content-Type: application/json; charset=utf-8

Total: 207 bytes
{
  "access_token": "access_token_value",
  "expires_in": 3600,
  "token_type": "Bearer"
}
-------------- REQUEST  --------------
GET https://firebaseappdistribution.googleapis.com/v1alpha/apps/appId
Accept-Encoding: gzip
Authorization: <Not Logged>
User-Agent: Firebase App Distro Client/1.2.0
x-app-distro-api-client-id: com.google.firebase
x-app-distro-api-client-type: gradle
x-app-distro-api-client-version: 1.2.0

curl -v --compressed -H 'Accept-Encoding: gzip' -H 'Authorization: <Not Logged>' -H 'User-Agent: Firebase App Distro Client/1.2.0' -H 'x-app-distro-api-client-id: com.google.firebase' -H 'x-app-distro-api-client-type: gradle' -H 'x-app-distro-api-client-version: 1.2.0' -- 'https://firebaseappdistribution.googleapis.com/v1alpha/apps/appId'
-------------- RESPONSE --------------
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
Alt-Svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
Cache-Control: private
Server: ESF
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Vary: Referer
Vary: X-Origin
Vary: Origin
X-XSS-Protection: 0
Date: Fri, 22 Nov 2019 14:47:30 GMT
Content-Type: application/json; charset=UTF-8

Total: 126 bytes
{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

:app:appDistributionUploadMyVariant (Thread[Daemon worker Thread 8,5,main]) completed. Took 1.552 secs.
AAPT2 aapt2-3.4.1-5326820-osx Daemon #0: shutdown

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:appDistributionUploadMyVariant'.
> App Distribution failed to fetch app information: [403] The caller does not have permission

I've also tried to pass the appId value from the gradle file with the same result.

Any idea?

Answer 1

Error “[403] The caller does not have permission.” is caused by a permission issue.

Can you try to follow this on how to create service account and where to download the json, to see if it works?

You are also welcome to reach out to firebase support with more info. :)

Answer 2

Please try running

firebase logout

and then login again (or use a token).

I had the same issue and followed all the other steps mentioned above to no success. However when I ran the firebase appdistribution:distribute --debug foo with the debug flag I noticed I was still logged in to another firebase instance, which seemed to cause the problem.

Answer 3

The role for the service account would be: "Firebase App Distribution Admin SDK Service Agent":

Read and write access to Firebase App Distribution with the Admin SDK

or as individual permissions .