fix(init hosting:github): add authAdmin role to service account (#2736)

* Add authAdmin role

* changelog

Co-authored-by: Bryan Kendall <[email protected]>

Author: jhuleatt

CHANGELOG.md

@@ -1,2 +1,3 @@
 - Fixes issue when running in a Node 8 environment where `URL` was not defined. (#2817)
 - Sets `FIREBASE_AUTH_EMULATOR_HOST` in `emulators:exec`.
+- Updates roles for Firebase Hosting's channels GitHub action to allow the action to update authorized domains.

src/gcp/resourceManager.ts

@@ -4,9 +4,11 @@ import { Binding, getServiceAccount, Policy } from "./iam";
 
 const API_VERSION = "v1";
 
+// Roles listed at https://firebase.google.com/docs/projects/iam/roles-predefined-product
 export const firebaseRoles = {
-  hostingAdmin: "roles/firebasehosting.admin",
   apiKeysViewer: "roles/serviceusage.apiKeysViewer",
+  authAdmin: "roles/firebaseauth.admin",
+  hostingAdmin: "roles/firebasehosting.admin",
   runViewer: "roles/run.viewer",
 };
 

src/init/features/hosting/github.ts

@@ -543,11 +543,19 @@ async function createServiceAccountAndKey(
     }
   }
 
-  // The roles for the service account.
-  // https://firebase.google.com/docs/projects/iam/roles-predefined-product#hosting
+  // Service account roles
   const requiredRoles = [
-    firebaseRoles.hostingAdmin,
+    // Required to add preview URLs to Auth authorized domains
+    // https://github.com/firebase/firebase-tools/issues/2732
+    firebaseRoles.authAdmin,
+
+    // Required for CLI deploys
     firebaseRoles.apiKeysViewer,
+
+    // Required to deploy preview channels
+    firebaseRoles.hostingAdmin,
+
+    // Required for projects that use Hosting rewrites to Cloud Run
     firebaseRoles.runViewer,
   ];
   await addServiceAccountToRoles(options.projectId, accountId, requiredRoles);