Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to install or uninstall Revenuecat purchases Firestore Extension #54

Closed
nialljawad96 opened this issue Apr 10, 2023 · 8 comments
Closed

Unable to install or uninstall Revenuecat purchases Firestore Extension #54

nialljawad96 opened this issue Apr 10, 2023 · 8 comments

Comments

@nialljawad96
Copy link

nialljawad96 commented Apr 10, 2023
edited

I have been unable to install or uninstall the Revenuecat Purchases Firestore Extension. After trying to then uninstall, I have received the following error. Note that we have Google Cloud Associated with this project and so IAM permissions etc. There is nothing about this in the documentation and how Google Cloud IAM permissions might affect the Extension installation or uninstallation. My account has full Owner permissions, as well as Service Usage Admin, Firebase Admin, and Eventarc admin. This is the error:

> Error: ; RESOURCE_ERROR at /deployments/firebase-ext-firestore-revenuecat-purchases/resources/mods-api-enable-eventarcpublishing: {"ResourceType":"deploymentmanager.v2.virtual.enableService","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission denied to enable service [eventarcpublishing.googleapis.com]\nHelp Token: help-token-here","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"googleapis.com","subject":"?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.enable&resource=project-name"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"AUTH_PERMISSION_DENIED","domain":"serviceusage.googleapis.com","metadata":{"service":"serviceusage.googleapis.com","permission":"serviceusage.services.enable","resource":"project-name"}}],"statusMessage":"Forbidden","requestPath":"https://serviceusage.googleapis.com/v1/projects/project-name/services/eventarcpublishing.googleapis.com:enable","httpMethod":"POST"}}; RESOURCE_ERROR at /deployments/firebase-ext-firestore-revenuecat-purchases/resources/mods-api-enable-cloudbuild: {"ResourceType":"deploymentmanager.v2.virtual.enableService","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission denied to enable service [cloudbuild.googleapis.com]\nHelp Token: help-token-here","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"googleapis.com","subject":"?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.enable&resource=project-name"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"AUTH_PERMISSION_DENIED","domain":"serviceusage.googleapis.com","metadata":{"service":"serviceusage.googleapis.com","permission":"serviceusage.services.enable","resource":"project-name"}}],"statusMessage":"Forbidden","requestPath":"https://serviceusage.googleapis.com/v1/projects/project-name/services/cloudbuild.googleapis.com:enable","httpMethod":"POST"}}; RESOURCE_ERROR at /deployments/firebase-ext-firestore-revenuecat-purchases/resources/mods-api-enable-artifactregistry: {"ResourceType":"deploymentmanager.v2.virtual.enableService","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission denied to enable service [artifactregistry.googleapis.com]\nHelp Token: help-token-here","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"googleapis.com","subject":"?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.enable&resource=project-name"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"AUTH_PERMISSION_DENIED","domain":"serviceusage.googleapis.com","metadata":{"service":"serviceusage.googleapis.com","permission":"serviceusage.services.enable","resource":"project-name"}}],"statusMessage":"Forbidden","requestPath":"https://serviceusage.googleapis.com/v1/projects/project-name/services/artifactregistry.googleapis.com:enable","httpMethod":"POST"}}; RESOURCE_ERROR at /deployments/firebase-ext-firestore-revenuecat-purchases/resources/mods-api-enable-iam: {"ResourceType":"deploymentmanager.v2.virtual.enableService","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission denied to enable service [iam.googleapis.com]\nHelp Token: help-token-here","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"googleapis.com","subject":"?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.enable&resource=project-name"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"AUTH_PERMISSION_DENIED","domain":"serviceusage.googleapis.com","metadata":{"service":"serviceusage.googleapis.com","permission":"serviceusage.services.enable","resource":"project-name"}}],"statusMessage":"Forbidden","requestPath":"https://serviceusage.googleapis.com/v1/projects/project-name/services/iam.googleapis.com:enable","httpMethod":"POST"}}; RESOURCE_ERROR at /deployments/firebase-ext-firestore-revenuecat-purchases/resources/mods-api-enable-cloudfunctions: {"ResourceType":"deploymentmanager.v2.virtual.enableService","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission denied to enable service [cloudfunctions.googleapis.com]\nHelp Token: help-token-here","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"googleapis.com","subject":"?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.enable&resource=project-name"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"AUTH_PERMISSION_DENIED","domain":"serviceusage.googleapis.com","metadata":{"service":"serviceusage.googleapis.com","permission":"serviceusage.services.enable","resource":"project-name"}}],"statusMessage":"Forbidden","requestPath":"https://serviceusage.googleapis.com/v1/projects/project-name/services/cloudfunctions.googleapis.com:enable","httpMethod":"POST"}}; RESOURCE_ERROR at /deployments/firebase-ext-firestore-revenuecat-purchases/resources/mods-api-enable-eventarc: {"ResourceType":"deploymentmanager.v2.virtual.enableService","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission denied to enable service [eventarc.googleapis.com]\nHelp Token: help-token-here","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"googleapis.com","subject":"?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.enable&resource=project-name"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"AUTH_PERMISSION_DENIED","domain":"serviceusage.googleapis.com","metadata":{"service":"serviceusage.googleapis.com","permission":"serviceusage.services.enable","resource":"project-name"}}],"statusMessage":"Forbidden","requestPath":"https://serviceusage.googleapis.com/v1/projects/project-name/services/eventarc.googleapis.com:enable","httpMethod":"POST"}}; RESOURCE_ERROR at /deployments/firebase-ext-firestore-revenuecat-purchases/resources/mods-api-enable-firebase: {"ResourceType":"deploymentmanager.v2.virtual.enableService","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission denied to enable service [firebase.googleapis.com]\nHelp Token: help-token-here","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"googleapis.com","subject":"?error_code=110002&service=serviceusage.googleapis.com&permission=serviceusage.services.enable&resource=project-name"}]},{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"AUTH_PERMISSION_DENIED","domain":"serviceusage.googleapis.com","metadata":{"service":"serviceusage.googleapis.com","permission":"serviceusage.services.enable","resource":"project-name"}}],"statusMessage":"Forbidden","requestPath":"https://serviceusage.googleapis.com/v1/projects/project-name/services/firebase.googleapis.com:enable","httpMethod":"POST"}}

