错误:无法加载默认凭据。 上下文:firebase 登录:ci 和 firebase 身份验证:导出
[英]Error: Could not load the default credentials. context: firebase login:ci AND firebase auth:export
问题描述
Disclaimer: There are lots of similar questions mentioning the same error message but I read many and none of them pertained to my context.
免责声明:有很多类似的问题提到了相同的错误消息,但我阅读了很多,但没有一个与我的上下文有关。
I am trying to automate exporting the Firebase Authentication database using the command firebase --debug auth:export .我正在尝试使用命令firebase --debug auth:export自动导出 Firebase 身份验证数据库。 The command executes flawlessly on my local machine.该命令在我的本地机器上完美执行。 But when I try to run it on CI it fails with the following error message:但是当我尝试在 CI 上运行它时,它会失败并显示以下错误消息:
[2021-04-27T20:48:23.188Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2021-04-27T20:48:26.208Z] Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
at GoogleAuth.getApplicationDefaultAsync (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:160:19)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at runNextTicks (internal/process/task_queues.js:66:3)
at listOnTimeout (internal/timers.js:518:9)
at processTimers (internal/timers.js:492:7)
at async GoogleAuth.getClient (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:502:17)
at async GoogleAuth.getAccessToken (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:524:24)
Error: An unexpected error has occurred.
I am trying to run this command in a Gitlab Scheduled Pipeline using a.gitlab-ci.yml file.我正在尝试使用 .gitlab-ci.yml 文件在Gitlab 计划管道中运行此命令。 For that to work I understand I need to authenticate using the firebase login:ci command.为此,我知道我需要使用firebase login:ci命令进行身份验证。 I did that and I know the token is valid because other firebase commands in my.gitlab-ci.yml work, for instance firebase use and firebase deploy .我这样做了,我知道令牌是有效的,因为 my.gitlab-ci.yml 中的其他firebase命令有效,例如firebase use和firebase deploy 。
Here is a simplified version of my.gitlab-ci.yml:这是 my.gitlab-ci.yml 的简化版本:
stages:
- stg_backups
jb_auth_backup:
stage: stg_backups
image: devillex/docker-firebase
only:
- schedules
script:
- firebase use --token $MY_CI_FIREBASE_DEPLOY_KEY $MY_FIREBASE_PROJECT
- mkdir backups
- firebase --debug auth:export backups/my-auth-backup.json --format=JSON
artifacts:
paths:
- backups
The environment variables are set correctly asGitlab Project variables .环境变量正确设置为Gitlab Project variables 。
I have tried refreshing my firebase authentication token but that didn't work.我尝试刷新我的 firebase 身份验证令牌,但这没有用。 I have tried reading about the error message in posts like the following, but since they talk about Google Cloud Platform service accounts, I am not sure how or if that's related to firebase authentication tokens.我曾尝试阅读以下帖子中的错误消息,但由于他们谈论的是 Google Cloud Platform 服务帐户,我不确定这与 firebase 身份验证令牌有何关系或是否相关。
- Error Error: Could not load the default credentials 错误错误:无法加载默认凭据
- Could not load the default credentials? 无法加载默认凭据? (Node.js Google Compute Engine tutorial) (Node.js 谷歌计算引擎教程)
- Error: Could not load the default credentials (Firebase function to firestore) 错误:无法加载默认凭据(Firebase function 到 Firestore)
I have also analyzed the permissions assigned to the role my Google user has.我还分析了分配给我的 Google 用户所拥有角色的权限。 My Google user has "Owner" in the IAM.我的 Google 用户在 IAM 中有“所有者”。 I found another role in the IAM that seems relevant: "Firebase Authentication Admin".我在 IAM 中找到了另一个似乎相关的角色:“Firebase 身份验证管理员”。 That role has 15 permissions I confirmed "Owner" also has these permissions:该角色有 15 个权限,我确认“所有者”也有这些权限:
- firebase.clients.get firebase.clients.get
- firebase.clients.list firebase.clients.list
- firebase.projects.get firebase.projects.get
- firebaseauth.configs.create firebaseauth.configs.create
- firebaseauth.configs.get firebaseauth.configs.get
