如何授权 Cloud Build 部署到不同项目中的 Firebase Hosting?
[英]How can I authorize Cloud Build to deploy to Firebase Hosting in a different project?
问题描述
I have GCP project A and Firebase project B (in a separate GCP project).
我有 GCP 项目A和 Firebase 项目B (在单独的 GCP 项目中)。 I'm trying to use Cloud Build in A to build a web app and deploy it to Firebase Hosting in B .我正在尝试使用A中的 Cloud Build 构建一个 web 应用程序并将其部署到B中的 Firebase 托管。
In B 's IAM page, I have granted A 's <id>@cloudbuild.gserviceaccount.com service account the API Keys Admin , Firebase Admin , and Service Account User roles as described in eg this question .在B的 IAM 页面中,我已授予A的<id>@cloudbuild.gserviceaccount.com服务帐户API Keys Admin 、 Firebase Admin和Service Account User角色,如本问题中所述。
The final step in the Cloud Build config used by A is the following: A使用的 Cloud Build 配置中的最后一步如下:
- id: firebase_deploy
name: gcr.io/$PROJECT_ID/firebase
entrypoint: sh
args:
- '-c'
- |
firebase use $_FIREBASE_PROJECT_ID
firebase target:apply hosting prod $_FIREBASE_HOSTING_TARGET
firebase deploy --project=$_FIREBASE_PROJECT_ID --only=hosting,firestore:rules
I set the _FIREBASE_PROJECT_ID substitution variable to B and the _FIREBASE_HOSTING_TARGET variable to a Hosting alias that I use for the site.我将_FIREBASE_PROJECT_ID替换变量设置为B ,将_FIREBASE_HOSTING_TARGET变量设置为我用于站点的托管别名。
When I trigger a build, it fails with the following error:当我触发构建时,它失败并出现以下错误:
...
Step #3 - "firebase_deploy": Error: Invalid project selection, please verify project B exists and you have access.
Step #3 - "firebase_deploy":
Step #3 - "firebase_deploy": Error: Must have an active project to set deploy targets. Try firebase use --add
Step #3 - "firebase_deploy":
Step #3 - "firebase_deploy": Error: Failed to get Firebase project B. Please make sure the project exists and your account has permission to access it.
Finished Step #3 - "firebase_deploy"
I suspect that the problem may be that I'm not running the Firebase CLI's extra login step first.我怀疑问题可能是我没有首先运行 Firebase CLI 的额外登录步骤。 To do that, it seems that I would need to run firebase login:ci locally to generate a token and then pass it via the FIREBASE_TOKEN environment variable as described in the docs , but the permissions associated with the token appear to be much broader than needed:为此,我似乎需要在本地运行firebase login:ci以生成令牌,然后按照文档中所述通过FIREBASE_TOKEN环境变量传递它,但与令牌关联的权限似乎比需要的要广泛得多:
The build process should only have access to Firebase project B , rather than "all my Firebase data and settings" and "my Google Cloud data".构建过程应该只能访问 Firebase 项目B ,而不是“我所有的 Firebase 数据和设置”和“我的谷歌云数据”。
- Is there any way to avoid needing to run
firebase loginhere?有什么办法可以避免在这里运行firebase login吗? It seems like the service account should already have sufficient access to deploy to Firebase Hosting.看起来服务帐户应该已经有足够的访问权限来部署到 Firebase 托管。 - If I need to run
firebase login, is there any way to create a token with a limited scope (assuming that my understanding of the default scope is correct)?如果我需要运行firebase login,有没有办法创建一个限制为 scope 的令牌(假设我对默认 scope 的理解是正确的)?
(I've also given B 's service account the Cloud Functions Developer role in A and am able to successfully run gcloud --project=$_FIREBASE_PROJECT_ID functions deploy... in a different build config. I'm also using a Cloud Build config similar to the one described above to deploy to Firebase Hosting in the same GCP project, so I suspect that firebase login isn't necessary in all cases.) (我还为B的服务帐户授予了A中的Cloud Functions Developer角色,并且能够在不同的构建配置中成功运行gcloud --project=$_FIREBASE_PROJECT_ID functions deploy...我也在使用 Cloud Build配置类似于上述配置以部署到同一 GCP 项目中的 Firebase 托管,因此我怀疑在所有情况下都不需要firebase login 。)
1 个解决方案
解决方案1
1 已采纳 2022-03-31 14:14:29
I found an approach that lets project A 's Cloud Build service account deploy to B without needing excessive permissions.我找到了一种方法,可以让项目A的 Cloud Build 服务帐户部署到B而无需过多的权限。
First, I created a service account named deploy under B and granted it the Firebase Hosting Admin , Firebase Rules Admin , and Cloud Datastore Index Admin roles.首先,我在B下创建了一个名为deploy的服务帐户,并授予它Firebase Hosting Admin 、 Firebase Rules Admin和Cloud Datastore Index Admin角色。 (I'm not sure whether the Datastore role is needed, but the console showed it as being used recently so I left it.) (我不确定是否需要 Datastore 角色,但控制台显示它最近正在使用,所以我离开了它。)
Next, I generated a JSON key for the new service account, pasted it (including newlines and double-quotes) as a substitution variable named _DEPLOY_CREDENTIALS , and updated the build step to copy it to the environment:接下来,我为新服务帐户生成了一个 JSON 密钥,将其粘贴(包括换行符和双引号)作为名为_DEPLOY_CREDENTIALS的替换变量,并更新构建步骤以将其复制到环境中:
- id: firebase_deploy
name: gcr.io/$PROJECT_ID/firebase
entrypoint: bash
args: ['-e', '--', 'build/deploy_hosting.sh']
env:
- DEPLOY_CREDENTIALS=$_DEPLOY_CREDENTIALS
- FIREBASE_PROJECT_ID=$_FIREBASE_PROJECT_ID
- FIREBASE_HOSTING_TARGET=$_FIREBASE_HOSTING_TARGET
In deploy_hosting.sh , I write the credentials to a temporary file and then pass them to the firebase command via the GOOGLE_APPLICATION_CREDENTIALS environment variable:在deploy_hosting.sh中,我将凭据写入一个临时文件,然后通过GOOGLE_APPLICATION_CREDENTIALS环境变量将它们传递给firebase命令:
#!/bin/bash
set -e
CREDS=$(mktemp -t creds.json.XXXXXXXXXX)
printenv DEPLOY_CREDENTIALS >"$CREDS"
export GOOGLE_APPLICATION_CREDENTIALS=$CREDS
firebase --debug use "$FIREBASE_PROJECT_ID"
firebase target:apply hosting prod "$FIREBASE_HOSTING_TARGET"
firebase deploy --project="$FIREBASE_PROJECT_ID" --only=hosting,firestore:rules
I created a separate shell script for the step since I ran into problems with quotes being stripped from the credentials when writing them directly from the build step.我为该步骤创建了一个单独的 shell 脚本,因为我在直接从构建步骤编写时遇到了从凭据中删除引号的问题。 It would likely be possible to store the credentials in Secret Manager instead, but that felt like overkill for my use case.有可能将凭据存储在Secret Manager中,但这对我的用例来说感觉有点过分了。
I'm still curious about whether there's a way to let A 's service account deploy to B without using a service account in B while running the firebase executable.我仍然很好奇是否有办法让A的服务帐户部署到B而无需在运行firebase可执行文件时使用B中的服务帐户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.