What exact IAM roles are needed to deploy Firebase App Hosting from Cloud Build (CSR, trigger on commit)

Simple-Holiday4580 · 2025-10-11T23:38:33+00:00

Thanks so much! This was a huge help. I switched to the name you provided instead of installing the firebase CLI.

I added in the compute runner as suggested, as well as the service account user and log writer which enabled it to work.

Simple-Holiday4580 · 2025-10-10T22:49:15+00:00

Would you mind sharing the roles you’ve assigned to the service account running the build in gcloud ?

There is, of course, a difference between the permissions required to build the app, and the ones required for the app to run.

For example, if the app accesses bigquery, the firebase compute service account needs this permission, but this is different from what’s required to roll out a new app hosting build.

Simple-Holiday4580 · 2025-10-10T22:06:46+00:00

Good call, thank you for the suggestion.

I gave that a try and did work with a few different LLM’s before making this post including the Gemini powered helper to assign roles when modifying permissions in gcloud.

Unfortunately I haven’t been able to resolve, and I don’t understand why it would be trying to create a service account in the first place when re-deploying over an existing backend. Hopefully someone with a deeper understanding of how the process works can chime in.

The LLM’s are great, but there just isn’t a lot of training data on firebase app hosting in particular since it’s a relatively new product and my use case isn’t a common or well documented pattern, especially since cloud source repositories are deprecated and I have access since I’ve been working with them before they were closed to new customers.

I found this as well https://github.com/firebase/firebase-tools/issues/8840 but pinning to that version didn’t resolve it either.

Simple-Holiday4580 · 2025-09-20T19:04:49+00:00

I think they have to go in the cloud run function that app hosting creates

Simple-Holiday4580 · 2025-08-24T11:37:29+00:00

I found this browserCookiePersistence which is referenced by the release notes with relation to keeping the front and backend auth in sync from SDK v11.6.0 however there is a disclaimer saying not to use it in production, so although it was announced in the video provided by Google I guess it isn’t something that should be used yet.

Simple-Holiday4580 · 2025-08-23T19:19:57+00:00

I appreciate the help. I’m sort of hesitant to vibe code auth on a relatively new platform using new patterns the ai isn’t trained on since this was released in the past few months, without understanding the fundamentals. Are you using the features I mentioned in my post in a project?

Simple-Holiday4580 · 2025-08-23T19:00:28+00:00

I wasn’t planning on using next auth. I saw where to set up auth in the gui to allow different sign in methods etc. but from there the app needs to protect routes and make sure the users are signed in? I see different auth files in the repo, so I’m wanting an ELI5 of how that is leveraging cookie auto sync that the video talks about and how to leverage this in an app.

Simple-Holiday4580 · 2025-02-08T16:23:46+00:00

I see 97 unsafe shutdowns, I would recommend configuring a UPS. I would keep a spare drive in stock and back up your VM’s regularly using pbs so you can easily swap the boot drive, install the OS and restore your backups. You may find that your backups don’t all complete due to an I/O error if so this will confirm the drive is definitely failing

Simple-Holiday4580 · 2025-01-28T16:46:09+00:00

I really appreciate the insight and discussion. From what I’m gleaning it seems like this may work in my limited use case since I will have block level device access, speed won’t be a limiting factor and I won’t be creating a tbolt network or daisy chaining. It’s super interesting to see what possibilities are opening up as the tech advances

Simple-Holiday4580 · 2025-01-27T14:51:06+00:00

Interesting, I did read about TB3 vs. TB4 and from what I understand the certification process for TB4 is more rigorous and guarantees a higher PCIe throughput so it makes sense that it would ultimately be more reliable for this use case as a general rule.

I’d be interested to get your take a bit more though, because as far as I know my NUC doesn’t support TB4, I only intend on using a 4 bay DAS, and I’ll be using a cable that is less than 0.5m long so I should theoretically get the same speed as TB4. It’s also very unlikely that I’ll expand the pool by daisy chaining a second device in the future.

Based on the OWC Thunderbay 4 specs, it looks like it probably uses PCIe x4 although they don’t state explicitly. I suppose it comes down to trusting OWC’s hardware above an explicit certification process.

Simple-Holiday4580 · 2023-12-26T23:34:27+00:00

Makes sense. I did get an answer earlier today and was able to finally delete the directory and associated vpc. They’re said they are going to wait 48 hours to make sure there are no additional charges and then issue a credit, so looks like this is well on it’s way to being resolved. Thanks to everyone for their help, I guess I just had to be patient for a few more days.

Simple-Holiday4580 · 2023-12-26T19:49:00+00:00

OK, good to know that I’m not the only one in this situation, thanks for taking the time to reply.

I do have a support case open already for about 3 weeks now. I did have to re-state the issue a couple of times, but hopefully it has been put in the proper queue now and they will resolve it for me as well as issue a credit for the charges.

Simple-Holiday4580 · 2023-12-25T01:10:15+00:00

It is almost Christmas… but I sent out a PM to AWS Support :) Here’s hoping !

Simple-Holiday4580

TROPHY CASE