- firebaseauth.configs.getHashConfig firebaseauth.configs.getHashConfig
- firebaseauth.configs.update firebaseauth.configs.update
- firebaseauth.users.create firebaseauth.users.create
- firebaseauth.users.createSession firebaseauth.users.createSession
- firebaseauth.users.delete firebaseauth.users.delete
- firebaseauth.users.get firebaseauth.users.get
- firebaseauth.users.sendEmail firebaseauth.users.sendEmail
- firebaseauth.users.update firebaseauth.users.update
- resourcemanager.projects.get资源管理器.projects.get
- resourcemanager.projects.list资源管理器.projects.list
However, the error message says it "requires scopes".但是,错误消息说它“需要范围”。 Are "scopes" and "permissions" different? “范围”和“权限”是否不同? I haven't seen any documentation about "scopes" in the IAM documentation.我在 IAM 文档中没有看到任何关于“范围”的文档。 So I'm not sure if I'm looking at the right documentation.所以我不确定我是否正在查看正确的文档。
Does anyone know how to run firebase --debug auth:export from Gitlab Scheduled Pipeline ?有谁知道如何运行firebase --debug auth:export from Gitlab 计划管道?
1 个解决方案
解决方案1
0 已采纳 2021-04-30 23:46:24
As implied by the Firebase CLI reference section "Use the CLI with CI systems" , the --token <token> should be passed to every firebase command:正如Firebase CLI 参考部分“将 CLI 与 CI 系统一起使用”所暗示的那样, --token <token>传递给每个firebase命令:
Use this token when running firebase commands.
Store the token as the environment variable FIREBASE_TOKEN.
Run all firebase commands with the --token flag in your CI system.
Although --token <token> is passed to the firebase use command in the.gitlab-ci.yml script, it is not being passed to the firebase auth:export command.尽管--token <token>在 .gitlab-ci.yml 脚本中被传递给firebase use命令,但它没有被传递给firebase auth:export命令。 Don't assume that firebase use saves not only the active project selection but also the token.不要以为firebase use不仅保存了活动项目选择,还保存了令牌。 According to firebase help use , its only purpose is to "set an active Firebase project for your working directory".根据firebase help use ,其唯一目的是“为您的工作目录设置一个活动的 Firebase 项目”。 It says nothing about setting an active token.它没有说明设置活动令牌。
I have confirmed the following.gitlab-ci.yml script does, in fact, export the Firebase authentication database successfully:我已经确认以下.gitlab-ci.yml 脚本确实成功导出了Firebase 认证数据库:
stages:
- stg_backups
jb_auth_backup:
stage: stg_backups
image: devillex/docker-firebase
only:
- schedules
script:
- firebase --token $MY_CI_FIREBASE_DEPLOY_KEY use $MY_FIREBASE_PROJECT
- mkdir backups
- firebase --token $MY_CI_FIREBASE_DEPLOY_KEY auth:export backups/my-auth-backup.json --format=JSON
artifacts:
paths:
- backups
Note that the syntax of both the firebase use and firebase auth:export commands have been changed from the original.gitlab-ci.yml.请注意, firebase use和firebase auth:export命令的语法已从 original.gitlab-ci.yml 更改。 They now both put the --token <token> right after the firebase executable command.他们现在都将--token <token>放在firebase可执行命令之后。 This adheres better to the documented syntax according to firebase help .这更符合firebase help中记录的语法。 There it says the correct syntax is firebase [options] [command] where --token is one of the options.那里说正确的语法是firebase [options] [command]其中--token是选项之一。
In fact, it's not even clear whether firebase use --token <my_token> <my_project> even paid any attention to the token since it's after instead of before the use command.事实上,甚至不清楚firebase use --token <my_token> <my_project>甚至没有注意令牌,因为它在use命令之后而不是之前。 It's too bad firebase use --token doesn't just throw an error to let the user know that --token belongs to the [options] for firebase not the [options] for use .太糟糕firebase use --token不只是抛出一个错误让用户知道--token属于[options] for firebase而不是[options] for use 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.