错误:无法加载默认凭据.上下文:firebase登录:ci和firebase auth:导出 [英] Error: Could not load the default credentials. context: firebase login:ci AND firebase auth:export

问题描述

免责声明:有很多类似的问题提到同一条错误消息，但我读了很多，但都没有涉及到我的上下文.

Disclaimer: There are lots of similar questions mentioning the same error message but I read many and none of them pertained to my context.

我正在尝试使用命令 firebase自动导出Firebase身份验证数据库-调试auth:export .该命令在我的本地计算机上完美执行.但是，当我尝试在CI上运行它时，它失败并显示以下错误消息:

I am trying to automate exporting the Firebase Authentication database using the command firebase --debug auth:export. The command executes flawlessly on my local machine. But when I try to run it on CI it fails with the following error message:

[2021-04-27T20:48:23.188Z] > command requires scopes: ["email","openid","https://www.googleapis.com/auth/cloudplatformprojects.readonly","https://www.googleapis.com/auth/firebase","https://www.googleapis.com/auth/cloud-platform"]
[2021-04-27T20:48:26.208Z] Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.
    at GoogleAuth.getApplicationDefaultAsync (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:160:19)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at runNextTicks (internal/process/task_queues.js:66:3)
    at listOnTimeout (internal/timers.js:518:9)
    at processTimers (internal/timers.js:492:7)
    at async GoogleAuth.getClient (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:502:17)
    at async GoogleAuth.getAccessToken (/home/node/.npm-global/lib/node_modules/firebase-tools/node_modules/google-auth-library/build/src/auth/googleauth.js:524:24)
Error: An unexpected error has occurred.

我正在尝试在 Gitlab预定管道使用.gitlab-ci.yml文件.为此，我了解我需要使用 firebase登录进行身份验证:ci 命令.我这样做是因为我的.gitlab-ci.yml工作中的其他 firebase 命令(例如 firebase use 和 firebase deploy )知道令牌是有效的，代码>.

I am trying to run this command in a Gitlab Scheduled Pipeline using a .gitlab-ci.yml file. For that to work I understand I need to authenticate using the firebase login:ci command. I did that and I know the token is valid because other firebase commands in my .gitlab-ci.yml work, for instance firebase use and firebase deploy.

这是我的.gitlab-ci.yml的简化版:

Here is a simplified version of my .gitlab-ci.yml:

stages:
  - stg_backups

jb_auth_backup:
  stage: stg_backups
  image: devillex/docker-firebase
  only:
    - schedules
  script:
    - firebase use --token $MY_CI_FIREBASE_DEPLOY_KEY $MY_FIREBASE_PROJECT
    - mkdir backups
    - firebase --debug auth:export backups/my-auth-backup.json --format=JSON
  artifacts:
    paths:
      - backups

将环境变量正确设置为 Gitlab项目变量.

The environment variables are set correctly as Gitlab Project variables.

我尝试刷新我的Firebase身份验证令牌，但这没有用.我曾尝试阅读以下类似帖子中的错误消息，但由于他们谈论的是Google Cloud Platform服务帐户，因此我不确定与Firebase身份验证令牌有什么关系或与之相关.

I have tried refreshing my firebase authentication token but that didn't work. I have tried reading about the error message in posts like the following, but since they talk about Google Cloud Platform service accounts, I am not sure how or if that's related to firebase authentication tokens.

• 错误错误:无法加载默认凭据
• 无法加载默认值证书?(Node.js Google Compute Engine教程)
• 错误:无法加载默认值凭据(用于Firestore的Firebase函数)

我还分析了分配给我的Google用户角色的权限.我的Google用户具有所有者"在IAM中.我在IAM中发现了另一个似乎相关的角色:"Firebase身份验证管理员".该角色具有15个权限，我确认​​为所有者"也具有以下权限:

I have also analyzed the permissions assigned to the role my Google user has. My Google user has "Owner" in the IAM. I found another role in the IAM that seems relevant: "Firebase Authentication Admin". That role has 15 permissions I confirmed "Owner" also has these permissions:

1. firebase.clients.get
2. firebase.clients.list
3. firebase.projects.get
4. firebaseauth.configs.create
5. firebaseauth.configs.get
6. firebaseauth.configs.getHashConfig
7. firebaseauth.configs.update
8. firebaseauth.users.create
9. firebaseauth.users.createSession
10. firebaseauth.users.delete
11. firebaseauth.users.get
12. firebaseauth.users.sendEmail
13. firebaseauth.users.update
14. resourcemanager.projects.get
15. resourcemanager.projects.list

但是，错误消息说它需要范围".是范围"吗?和权限"不同的?我还没有看到有关范围"的任何文档.在IAM文档中.所以我不确定我是否在寻找正确的文档.

