Add Service Usage Consumer role to GitHub Actions service account

CHANGELOG.md

@@ -1 +1,2 @@
+- Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains (#6895)
 - Release Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a `reset` endpoint for Datastore Mode.

src/gcp/resourceManager.ts

@@ -14,11 +14,12 @@
   functionsDeveloper: "roles/cloudfunctions.developer",
   hostingAdmin: "roles/firebasehosting.admin",
   runViewer: "roles/run.viewer",
+  serviceUsageConsumer: "roles/serviceusage.serviceUsageConsumer",
 };
 
 /**
  * Fetches the IAM Policy of a project.
  * https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy
  *
  * @param projectIdOrNumber the id of the project whose IAM Policy you want to get
  */
@@ -31,7 +32,7 @@
 
 /**
  * Sets the IAM Policy of a project.
  * https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy
  *
  * @param projectIdOrNumber the id of the project for which you want to set a new IAM Policy
  * @param newPolicy the new IAM policy for the project
@@ -53,7 +54,7 @@
 }
 
 /**
  * Update the IAM Policy of a project to include a service account in a role.
  *
  * @param projectId the id of the project whose IAM Policy you want to set
  * @param serviceAccountName the name of the service account
@@ -75,7 +76,7 @@
   // The way the service account name is formatted in the Policy object
   // https://cloud.google.com/iam/docs/reference/rest/v1/Policy
   // serviceAccount:my-project-id@appspot.gserviceaccount.com
   const newMemberName = `serviceAccount:${fullServiceAccountName.split("/").pop()}`;
 
   roles.forEach((roleName) => {
     let bindingIndex = findIndex(
@@ -103,7 +104,7 @@
   return setIamPolicy(projectId, projectPolicy, "bindings");
 }
 
 export async function serviceAccountHasRoles(
   projectId: string,
   serviceAccountName: string,
   roles: string[],
@@ -119,7 +120,7 @@
   // The way the service account name is formatted in the Policy object
   // https://cloud.google.com/iam/docs/reference/rest/v1/Policy
   // serviceAccount:my-project-id@appspot.gserviceaccount.com
   const memberName = `serviceAccount:${fullServiceAccountName.split("/").pop()}`;
 
   for (const roleName of roles) {
     const binding = projectPolicy.bindings.find((b: Binding) => b.role === roleName);

src/init/features/hosting/github.ts

@@ -47,10 +47,10 @@
  * - Writes GitHub workflow yaml configuration files that reference the newly created secret
  *   to configure the Deploy to Firebase Hosting GitHub Action
  *     - https://github.com/marketplace/actions/deploy-to-firebase-hosting
  *     - https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
  *
  * @param setup A helper object provided by the `firebase init` command.
  * @param config Configuration for the project.
  * @param options Command line options.
  */
 export async function initGitHub(setup: Setup): Promise<void> {
@@ -83,10 +83,10 @@
 
   // Get GitHub user Details
   const userDetails = await getGitHubUserDetails(ghAccessToken);
   const ghUserName = userDetails.login;
 
   logger.info();
   logSuccess(`Success! Logged into GitHub as ${bold(ghUserName)}`);
   logger.info();
 
   // Prompt for repo and validate by getting the public key
@@ -611,6 +611,10 @@
     // https://github.com/firebase/firebase-tools/issues/2732
     firebaseRoles.authAdmin,
 
+    // Required to add preview URLs to Auth authorized domains
+    // https://github.com/firebase/firebase-tools/issues/6828
+    firebaseRoles.serviceUsageConsumer,
+
     // Required for CLI deploys
     firebaseRoles.apiKeysViewer,