Search code examples
firebasegoogle-cloud-platformgoogle-cloud-firestoregoogle-cloud-datastore

FirebaseError: Missing or insufficient permissions after deleting Google Service Accounts

Use Case

I am using Firebase JS SDK to access Cloud Firestore from Browser, so that I can push UI Logs and Errors into Firestore.

Issue

It was all working fine until I, accidentally, deleted most of the Service Accounts in my Google Cloud Platform inside APIs & Services → Credentials.

Below is the sample Config that we use for a Firebase Web App:

<script src="https://www.gstatic.com/firebasejs/7.13.1/firebase-app.js"></script>
<script>
    // Your web app's Firebase configuration
    var firebaseConfig = {
        apiKey: "AIzaSyCztfcT6k6yXXXXXXXXXXXXXXXXXX",
        authDomain: "<some-domain>.firebaseapp.com",
        databaseURL: "https://<some-domain>.firebaseio.com",
        projectId: "<some-domain>",
        storageBucket: "<some-domain>.appspot.com",
        messagingSenderId: "877458876543",
        appId: "1:877458876543:web:9a9287dee234cd655ab7f2"
    };
    // Initialize Firebase
    firebase.initializeApp(firebaseConfig);
</script>

I even tried reading Firebase Service Accounts Overview, but could not decide which Service Account to use for Firestore. Then, I tried adding different Service Accounts according to my Project ID and giving them Owner permissions to my Project, but it didn't work.

Full Error I am getting in Browser's Console:

Uncaught (in promise) FirebaseError: Missing or insufficient permissions.
    at new Hr (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:48219)
    at https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:378673
    at wr.<anonymous> (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:377569)
    at Wt (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:15221)
    at wr.S.dispatchEvent (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:16063)
    at Er.ua (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:45322)
    at nr.S.Fa (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:43229)
    at Ge (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:21453)
    at qe (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:20854)
    at Me.S.Ja (https://www.gstatic.com/firebasejs/7.8.2/firebase-firestore.js:1:23264)

Actually, I want to cleanup my Service Accounts as there were many created by myself. Please guide in telling which Service Account to use and what suitable Permissions to give.

Solution

  • Firestore Security Rules depend on a service account named service-PROJECT_NUMBER@firebase-rules.iam.gserviceaccount.com with the role roles/firebaserules.system. You can use gcloud to restore this account:

    gcloud projects add-iam-policy-binding PROJECT_ID --member=serviceAccount:service-PROJECT_NUMBER@firebase-rules.iam.gserviceaccount.com --role=roles/firebaserules.system

    To get the project number, see Identifying projects.