ahong

Reputation: 1260

Proper permission for Cloud Build to deploy to Firebase?

Permissions recommended for the Cloud Build service account in the official Google documentation and the Firebase CLI community builder docs are insufficient:

  1. In the permissions table, locate the email ending with @cloudbuild.gserviceaccount.com, and click on the pencil icon.
  2. Add Cloud Build Service Account, Firebase Admin and API Keys Admin roles.

I still get the following error in Cloud Build when I do firebase deploy:

Error: HTTP Error: 403, The caller does not have permission

What I've tried is different Firebase IAM roles, Editor, and Owner. So far only the Owner role works. That is way too much privilege for a Cloud Build service account, and violates the least-privilege model.

Everything is in the same Google Cloud project.

Anyone know how to troubleshoot this? Or know which role/permission is missing?

Upvotes: 1

Views: 655

Answers (2)

Sam Stern

Reputation: 25134

For our project (which uses Firestore, Functions, Hosting, and Storage extensively) here is the list we came up with. Critically I wanted to avoid "Firebase Admin" because I did not want this service account to have access to read/write my Firestore data:

  • Artifact Registry Administrator
  • Cloud Build Service Account
  • Cloud Datastore Index Admin
  • Cloud Functions Admin
  • Cloud RuntimeConfig Admin
  • Cloud Scheduler Admin
  • Firebase Hosting Admin
  • Firebase Rules Admin
  • Pub/Sub Admin
  • Service Account User

Upvotes: 1
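An added example (not code from the question or either answer) that binds the role set listed in the answer above to the Cloud Build service account with gcloud and then reports which of those roles are still missing; the roles/... IDs are an assumed mapping of the display names, and the project ID is supplied on the command line:

```shell
set -eu
# Assumed role IDs for the display names listed in the answer above.
REQUIRED_ROLES="roles/artifactregistry.admin
roles/cloudbuild.builds.builder
roles/datastore.indexAdmin
roles/cloudfunctions.admin
roles/runtimeconfig.admin
roles/cloudscheduler.admin
roles/firebasehosting.admin
roles/firebaserules.admin
roles/pubsub.admin
roles/iam.serviceAccountUser"

# Cloud Build's default service account is <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com
cloudbuild_sa() {
  number=$(gcloud projects describe "$1" --format='value(projectNumber)')
  echo "${number}@cloudbuild.gserviceaccount.com"
}

# Bind each required role to the service account (needs project IAM admin rights).
grant_roles() {
  for role in $REQUIRED_ROLES; do
    gcloud projects add-iam-policy-binding "$1" --member="serviceAccount:$2" --role="$role" --quiet >/dev/null
  done
}

# Print the project-level roles the service account currently holds, one per line.
held_roles() {
  gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$2" --format='value(bindings.role)'
}

# Given a newline-separated list of held roles, print the required ones not in it.
# Pure shell, so it can be checked offline against a constructed list.
missing_roles() {
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$1" | grep -qxF "$role" || echo "$role"
  done
}

# Only touch a real project when invoked as: sh cloudbuild_roles.sh apply <PROJECT_ID>
if [ "${1:-}" = "apply" ]; then
  sa=$(cloudbuild_sa "$2")
  grant_roles "$2" "$sa"
  left=$(missing_roles "$(held_roles "$2" "$sa")")
  [ -z "$left" ] || { echo "still missing:"; echo "$left"; exit 1; }
  echo "$sa holds all required roles"
fi
```

Running it without the `apply` argument only defines the functions, so the offline check of `missing_roles` can be exercised without touching a project.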

ahong

Reputation: 1260

tl;dr seems like it was "an accidental permission expansion" that has been corrected.

I am able to restrict the roles to:

  1. Cloud Build Service Account
  2. Firebase Admin
  3. API Keys Admin

Upvotes: 0
