I want to add a Firebase project through the Firebase Management API. For that, I made a project on the Google Cloud Platform console and created a service account with permission as an owner.
I tried to read and create a project through the Google API Explorer for addFirebase and it works. But when I try to do the same through my code, it reads availableProject successfully and gives this output:
{ "projectInfo": [ { "project": "projects/firebase-api-238012", "displayName": "Firebase-Api" } ] }
But when I try to add the project, it gives me this error:
{ "error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED" } }
I don't know why it is not creating the project, or what other permission it needs, or why it allowed me to read the available projects first.
Here is how I am trying to add my project.
jwt.js
```javascript
const { google } = require('googleapis');
const serviceAccountJwt = require('./Firebase-Api-b0e41b85ad44.json');

exports.connect = async () => {
  return new Promise((resolve, reject) => {
    // scope is based on what is needed in our api
    const scope = [
      'https://www.googleapis.com/auth/firebase',
      'https://www.googleapis.com/auth/cloud-platform'
    ];
    // create our client with the service account JWT
    const { client_email, private_key } = serviceAccountJwt;
    const client = new google.auth.JWT(client_email, null, private_key, scope, null);
    // perform authorization and resolve with the client
    return client.authorize((err) => {
      if (err) {
        reject(err);
      } else {
        resolve(client);
      }
    });
  });
};
```
index.js file
```javascript
const { google } = require('googleapis');
const request = require('request');
const { connect } = require('./jwt');

const availableProjects = 'https://firebase.googleapis.com/v1beta1/availableProjects';

async function getAccessToken() {
  let client = await connect();
  let accessToken = await client.getAccessToken();
  let res = await getProjects(accessToken.token);
}

getAccessToken().catch(err => {
  console.log(JSON.stringify(err));
});

// request body sent to projects.addFirebase
const bodys = {
  "timeZone": "America/Los_Angeles",
  "locationId": "asia-south1",
  "regionCode": "US"
};

async function getProjects(accesstoken) {
  let options = {
    url: availableProjects,
    headers: {
      'Authorization': 'Bearer ' + accesstoken,
      'Accept': 'application/json',
      'Content-Type': 'application/json'
    }
  };
  return request(options, async function (err, res) {
    if (err) {
      console.error(err + " error");
    } else {
      // here it gives successful output
      console.log("response");
      console.log(res.body);
      let bodyJson = JSON.parse(res.body);
      let projectName = bodyJson.projectInfo[0].project;
      console.log(projectName);
      await addProject(accesstoken, projectName);
      return res.body;
    }
  });
}

async function addProject(accesstoken, projecctID) {
  // declared with const so it is not an implicit global
  const fbUrl = getAddFBUrl(projecctID);
  let options = {
    url: fbUrl,
    headers: {
      'Authorization': 'Bearer ' + accesstoken,
      'Accept': 'application/json',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(bodys)
  };
  return request.post(options, function (err, res) {
    if (err) {
      console.error(err + " error");
    } else {
      // here the response output is permission denied 403
      console.log("response");
      console.log(res.body);
      console.log(JSON.stringify(res));
      return res.body;
    }
  });
}

// projectId is the full resource name, e.g. "projects/firebase-api-238012"
function getAddFBUrl(projectId) {
  return 'https://firebase.googleapis.com/v1beta1/' + projectId + ':addFirebase';
}
```
I found one similar question to this, but it didn't help me resolve my issue, which is here.
HTTP Error: 403, The caller does not have permission When trying to execute: Have tried asking the owner to upgrade to Blaze plan. Have Cloud Functions enabled in GCP console, Cloud Build, but no luck.
Apparently, if you're NOT the Firebase Owner then you need to have an additional permission added by the Owner as follows: Error: Missing permissions required for functions deploy. You must have permission iam.serviceAccounts.ActAs on service account [email protected].
Caution: These permissions control access to security rules for Cloud Storage and for Cloud Firestore. For permissions that control access to security rules for Firebase Realtime Database, refer to the Realtime Database permissions. For a list and descriptions of Cloud Functions permissions, refer to the IAM documentation.
A role is a collection of permissions. When you assign a role to a member, you grant that member all the permissions that the role contains. This page describes the actions enabled by permissions that you might find listed in a Firebase-supported role. These permissions fall into two categories:
From the Firebase REST reference: Method: projects.addFirebase
To call projects.addFirebase, a member must be an Editor or Owner for the existing GCP Project.
Service accounts cannot call projects.addFirebase.
Update:
To call projects.addFirebase, a project member or service account must have the following permissions (the IAM roles of Editor and Owner contain these permissions): firebase.projects.update, resourcemanager.projects.get, serviceusage.services.enable, and serviceusage.services.get.
https://firebase.google.com/docs/projects/api/reference/rest/v1beta1/projects/addFirebase
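An added example, not part of the original answer: one way to find out which of the four permissions listed above the calling credential lacks is to ask the Cloud Resource Manager v1 `projects.testIamPermissions` method before calling `addFirebase`. The function names are hypothetical, and it assumes an access token with the `cloud-platform` scope (as requested in the question's `jwt.js`) and Node 18+ for the global `fetch`.

```javascript
// Permissions the answer above lists as required for projects.addFirebase.
const REQUIRED_PERMISSIONS = [
  'firebase.projects.update',
  'resourcemanager.projects.get',
  'serviceusage.services.enable',
  'serviceusage.services.get',
];

// projectName is the resource name returned by availableProjects,
// e.g. "projects/firebase-api-238012" (value taken from the question).
function buildTestIamPermissionsRequest(projectName, accessToken) {
  // Reject anything that could change the request path.
  if (!/^projects\/[^\/?#]+$/.test(projectName)) {
    throw new Error('unexpected project name: ' + projectName);
  }
  return {
    url: 'https://cloudresourcemanager.googleapis.com/v1/' +
      projectName + ':testIamPermissions',
    options: {
      method: 'POST',
      headers: {
        Authorization: 'Bearer ' + accessToken,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ permissions: REQUIRED_PERMISSIONS }),
    },
  };
}

// The API echoes back only the permissions the caller holds; an empty
// object means none of them. Return the ones that are missing.
function missingPermissions(responseBody) {
  const granted = new Set((responseBody && responseBody.permissions) || []);
  return REQUIRED_PERMISSIONS.filter((p) => !granted.has(p));
}

// Performs the real call (needs network access).
async function checkAddFirebasePermissions(projectName, accessToken) {
  const { url, options } = buildTestIamPermissionsRequest(projectName, accessToken);
  const res = await fetch(url, options);
  if (!res.ok) {
    throw new Error('testIamPermissions failed: HTTP ' + res.status);
  }
  return missingPermissions(await res.json());
}
```

An empty array from `checkAddFirebasePermissions` means the IAM side is in order, so the 403 has another cause, such as the API not being enabled for the project.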
I'm not sure if my answer will be helpful for the author of this question, but these are the first two things everyone should check when facing a 403 error with Google Cloud APIs.
0) Check configuration with gcloud
1) As mentioned before, the first thing is to check the role of the service account. You usually need Editor/Owner.
https://cloud.google.com/iam/docs/understanding-roles
https://console.cloud.google.com/iam-admin
2) The second one is to check if the API is enabled for the project at all.
Also, when creating a key, check that it is for the correct service account.
For someone who's just getting started like me, this may be helpful. When I set up the database, I chose Start in locked mode instead of Start in test mode. Therefore, I can't read or write :((. For beginners, just set everything in test mode. Hope it's helpful.
https://i.stack.imgur.com/nVxjk.png
Your problem means that your project is not linked with your Firebase account, which means you have to log in with your Firebase account. Then you will have the permission.
cd functions
in your Firebase project directory
firebase login
It'll work.