I am attempting to authenticate using GOOGLE_APPLICATION_CREDENTIALS using a service account, but I am receiving an error:
Failed to authenticate, have you run Firebase login?
I have referenced these two stack overflow answers which seem to answer my question, but it is still not working in my environment:
I am storing my service account json in an Azure Key Vault. I grab the key vault secret, save it in a json file, export a variable to path to the json file, and then attempt to run a Firebase command which results in authentication error.
See my implementation and output below:
- job: Deployment
displayName: Deployment
pool:
vmImage: macOS-13
steps:
- checkout: self
- <REDACTED-TASKS> ...
- script: |
npm install -g firebase-tools
displayName: 'Install Firebase CLI'
- task: AzureKeyVault@2
displayName: Get GOOGLE_APPLICATION_CREDENTIALS from Azure Key Vault
inputs:
azureSubscription: ${{ parameters.serviceConnection }}
keyVaultName: ${{ parameters.keyVaultName }}
secretsFilter: "firebase-credentials"
- script: |
echo $(firebase-credentials) > $(Pipeline.Workspace)/service-account.json
cat $(Pipeline.Workspace)/service-account.json
export GOOGLE_APPLICATION_CREDENTIALS=$(Pipeline.Workspace)/service-account.json
echo $GOOGLE_APPLICATION_CREDENTIALS
firebase projects:list
firebase appdistribution:distribute "<<REDACTED-PATH>>" --app "<<REDACTED-APP-ID>>" --groups "<<REDACTED-GROUP-NAME>>" --release-notes "<<REDACTED-RELEASE-NOTES"
displayName: 'Distribute to Firebase App Distribution [ANDROID]'
Pipeline output:
{ type: service_account, project_id: REDACTED, private_key_id: REDACTED, private_key: -----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n, client_email: REDACTED, client_id: REDACTED, auth_uri: https://accounts.google.com/o/oauth2/auth, token_uri: https://oauth2.googleapis.com/token, auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs, client_x509_cert_url: REDACTED, universe_domain: googleapis.com }
/Users/runner/work/1/service-account.json
Error: Failed to authenticate, have you run firebase login?
Error: Failed to authenticate, have you run firebase login?
##[error]Bash exited with code '1'.
You can try like as below:
Follow the similar steps mentioned here to generate and download the JSON file from Firebase console.
Instead of storing the content of this JSON file to Azure Key Vault secret (or as a secret variable in the pipeline), I recommend you directly upload the original JSON file to Secure files on Azure DevOps. Before uploading the JSON file, you can rename it with a custom name if you prefer, but do not make any changes to its content if possible.
In the pipeline:
<taskName>.secureFilePath
) that the value is the path of the downloaded JSON file.env
key to set the path of the downloaded JSON file as the value of the environment variable GOOGLE_APPLICATION_CREDENTIALS
.See below example as reference.
steps:
- task: DownloadSecureFile@1
name: FirebaseCert
displayName: 'Download Secure File'
inputs:
secureFile: 'Google-Firebase-credentials.json'
- script: |
echo "secureFilePath = $(FirebaseCert.secureFilePath)"
echo "GOOGLE_APPLICATION_CREDENTIALS = $GOOGLE_APPLICATION_CREDENTIALS"
env:
GOOGLE_APPLICATION_CREDENTIALS: $(FirebaseCert.secureFilePath)
displayName: 'Show File Path'
Your original method need to pass the JSON content on the command line to create a JSON file, it might cause the JSON content be exposed in the output logs of the script task. Since the JSON content contains the credentials which are privacy/secret information, exposing the content in the output logs could have security risk.
With the method I shared above, you can avoid the security risk as possible. It is also strongly recommended that never echo privacy/secret information as output, and never pass privacy/secret information on the command line.
In the script task, when you use the command line to read and write the JSON content to a JSON file, it might save the JSON file with a different encoding from the original JSON file which was generated and downloaded from Firebase console. Sometimes, the inconsistent encoding could cause unexpected error when using the JSON file.
With the method I shared above, it can keep the encoding of the JSON file to be consistent as possible.