[REQUIRED] Environment info
firebase-tools: 12.5.3
Platform: macOS
[REQUIRED] Test case
```python
from firebase_functions.scheduler_fn import on_schedule, ScheduledEvent


@on_schedule(
    schedule="*/15 * * * *",
    region="europe-west3",
    ingress="ALLOW_INTERNAL_ONLY",
    concurrency=1,
    preserve_external_changes=True,
)
def update_prd_from_meeting_transcripts(event: ScheduledEvent) -> None:
    # ScheduledEvent is a frozen dataclass, so its fields are read as
    # attributes, not with subscript access.
    print(event.job_name, event.schedule_time)
    return
```
[REQUIRED] Steps to reproduce
1. Deploy the example function above (scheduled function) with `firebase deploy functions --project $PROJECT_ID`
2. Create a custom service account (we use terraform, but Cloud Console would work, too)
3. Update the created Cloud Scheduler job to use the custom service account created in 2 (we use terraform, but Cloud Console would work, too)
4. Add a `roles/run.invoker` IAM binding to the Cloud Run service created in 1, with the custom service account created in 2 being one of the members.
5. Re-deploy the function or deploy an update with `firebase deploy functions --project $PROJECT_ID`
[REQUIRED] Expected behavior
The updated function is deployed and the `roles/run.invoker` binding on the Cloud Run service is either not updated or only updated additively, in order to preserve my changes.
As using the default compute service account is discouraged as a security risk, this is important behaviour to rely on for mature organisations that have a requirement not to use the default compute service account.
[REQUIRED] Actual behavior
The updated function is deployed and the `roles/run.invoker` binding on the Cloud Run service is set to contain only the default compute service account.
This is due to the following code in firebase cli:
- Updating the CloudRun permission replaces the members for the invoker role instead of doing an additive update here.
- When updating a scheduled function, its invokers are hard-coded to the default compute service account here.
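To make the difference between the two behaviours concrete, here is an added example (not firebase-tools code) that operates on a Cloud Run IAM policy in the JSON shape returned by `getIamPolicy` (`bindings` with `role`/`members`, plus an `etag`). `replaceInvokers` reproduces the overwrite described above; `addInvokers` is the additive read-modify-write that would preserve an externally added member; `missingInvokers` is the post-deploy check a team could run to detect the regression. The project number, project id and service account names are constructed placeholders.

```typescript
// Added example, not firebase-tools code: replace-vs-additive update of the
// roles/run.invoker binding on a Cloud Run service IAM policy.

interface Binding {
  role: string;
  members: string[];
}

interface IamPolicy {
  bindings: Binding[];
  etag?: string; // returned by getIamPolicy; echo it back so a stale write is rejected
}

const INVOKER_ROLE = "roles/run.invoker";

// Constructed placeholders (not real accounts).
const DEFAULT_SA = "serviceAccount:123456789012-compute@developer.gserviceaccount.com";
const CUSTOM_SA = "serviceAccount:scheduler-invoker@my-project.iam.gserviceaccount.com";

// Constructed sample: the policy after step 4 of the report, where a custom
// service account has been added next to the default compute account.
const samplePolicy: IamPolicy = {
  etag: "BwX-placeholder-etag",
  bindings: [
    { role: INVOKER_ROLE, members: [DEFAULT_SA, CUSTOM_SA] },
    { role: "roles/run.admin", members: ["group:platform-team@example.com"] },
  ],
};

function findBinding(policy: IamPolicy, role: string): Binding | undefined {
  return policy.bindings.filter((b) => b.role === role)[0];
}

// Behaviour described in the report: the invoker binding is rebuilt from the
// given list, so any member added outside the deploy is silently dropped.
function replaceInvokers(policy: IamPolicy, members: string[]): IamPolicy {
  const others = policy.bindings.filter((b) => b.role !== INVOKER_ROLE);
  return {
    ...policy,
    bindings: others.concat([{ role: INVOKER_ROLE, members: members.slice() }]),
  };
}

// Additive update: keep every existing member of the binding and append the
// new ones that are not already present. The etag is carried over unchanged.
function addInvokers(policy: IamPolicy, members: string[]): IamPolicy {
  const current = findBinding(policy, INVOKER_ROLE);
  const merged = (current ? current.members : []).slice();
  for (const m of members) {
    if (merged.indexOf(m) === -1) merged.push(m);
  }
  const others = policy.bindings.filter((b) => b.role !== INVOKER_ROLE);
  return {
    ...policy,
    bindings: others.concat([{ role: INVOKER_ROLE, members: merged }]),
  };
}

// Post-deploy check: which of the expected invokers lost roles/run.invoker?
// An empty result means the custom service account can still trigger the job.
function missingInvokers(policy: IamPolicy, expected: string[]): string[] {
  const current = findBinding(policy, INVOKER_ROLE);
  const members = current ? current.members : [];
  return expected.filter((m) => members.indexOf(m) === -1);
}

// Walk through the report: a redeploy that only knows about the default SA.
console.log(missingInvokers(replaceInvokers(samplePolicy, [DEFAULT_SA]), [CUSTOM_SA]));
// -> [CUSTOM_SA]  (the Scheduler job can no longer invoke the service)
console.log(missingInvokers(addInvokers(samplePolicy, [DEFAULT_SA]), [CUSTOM_SA]));
// -> []  (custom account preserved)
```

Running `missingInvokers` against the live policy after each deploy (fetched with the Cloud Run `getIamPolicy` call or `gcloud run services get-iam-policy`) gives a cheap alert for this class of regression, independent of whether the CLI is fixed.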
Since this log contains a lot of sensitive information, I'd like to provide it if required, which I don't believe is the case as there is a 100% reproduction and there is a clear connection to code in the description above.