
Can't run Firebase Test Lab tests using gcloud and service account: 403, does not have storage.objects.create

I am trying to run instrumented tests using the gcloud CLI as a service account in CircleCI. When I run:

gcloud config set project project-name-12345
gcloud auth activate-service-account firebase-testlab-serviceuser@project-name-12345.iam.gserviceaccount.com --key-file ${HOME}/client-secret.json
gcloud firebase test android run --type instrumentation --app debug-app.apk --test debug-test.apk --device model=Nexus6P,version=27,locale=en,orientation=portrait --environment-variables coverage=true,coverageFile=/sdcard/tmp/code-coverage/connected/coverage.ec --directories-to-pull=/sdcard/tmp --timeout 20m

I get:

ERROR: (gcloud.firebase.test.android.run) Could not copy [debug-app.apk] to [gs://test-lab-xxxxxxxx-yyyyyyyy/2018-01-18_17:14:09.964449_zPAw/] ResponseError 403: firebase-testlab-serviceuser@project-name-12345.iam.gserviceaccount.com does not have storage.objects.create access to bucket test-lab-xxxxxxxx-yyyyyyyy..

Using the API Console ( https://console.cloud.google.com/iam-admin/iam/project ) I've given my service user all the permissions I can think of that would be relevant:

  • Firebase Crash Symbol Uploader
  • Firebase Test Lab Admin
  • Storage Admin
  • Storage Object Admin
  • Storage Object Creator
  • Storage Object Viewer
  • Firebase Rules System

Any help would be greatly appreciated. Thanks.

You should be able to use a service account created in the Google Cloud Console. Did your service account have the required project Editor role? (as noted in this doc: https://firebase.google.com/docs/test-lab/continuous )

After lots of clicking through the Firebase console and the Google Cloud Console, reading SO, asking for help on Slack, and more trial and error than I care to admit, I discovered that the Firebase console has a service account page:

https://console.firebase.google.com/u/0/project/project-name-12345/settings/serviceaccounts/adminsdk

That is different from the service accounts page in the Google Cloud Console:

https://console.cloud.google.com/iam-admin/serviceaccounts/project?project-name-12345

It turns out you want the Firebase service account; you cannot create one via the cloud console. Super, super annoying.

The steps I took to create the key are as follows:
1. Firebase Console https://console.firebase.google.com/
2. Project Settings
3. "Service Accounts" tab
4. Inside "Service Accounts" panel, Firebase Admin SDK
5. At the bottom of "Firebase Admin SDK" panel, "Generate new private key"

This is what Etherton answered:
https://stackoverflow.com/a/48327579/2353939

Even after that, I still had some errors. So, I added a bunch of roles as follows.

Firebase Test Lab Admin
Firebase Service Management Service Agent
Firebase Admin SDK Administrator Service Agent
Service Account Token Creator
Storage Object Creator

That also didn't fix it. So, finally, I applied P. Davis's answer by adding the Editor role to the service account. https://stackoverflow.com/a/48331465/2353939

The steps to add the Editor role are as follows:
1. Go to the Google Cloud Console https://console.cloud.google.com/iam-admin/iam
2. Go into "IAM"
3. Use "client_email" from the json file downloaded from firebase console to find the service account you need to edit
4. Click the "Edit" icon on the right
5. Scroll down and "Add Another Role"
6. Click the input field and type in "Editor" to search
7. Choose the one with subtitle "Edit access to all resource"
8. Save
9. Now you should be able to use it

This is the list of the roles that I put into my service account:

  1. Firebase - Firebase Admin (I think this is overkill. I might update it later.)
  2. Project - Editor
  3. Storage - Storage Object Creator

It does not matter whether you create the service account from Firebase or the Google Cloud Console. As long as you have these roles in your service account, you should be able to run Firebase Test Lab.

For people who stumble upon this and don't want to use the all-powerful Project Editor role, here are the roles I'm using for my service account: Firebase Test Lab Roles

I think the Firebase Analytics Viewer role is not necessary, because it mostly just executes the tests. To view the result we use the developer accounts instead, but haven't tried removing it.

We ran into the same permissions issue with storage.objects.create. We have added all the roles that were mentioned here, except for the Editor role which we wanted to avoid, but it still failed. We were using a Service Account and it definitely had the proper permissions.

In the end our workaround was to set up a cloud storage bucket manually and then use it in the --results-bucket argument for gcloud. See the documentation here. That finally fixed it for us.
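The --results-bucket workaround from the last answer, written out as an added example that is not part of the original posts: it creates a dedicated results bucket, grants the CI service account a role on that bucket only instead of project-wide Editor, and passes the bucket to the test run. The bucket name, the plan/apply switch, and the choice of roles/storage.objectAdmin as a sufficient bucket-level role are assumptions; the project and service account names are the placeholders used in the question.

```shell
#!/usr/bin/env bash
# Added example: dedicated results bucket for Firebase Test Lab runs.
# Usage: ./testlab.sh        -> print the commands (plan, the default)
#        ./testlab.sh apply  -> execute them
MODE="${1:-plan}"

PROJECT="project-name-12345"   # placeholder from the question
SA="firebase-testlab-serviceuser@${PROJECT}.iam.gserviceaccount.com"
BUCKET="${PROJECT}-testlab-results"   # hypothetical bucket name

# Execute the command in apply mode, otherwise only print it.
run() {
  if [ "$MODE" = "apply" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# One-time setup, done by a project admin rather than the CI account.
setup_bucket() {
  run gcloud storage buckets create "gs://${BUCKET}" \
    --project="${PROJECT}" --uniform-bucket-level-access
  # Binding lives on the bucket, not the project: the CI account can
  # write and read objects here and nowhere else.
  # Assumption: objectAdmin on this bucket is enough for uploads/results.
  run gcloud storage buckets add-iam-policy-binding "gs://${BUCKET}" \
    --member="serviceAccount:${SA}" \
    --role="roles/storage.objectAdmin"
}

# CI step: same invocation as in the question, plus --results-bucket.
run_tests() {
  run gcloud firebase test android run --type instrumentation \
    --app debug-app.apk --test debug-test.apk \
    --device model=Nexus6P,version=27,locale=en,orientation=portrait \
    --results-bucket="${BUCKET}" \
    --timeout 20m
}

setup_bucket
run_tests
```

The service account still needs its project-level Test Lab roles; only the storage permission is moved from the project to the one bucket.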
