Service Account Permissions for Firebase Deployment

Required Permissions

The service account used for GitHub Actions deployment needs the following IAM roles/permissions:

For Hosting Deployment (Required)

✅ Firebase Hosting Admin or roles/firebasehosting.admin
✅ Firebase Admin or roles/firebase.admin (includes hosting permissions)

For Firestore Rules Deployment (Optional but Recommended)

✅ Firebase Rules Admin or roles/firebaserules.admin
✅ Cloud Datastore User or roles/datastore.user

For Firestore Indexes (Optional)

✅ Cloud Datastore Index Admin or roles/datastore.indexAdmin

Quick Setup

Automated Setup (Recommended)

Use the provided script to automatically grant all required permissions:

bash

cd seedsite
./scripts/setup-service-account-permissions.sh

This script will:

Extract the service account email from ../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json
Authenticate with gcloud using the service account
Grant all required permissions:
- roles/firebasehosting.admin (hosting deployment)
- roles/firebaserules.admin (Firestore rules deployment)
- roles/datastore.user (Firestore operations)

Manual Setup

Option 1: Use Firebase Admin Role (Simplest)

This gives all necessary permissions:

bash

# Extract service account email from JSON file
SERVICE_ACCOUNT_EMAIL=$(grep -o '"client_email": "[^"]*"' ../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json | cut -d'"' -f4)
PROJECT_ID="seed-start-7255a"

# Authenticate
gcloud auth activate-service-account --key-file="../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json"

# Grant Firebase Admin role (includes all Firebase permissions)
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role="roles/firebase.admin"

Option 2: Minimal Permissions (More Secure)

Grant only what's needed:

bash

# Extract service account email
SERVICE_ACCOUNT_EMAIL=$(grep -o '"client_email": "[^"]*"' ../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json | cut -d'"' -f4)
PROJECT_ID="seed-start-7255a"

# Authenticate
gcloud auth activate-service-account --key-file="../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json"

# Hosting (required)
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role="roles/firebasehosting.admin"

# Firestore Rules (optional - for rules deployment)
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role="roles/firebaserules.admin"

# Cloud Datastore User (for Firestore operations)
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role="roles/datastore.user"

Current Workflow Behavior

The GitHub Actions workflows are configured to:

Always deploy hosting - This will succeed if you have hosting permissions
Try to deploy Firestore rules - This will continue even if it fails (won't block deployment)

If rules deployment fails, you can:

Manually deploy rules: firebase deploy --only firestore:rules
Or grant the service account roles/firebaserules.admin permission

Finding Your Service Account

From Local File (Recommended)

bash

# Extract service account email from local JSON file
grep -o '"client_email": "[^"]*"' ../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json | cut -d'"' -f4

From GitHub Secrets

Go to GitHub repo > Settings > Secrets and variables > Actions
Find DEV_FIREBASE_SERVICE_ACCOUNT or PROD_VITE_PUBLIC_SERVICE_ACCOUNT
Copy the JSON content and find the client_email field
That's your service account email

Verifying Permissions

bash

# Check current permissions
gcloud projects get-iam-policy YOUR_PROJECT_ID \
  --flatten="bindings[].members" \
  --filter="bindings.members:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --format="table(bindings.role)"

Troubleshooting

Error: "The caller does not have permission"

Grant roles/firebaserules.admin for rules deployment
Grant roles/firebasehosting.admin for hosting deployment

Error: "datastore.indexes.create" permission missing

This is only needed if you're deploying Firestore indexes
Grant roles/datastore.indexAdmin if needed
Or remove index deployment from workflow

Hosting works but rules fail

This is expected if rules permissions aren't granted
Hosting will still deploy successfully
Rules can be deployed manually or via Firebase Console

Service Account Permissions for Firebase Deployment ​

Required Permissions ​

For Hosting Deployment (Required) ​

For Firestore Rules Deployment (Optional but Recommended) ​

For Firestore Indexes (Optional) ​

Quick Setup ​

Automated Setup (Recommended) ​

Manual Setup ​

Option 1: Use Firebase Admin Role (Simplest) ​

Option 2: Minimal Permissions (More Secure) ​

Current Workflow Behavior ​

Finding Your Service Account ​

From Local File (Recommended) ​

From GitHub Secrets ​

Verifying Permissions ​

Troubleshooting ​

Error: "The caller does not have permission" ​

Error: "datastore.indexes.create" permission missing ​

Hosting works but rules fail ​

Service Account Permissions for Firebase Deployment

Required Permissions

For Hosting Deployment (Required)

For Firestore Rules Deployment (Optional but Recommended)

For Firestore Indexes (Optional)

Quick Setup

Automated Setup (Recommended)

Manual Setup

Option 1: Use Firebase Admin Role (Simplest)

Option 2: Minimal Permissions (More Secure)

Current Workflow Behavior

Finding Your Service Account

From Local File (Recommended)

From GitHub Secrets

Verifying Permissions

Troubleshooting

Error: "The caller does not have permission"

Error: "datastore.indexes.create" permission missing

Hosting works but rules fail