How to authenticate Firebase using GOOGLE_APPLICATION_CREDENTIALS in Azure pipelines
I am attempting to authenticate using GOOGLE_APPLICATION_CREDENTIALS using a service account, but I am receiving an error:
Failed to authenticate, have you run Firebase login?
I have referenced these two stack overflow answers which seem to answer my question, but it is still not working in my environment:
- How to use the GOOGLE_APPLICATION_CREDENTIALS in an Azure Pipeline to publish on firebase?
- Firebase App Distribution Login to firebase using gcloud service account on azure
I am storing my service account json in an Azure Key Vault. I grab the key vault secret, save it in a json file, export a variable to path to the json file, and then attempt to run a Firebase command which results in authentication error.
See my implementation and output below:
- job: Deployment
displayName: Deployment
pool:
vmImage: macOS-13
steps:
- checkout: self
- <REDACTED-TASKS> ...
- script: |
npm install -g firebase-tools
displayName: 'Install Firebase CLI'
- task: AzureKeyVault@2
displayName: Get GOOGLE_APPLICATION_CREDENTIALS from Azure Key Vault
inputs:
azureSubscription: ${{ parameters.serviceConnection }}
keyVaultName: ${{ parameters.keyVaultName }}
secretsFilter: "firebase-credentials"
- script: |
echo $(firebase-credentials) > $(Pipeline.Workspace)/service-account.json
cat $(Pipeline.Workspace)/service-account.json
export GOOGLE_APPLICATION_CREDENTIALS=$(Pipeline.Workspace)/service-account.json
echo $GOOGLE_APPLICATION_CREDENTIALS
firebase projects:list
firebase appdistribution:distribute "<<REDACTED-PATH>>" --app "<<REDACTED-APP-ID>>" --groups "<<REDACTED-GROUP-NAME>>" --release-notes "<<REDACTED-RELEASE-NOTES"
displayName: 'Distribute to Firebase App Distribution [ANDROID]'
Pipeline output:
{ type: service_account, project_id: REDACTED, private_key_id: REDACTED, private_key: -----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n, client_email: REDACTED, client_id: REDACTED, auth_uri: https://accounts.google.com/o/oauth2/auth, token_uri: https://oauth2.googleapis.com/token, auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs, client_x509_cert_url: REDACTED, universe_domain: googleapis.com }
/Users/runner/work/1/service-account.json
Error: Failed to authenticate, have you run firebase login?
Error: Failed to authenticate, have you run firebase login?
##[error]Bash exited with code '1'.
You can try like as below:
Follow the similar steps mentioned here to generate and download the JSON file from Firebase console.
Instead of storing the content of this JSON file to Azure Key Vault secret (or as a secret variable in the pipeline), I recommend you directly upload the original JSON file to Secure files on Azure DevOps. Before uploading the JSON file, you can rename it with a custom name if you prefer, but do not make any changes to its content if possible.
In the pipeline:
- You can use the Download secure file task to download the JSON file from Secure files. Once this task runs successfully, it will give an output variable (
<taskName>.secureFilePath) that the value is the path of the downloaded JSON file. - On the subsequent script task to authenticate Firebase, you can use the
envkey to set the path of the downloaded JSON file as the value of the environment variableGOOGLE_APPLICATION_CREDENTIALS.
- You can use the Download secure file task to download the JSON file from Secure files. Once this task runs successfully, it will give an output variable (
See below example as reference.
steps:
- task: DownloadSecureFile@1
name: FirebaseCert
displayName: 'Download Secure File'
inputs:
secureFile: 'Google-Firebase-credentials.json'
- script: |
echo "secureFilePath = $(FirebaseCert.secureFilePath)"
echo "GOOGLE_APPLICATION_CREDENTIALS = $GOOGLE_APPLICATION_CREDENTIALS"
env:
GOOGLE_APPLICATION_CREDENTIALS: $(FirebaseCert.secureFilePath)
displayName: 'Show File Path'
Why recommend this method?
Your original method need to pass the JSON content on the command line to create a JSON file, it might cause the JSON content be exposed in the output logs of the script task. Since the JSON content contains the credentials which are privacy/secret information, exposing the content in the output logs could have security risk.
With the method I shared above, you can avoid the security risk as possible. It is also strongly recommended that never echo privacy/secret information as output, and never pass privacy/secret information on the command line.
In the script task, when you use the command line to read and write the JSON content to a JSON file, it might save the JSON file with a different encoding from the original JSON file which was generated and downloaded from Firebase console. Sometimes, the inconsistent encoding could cause unexpected error when using the JSON file.
With the method I shared above, it can keep the encoding of the JSON file to be consistent as possible.
- s.indexOf is not a function at Function.n.fromString
- Cannot see the logs from Firebase Database in Google Cloud Run to send push notification
- Firebase functions V2: ; SyntaxError: Cannot use import statement outside a module at wrapSafe
- Xcode "Missing package product 'GoogleUtilities_UserDefaults'" after updating to latest package version using SPM
- GCP: Why can't my Backend Bucket find my public files?
- How to output number of documents which match a query?
- Firebase Query Builder and Code get data not showing data
- Generate RTDB key without creating node
- Task :app:uploadCrashlyticsMappingFileRelease FAILED Expected file collection to contain exactly one file, however, it contains no files
- Flutter FirebaseError: Firebase: firebase.auth() takes either no argument or a Firebase App instance. (app/invalid-app-argument)
- How to migrate data from MongoDB to Firestore?
- Unresolved reference 'googleIdToken'
- Firebase Firestore rules with count
- How do I use Flutter's hot reload for a web app that uses Firebase?
- Firebase Rules for Cloud Firestore to limit maximum number of documents read in one go
- How to automatically create indexes for Cloud Firestore?
- Firebase 2.0 functionality without Play services on the device
- Firebase hosting showing welcome page after deploying angular 6 app?
- type 'List<Object?>' is not a subtype of type 'PigeonUserDetails?' in type cast
- Firestore SDK hangs in production
- How to setup different firebase environments(Flavors) in Flutter Web
- FCM push notification error: code: 'messaging/invalid-payload
- How to auto delete messages on firebase
- How to delete firebase data after "n" days
- Setting up dotenv in firebase functions
- How do I fix the error 'Failed to load FirebaseOptions from resource. Check that you have defined values.xml correctly.'
- Is it secure to send the user UID to firebase cloud functions
- Why is Firebase based app not working in Iran?
- Firebase Cloud Firestore throws "client is offline"
- How to update editedRows from DataGrid MUI to firebase?