However, the error message says it "requires scopes". Are "scopes" and "permissions" different? I haven't seen any documentation about "scopes" in the IAM documentation. So I'm not sure if I'm looking at the right documentation.

有人知道如何运行 firebase --debug auth:export 来自 Gitlab计划的管道?

推荐答案

，应将-token< token> 传递给每个 firebase 命令:

As implied by the Firebase CLI reference section "Use the CLI with CI systems", the --token <token> should be passed to every firebase command:

1. 在运行firebase命令时使用此令牌.您可以使用以下两个选项:

1. Use this token when running firebase commands. You can use either of the following two options:

• 将令牌存储为环境变量FIREBASE_TOKEN.你的系统将自动使用令牌.

• Store the token as the environment variable FIREBASE_TOKEN. Your system will automatically use the token.

在CI中运行带有--token标志的所有firebase命令系统.令牌加载的优先顺序是标志，环境变量，所需的Firebase项目.

Run all firebase commands with the --token flag in your CI system. The order of precedence for token loading is flag, environment variable, desired Firebase project.

尽管.codelab--ci.yml脚本中的-token< token> 传递给了 firebase use 命令，但并未传递给 firebase auth:export 命令.不要以为 firebase use 不仅可以保存活动项目选择，还可以保存令牌.根据 firebase帮助使用，其唯一目的是为您的工作目录设置一个活动的Firebase项目".关于设置活动令牌，它什么也没说.

Although --token <token> is passed to the firebase use command in the .gitlab-ci.yml script, it is not being passed to the firebase auth:export command. Don't assume that firebase use saves not only the active project selection but also the token. According to firebase help use, its only purpose is to "set an active Firebase project for your working directory". It says nothing about setting an active token.

我已经确认以下.gitlab-ci.yml脚本确实成功导出了Firebase身份验证数据库:

I have confirmed the following .gitlab-ci.yml script does, in fact, export the Firebase authentication database successfully:

stages:
  - stg_backups

jb_auth_backup:
  stage: stg_backups
  image: devillex/docker-firebase
  only:
    - schedules
  script:
    - firebase --token $MY_CI_FIREBASE_DEPLOY_KEY use $MY_FIREBASE_PROJECT
    - mkdir backups
    - firebase --token $MY_CI_FIREBASE_DEPLOY_KEY auth:export backups/my-auth-backup.json --format=JSON
  artifacts:
    paths:
      - backups

请注意， firebase use 和 firebase auth:export 命令的语法均已从原始.gitlab-ci.yml进行了更改.现在，他们都将-token< token> 放在 firebase 可执行命令之后.根据 firebase帮助，此方法可以更好地遵守已记录的语法.那里说正确的语法是 firebase [options] [command] ，其中-token 是选项之一.

Note that the syntax of both the firebase use and firebase auth:export commands have been changed from the original .gitlab-ci.yml. They now both put the --token <token> right after the firebase executable command. This adheres better to the documented syntax according to firebase help. There it says the correct syntax is firebase [options] [command] where --token is one of the options. 

事实上，甚至还不清楚 firebase是否使用--token< my_token>< my_project> 甚至对令牌都格外注意，因为它是在之后而不是之前使用 use 命令.Firebase使用--token 太糟糕了，不仅仅是抛出一个错误让用户知道-token 属于 [options] 是 firebase 而不是 [options] 用于 use .

In fact, it's not even clear whether firebase use --token <my_token> <my_project> even paid any attention to the token since it's after instead of before the use command. It's too bad firebase use --token doesn't just throw an error to let the user know that --token belongs to the [options] for firebase not the [options] for use.

这篇关于错误:无法加载默认凭据.上下文:firebase登录:ci和firebase auth:导出的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！