I'm using a service account to deploy with the Firebase CLI from a GitHub Action.
This is the set of permissions this account has:
ROLE
roles/cloudfunctions.admin
roles/firebase.sdkAdminServiceAgent
roles/firebaseauth.admin
roles/iam.serviceAccountTokenCreator
roles/storage.admin
But when deploying, I'm still getting this error:
⚠ hosting:channel: Unable to add channel domain to Firebase Auth. Visit the Firebase Console at https://console.firebase.google.com/project/XXXXX-dev3/authentication/providers
⚠ hosting:channel: Unable to sync Firebase Auth state.
BTW: Why is it asking to visit https://console.firebase.google.com/project/XXXXX-dev3/authentication/providers?
I executed the Firebase CLI with --debug enabled. Attached the output related to the error.
For some reason, it is necessary to add the roles/serviceusage.serviceUsageConsumer role.
Now, it works with the following list of roles:
ROLE
roles/cloudfunctions.admin
roles/firebase.sdkAdminServiceAgent
roles/firebaseauth.admin
roles/iam.serviceAccountTokenCreator
roles/serviceusage.serviceUsageConsumer
Logs:
2025-04-05T15:35:21.2902860Z [2025-04-05T15:35:21.287Z] >>> [apiv2][query] GET https://identitytoolkit.googleapis.com/admin/v2/projects/XXXXX-dev3/config [none]
2025-04-05T15:35:21.4604631Z [2025-04-05T15:35:21.460Z] <<< [apiv2][status] GET https://identitytoolkit.googleapis.com/admin/v2/projects/XXXXX-dev3/config 403
2025-04-05T15:35:21.4618293Z [2025-04-05T15:35:21.460Z] <<< [apiv2][body] GET https://identitytoolkit.googleapis.com/admin/v2/projects/XXXXX-dev3/config {"error":{"code":403,"message":"Caller does not have required permission to use project XXXXX-dev3. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=XXXXX-dev3 and then retry. Propagation of the new permission may take a few minutes.","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"USER_PROJECT_DENIED","domain":"googleapis.com","metadata":{"service":"identitytoolkit.googleapis.com","consumer":"projects/XXXXX-dev3","containerInfo":"XXXXX-dev3"}},{"@type":"type.googleapis.com/google.rpc.LocalizedMessage","locale":"en-US","message":"Caller does not have required permission to use project XXXXX-dev3. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=XXXXX-dev3 and then retry. Propagation of the new permission may take a few minutes."},{"@type":"type.googleapis.com/google.rpc.Help","links":[{"description":"Google developer console IAM admin","url":"https://console.developers.google.com/iam-admin/iam/project?project=XXXXX-dev3"}]}]}}
2025-04-05T15:35:21.4628029Z ⚠ hosting:channel: Unable to sync Firebase Auth state.
2025-04-05T15:35:21.4644147Z [2025-04-05T15:35:21.460Z] [hosting] unable to sync auth domain Request to https://identitytoolkit.googleapis.com/admin/v2/projects/XXXXX-dev3/config had HTTP Error: 403, Caller does not have required permission to use project XXXXX-dev3. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=XXXXX-dev3 and then retry. Propagation of the new permission may take a few minutes. {"name":"FirebaseError","children":[],"context":{"body":{"error":{"code":403,"message":"Caller does not have required permission to use project XXXXX-dev3. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=XXXXX-dev3 and then retry. Propagation of the new permission may take a few minutes.","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"USER_PROJECT_DENIED","domain":"googleapis.com","metadata":{"service":"identitytoolkit.googleapis.com","consumer":"projects/XXXXX-dev3","containerInfo":"XXXXX-dev3"}},{"@type":"type.googleapis.com/google.rpc.LocalizedMessage","locale":"en-US","message":"Caller does not have required permission to use project XXXXX-dev3. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=XXXXX-dev3 and then retry. Propagation of the new permission may take a few minutes."},{"@type":"type.googleapis.com/google.rpc.Help","links":[{"description":"Google developer console IAM admin","url":"https://console.developers.google.com/iam-admin/iam/project?project=XXXXX-dev3"}]}]}},"response":{"statusCode":403}},"exit":1,"message":"Request to https://identitytoolkit.googleapis.com/admin/v2/projects/XXXXX-dev3/config had HTTP Error: 403, Caller does not have required permission to use project XXXXX-dev3. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=XXXXX-dev3 and then retry. Propagation of the new permission may take a few minutes.","status":403}
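
Added example, not part of the original post: a small Python parser that pulls the denial reason, the API service and the role or permission the API asks for out of `--debug` output like the log above, so a CI job can report the exact missing grant instead of the generic hosting:channel warning. The function name, the `example-project` id and the shortened sample log are constructed for illustration.

```python
import json
import re

BODY_RE = re.compile(r"<<< \[apiv2\]\[body\] (\S+) (\S+) (\{.*)")
ROLE_RE = re.compile(r"roles/[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*")
PERM_RE = re.compile(r"with the ([a-z][\w.]+) permission")

def find_permission_denials(log_text):
    """Return one record per [apiv2][body] line whose JSON body is a 403 error."""
    findings = []
    for line in log_text.splitlines():
        m = BODY_RE.search(line)
        if not m:
            continue
        method, url, rest = m.groups()
        try:
            body, _ = json.JSONDecoder().raw_decode(rest)
        except json.JSONDecodeError:
            continue  # body was wrapped or truncated in the log
        err = body.get("error") if isinstance(body, dict) else None
        if not isinstance(err, dict) or err.get("code") != 403:
            continue
        info = next((d for d in err.get("details", [])
                     if d.get("@type", "").endswith("google.rpc.ErrorInfo")), {})
        meta, msg = info.get("metadata", {}), err.get("message", "")
        findings.append({
            "request": f"{method} {url}", "status": err.get("status"),
            "reason": info.get("reason"), "service": meta.get("service"),
            "consumer": meta.get("consumer"),
            "roles": sorted(set(ROLE_RE.findall(msg))),
            "permissions": sorted(set(PERM_RE.findall(msg))),
        })
    return findings

# Constructed sample, shortened from the log shape above (placeholder project id).
_URL = "https://identitytoolkit.googleapis.com/admin/v2/projects/example-project/config"
_MSG = ("Caller does not have required permission to use project example-project. "
        "Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a "
        "custom role with the serviceusage.services.use permission.")
_ERR = {"error": {"code": 403, "message": _MSG, "status": "PERMISSION_DENIED",
        "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                     "reason": "USER_PROJECT_DENIED",
                     "metadata": {"service": "identitytoolkit.googleapis.com",
                                  "consumer": "projects/example-project"}}]}}
SAMPLE_LOG = "\n".join([
    f"[2025-04-05T15:35:21.460Z] <<< [apiv2][status] GET {_URL} 403",
    f"[2025-04-05T15:35:21.460Z] <<< [apiv2][body] GET {_URL} " + json.dumps(_ERR),
])

if __name__ == "__main__":
    print(json.dumps(find_permission_denials(SAMPLE_LOG), indent=2))
```

The `permissions` field is the narrower grant the error message itself offers: a custom role carrying only `serviceusage.services.use` instead of the predefined role.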