I am trying to install and uninstall extensions in Firebase, but I am getting a permission denied error. After looking at the logs, it appears Firebase is attempting to use a non-existent service account to enable the needed services. The service account in question is <PROJECT_ID>@cloudservices.gserviceaccount.com. This service account doesn't exist, and I don't remember ever deleting it. I tried using the service account undelete API call but get a warning that the service account doesn't exist.

Can I change which service account is used by Firebase to manage extensions? What do I need to do to get this working?

Update: After doing a little more digging, it is the Service Usage API service that is failing.

CodePudding user response：

The Service Account most likely exists, it's just not a service account that you can manage directly or have access to: https://cloud.google.com/compute/docs/access/service-accounts#google_apis_service_agent

Firebase Extensions is not using this service account directly, but some other resources that Extensions are trying to provision or depend on do (ex. Deployment Manager, Cloud Build, GCF, etc.).

Typically, this service account must have pretty broad permissions on your project (at least Editor).

One way to resolve this is to go to https://console.cloud.google.com/iam-admin/iam and grant <PROJECT_ID>@cloudservices.gserviceaccount.com role Editor.

CodePudding user response：

I was finally able to find the solution to add the missing service account here: https://stackoverflow.com/a/62655297/3088642. The service account must have been inadvertently delete at some point in the past.