I'm trying to deploy Firebase rules using the Firebase CLI. I want to achieve that using service account impersonation, which works for other operations that I perform, but surely not when using the Firebase CLI.
I get the following error, despite setting the auth/impersonate_service_account setting in my config.
Error: HTTP Error: 403, Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the firebaserules.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
The solution that worked is the following:
firebase \
  --token "$(gcloud auth print-access-token --impersonate-service-account=<sa>)" \
  deploy --only firestore:rules