I've replaced the help code and project name with the above error.
@alfondotnet
Copy link
Contributor

Hi Niall,

This is indeed a case we haven't seen before. We'll reach out to the Firebase folks to get more information, and get back to you.

@i14h
Copy link
Collaborator

i14h commented Apr 14, 2023

Why is the project name "project-name"?

@nialljawad96
Copy link
Author

@alfondotnet @i14h I've replaced the help token and project name with generic names

@huangjeff5
Copy link

Could you see if you are able to install other extensions? Curious if all extensions on your project run into this issue or just this specific one.

@huangjeff5
Copy link

So Extensions uses Deployment Manager under the hood to enable APIs. Deployment Manager uses a service account with the format <PROJECT_NUMBER>@cloudservices.gserviceaccount.com. Can you check if this service account has the Editor or Owner role?

@nialljawad96
Copy link
Author

nialljawad96 commented Apr 15, 2023
edited

@huangjeff5 @i14h @alfondotnet

The only service account that I can find that's similar is <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com

Here are the permissions currently for this service account, below:

Screenshot 2023-04-15 at 11 17 15

I tried to again uninstall the plugin after adding Owner, Firebase Admin, and Firebase Extensions API Service Agent permissions to this service account but this did not work. It did give me a popup on Firebase Console saying "extension resources might be turned down" - however I've been unable to recreate this popup.

I don't want to install any other plugins and create more issues at the moment - just want this to work.

@huangjeff5
Copy link

Hey @nialljawad96
Thank you, that's very helpful. I suspect the issue is that the Deployment Manager service account's iAM access got removed at some point. That explains why you cannot uninstall the extension, removing Cloud resources is done through Deployment Manager under the hood, and if the service account doesn't have iAM access, it would return an error.

Here's the next steps to try:

  1. Navigate to https://console.cloud.google.com/iam-admin/iam
  2. Near the top left corner of the page, you should see a "Grant Access" button. Click that.
  3. One the "Grant Access" popup shows up on the right side of the page, set "<PROJECT_NUMBER>@cloudservices.gserviceaccount.com" as the principal (replacing <PROJECT_NUMBER> with your actual project number), and select Editor role. Click Save.
  4. Try uninstalling / reinstalling the extension.

@nialljawad96
Copy link
Author

@huangjeff5 thanks very much for your help. Your solution worked. I was able to successfully uninstall, and then freshly install the extension with no issues.

I'm going to close this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@i14h @alfondotnet @huangjeff5 @nialljawad96