[英]Error: Could not load the default credentials. context: firebase login:ci AND firebase auth:export
Disclaimer: There are lots of similar questions mentioning the same error message but I read many and none of them pertained to my context.免责声明:有很多类似的问题提到了相同的错误消息,但我阅读了很多,但没有一个与我的上下文有关。
I am trying to automate exporting the Firebase Authentication database using the command firebase --debug auth:export
.我正在尝试使用命令
firebase --debug auth:export
自动导出 Firebase 身份验证数据库。 The command executes flawlessly on my local machine.该命令在我的本地机器上完美执行。 But when I try to run it on CI it fails with the following error message:
但是当我尝试在 CI 上运行它时,它会失败并显示以下错误消息:
[2021-04-27T20:48:23.188Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2021-04-27T20:48:26.208Z] Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
at GoogleAuth.getApplicationDefaultAsync (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:160:19)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at runNextTicks (internal/process/task_queues.js:66:3)
at listOnTimeout (internal/timers.js:518:9)
at processTimers (internal/timers.js:492:7)
at async GoogleAuth.getClient (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:502:17)
at async GoogleAuth.getAccessToken (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:524:24)
Error: An unexpected error has occurred.
I am trying to run this command in a Gitlab Scheduled Pipeline using a.gitlab-ci.yml file.我正在尝试使用 .gitlab-ci.yml 文件在Gitlab 计划管道中运行此命令。 For that to work I understand I need to authenticate using the
firebase login:ci
command.为此,我知道我需要使用
firebase login:ci
命令进行身份验证。 I did that and I know the token is valid because other firebase
commands in my.gitlab-ci.yml work, for instance firebase use
and firebase deploy
.我这样做了,我知道令牌是有效的,因为 my.gitlab-ci.yml 中的其他
firebase
命令有效,例如firebase use
和firebase deploy
。
Here is a simplified version of my.gitlab-ci.yml:这是 my.gitlab-ci.yml 的简化版本:
stages:
- stg_backups
jb_auth_backup:
stage: stg_backups
image: devillex/docker-firebase
only:
- schedules
script:
- firebase use --token $MY_CI_FIREBASE_DEPLOY_KEY $MY_FIREBASE_PROJECT
- mkdir backups
- firebase --debug auth:export backups/my-auth-backup.json --format=JSON
artifacts:
paths:
- backups
The environment variables are set correctly asGitlab Project variables .环境变量正确设置为Gitlab Project variables 。
I have tried refreshing my firebase authentication token but that didn't work.我尝试刷新我的 firebase 身份验证令牌,但这没有用。 I have tried reading about the error message in posts like the following, but since they talk about Google Cloud Platform service accounts, I am not sure how or if that's related to firebase authentication tokens.
我曾尝试阅读以下帖子中的错误消息,但由于他们谈论的是 Google Cloud Platform 服务帐户,我不确定这与 firebase 身份验证令牌有何关系或是否相关。
I have also analyzed the permissions assigned to the role my Google user has.我还分析了分配给我的 Google 用户所拥有角色的权限。 My Google user has "Owner" in the IAM.
我的 Google 用户在 IAM 中有“所有者”。 I found another role in the IAM that seems relevant: "Firebase Authentication Admin".
我在 IAM 中找到了另一个似乎相关的角色:“Firebase 身份验证管理员”。 That role has 15 permissions I confirmed "Owner" also has these permissions:
该角色有 15 个权限,我确认“所有者”也有这些权限:
However, the error message says it "requires scopes".但是,错误消息说它“需要范围”。 Are "scopes" and "permissions" different?
“范围”和“权限”是否不同? I haven't seen any documentation about "scopes" in the IAM documentation.
我在 IAM 文档中没有看到任何关于“范围”的文档。 So I'm not sure if I'm looking at the right documentation.
所以我不确定我是否正在查看正确的文档。
Does anyone know how to run firebase --debug auth:export
from Gitlab Scheduled Pipeline ?有谁知道如何运行
firebase --debug auth:export
from Gitlab 计划管道?
As implied by the Firebase CLI reference section "Use the CLI with CI systems" , the --token <token>
should be passed to every firebase
command:正如Firebase CLI 参考部分“将 CLI 与 CI 系统一起使用”所暗示的那样,
--token <token>
传递给每个firebase
命令:
Use this token when running firebase commands.
运行 firebase 命令时使用此令牌。 You can use either of the following two options:
您可以使用以下两个选项之一:
Store the token as the environment variable FIREBASE_TOKEN.
将令牌存储为环境变量 FIREBASE_TOKEN。 Your system will automatically use the token.
您的系统将自动使用该令牌。
Run all firebase commands with the --token flag in your CI system.
在 CI 系统中运行所有带有 --token 标志的 firebase 命令。 The order of precedence for token loading is flag, environment variable, desired Firebase project.
令牌加载的优先顺序是标志、环境变量、所需的 Firebase 项目。
Although --token <token>
is passed to the firebase use
command in the.gitlab-ci.yml script, it is not being passed to the firebase auth:export
command.尽管
--token <token>
在 .gitlab-ci.yml 脚本中被传递给firebase use
命令,但它没有被传递给firebase auth:export
命令。 Don't assume that firebase use
saves not only the active project selection but also the token.不要以为
firebase use
不仅保存了活动项目选择,还保存了令牌。 According to firebase help use
, its only purpose is to "set an active Firebase project for your working directory".根据
firebase help use
,其唯一目的是“为您的工作目录设置一个活动的 Firebase 项目”。 It says nothing about setting an active token.它没有说明设置活动令牌。
I have confirmed the following.gitlab-ci.yml script does, in fact, export the Firebase authentication database successfully:我已经确认以下.gitlab-ci.yml 脚本确实成功导出了Firebase 认证数据库:
stages:
- stg_backups
jb_auth_backup:
stage: stg_backups
image: devillex/docker-firebase
only:
- schedules
script:
- firebase --token $MY_CI_FIREBASE_DEPLOY_KEY use $MY_FIREBASE_PROJECT
- mkdir backups
- firebase --token $MY_CI_FIREBASE_DEPLOY_KEY auth:export backups/my-auth-backup.json --format=JSON
artifacts:
paths:
- backups
Note that the syntax of both the firebase use
and firebase auth:export
commands have been changed from the original.gitlab-ci.yml.请注意,
firebase use
和firebase auth:export
命令的语法已从 original.gitlab-ci.yml 更改。 They now both put the --token <token>
right after the firebase
executable command.他们现在都将
--token <token>
放在firebase
可执行命令之后。 This adheres better to the documented syntax according to firebase help
.这更符合
firebase help
中记录的语法。 There it says the correct syntax is firebase [options] [command]
where --token
is one of the options.那里说正确的语法是
firebase [options] [command]
其中--token
是选项之一。
In fact, it's not even clear whether firebase use --token <my_token> <my_project>
even paid any attention to the token since it's after instead of before the use
command.事实上,甚至不清楚
firebase use --token <my_token> <my_project>
甚至没有注意令牌,因为它在use
命令之后而不是之前。 It's too bad firebase use --token
doesn't just throw an error to let the user know that --token
belongs to the [options]
for firebase
not the [options]
for use
.太糟糕
firebase use --token
不只是抛出一个错误让用户知道--token
属于[options]
for firebase
而不是[options]
for use
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.