Go look up compute service account instead of guessing (#8566)

* Go look up compute service account instead of guessing

* 2 more places

Author: joehan

CHANGELOG.md

@@ -4,6 +4,7 @@
 - Enhance firebase init apphosting to support local source deploys. (#8479)
 - Fixed issue where `firebase init hosting:github` didn't correctly parse the repo input. (#8536)
 - Add GCP API client functions to support App Hosting deploy from source feature. (#8545)
+- Fixed an issue where Extensions, Cloud Functions, and App Hosting would run into issues on projects where the default compute service account was changed.
 - Changed firebase init template for functions to pin runtime version on init. (#8553)
 - Fix an issue where updating a Cloud Function that retires would add incorrect fields to the updateMask. (#8560)
 - Fixed multi tenancy support for SSO users in the auth emulator (#8544)

src/apphosting/secrets/dialogs.spec.ts

@@ -34,36 +34,36 @@ describe("dialogs", () => {
   };
 
   describe("toMetadata", () => {
-    it("handles explicit account", () => {
+    it("handles explicit account", async () => {
       // Note: passing in out of order to verify the results are sorted.
-      const metadata = dialogs.toMetadata("number", [modernA2, modernA]);
+      const metadata = await dialogs.toMetadata("number", [modernA2, modernA]);
 
       expect(metadata).to.deep.equal([
         { location: "l", id: "modernA", buildServiceAccount: "a", runServiceAccount: "a" },
         { location: "l2", id: "modernA2", buildServiceAccount: "a", runServiceAccount: "a" },
       ]);
     });
 
-    it("handles fallback for legacy SAs", () => {
-      const metadata = dialogs.toMetadata("number", [modernA, legacy]);
+    it("handles fallback for legacy SAs", async () => {
+      const metadata = await dialogs.toMetadata("number", [modernA, legacy]);
 
       expect(metadata).to.deep.equal([
         {
           location: "l",
           id: "legacy",
-          ...secrets.serviceAccountsForBackend("number", legacy),
+          ...(await secrets.serviceAccountsForBackend("number", legacy)),
         },
         { location: "l", id: "modernA", buildServiceAccount: "a", runServiceAccount: "a" },
       ]);
     });
 
-    it("sorts by location first and id second", () => {
-      const metadata = dialogs.toMetadata("number", [legacy, modernA, modernA2]);
+    it("sorts by location first and id second", async () => {
+      const metadata = await dialogs.toMetadata("number", [legacy, modernA, modernA2]);
       expect(metadata).to.deep.equal([
         {
           location: "l",
           id: "legacy",
-          ...secrets.serviceAccountsForBackend("number", legacy),
+          ...(await secrets.serviceAccountsForBackend("number", legacy)),
         },
         { location: "l", id: "modernA", buildServiceAccount: "a", runServiceAccount: "a" },
         { location: "l2", id: "modernA2", buildServiceAccount: "a", runServiceAccount: "a" },
@@ -81,18 +81,20 @@ describe("dialogs", () => {
   });
 
   describe("tableForBackends", () => {
-    it("uses 'service account' header if all backends use one service account", () => {
-      const table = dialogs.tableForBackends(dialogs.toMetadata("number", [modernA, modernB]));
+    it("uses 'service account' header if all backends use one service account", async () => {
+      const table = dialogs.tableForBackends(
+        await dialogs.toMetadata("number", [modernA, modernB]),
+      );
       expect(table[0]).to.deep.equal(["location", "backend", "service account"]);
       expect(table[1]).to.deep.equal([
         ["l", "modernA", "a"],
         ["l", "modernB", "b"],
       ]);
     });
 
-    it("uses 'service accounts' header if any backend uses more than one service accont", () => {
-      const table = dialogs.tableForBackends(dialogs.toMetadata("number", [legacy, modernA]));
-      const legacyAccounts = secrets.serviceAccountsForBackend("number", legacy);
+    it("uses 'service accounts' header if any backend uses more than one service accont", async () => {
+      const table = dialogs.tableForBackends(await dialogs.toMetadata("number", [legacy, modernA]));
+      const legacyAccounts = await secrets.serviceAccountsForBackend("number", legacy);
       expect(table[0]).to.deep.equal(["location", "backend", "service accounts"]);
       expect(table[1]).to.deep.equal([
         [
@@ -219,7 +221,7 @@ describe("dialogs", () => {
         unreachable: [],
       });
       prompt.confirm.resolves(true);
-      const accounts = secrets.serviceAccountsForBackend("number", legacy);
+      const accounts = await secrets.serviceAccountsForBackend("number", legacy);
 
       await expect(
         dialogs.selectBackendServiceAccounts("number", "id", {}),
@@ -248,7 +250,7 @@ describe("dialogs", () => {
         unreachable: [],
       });
       prompt.confirm.resolves(false);
-      const legacyAccounts = secrets.serviceAccountsForBackend("number", legacy);
+      const legacyAccounts = await secrets.serviceAccountsForBackend("number", legacy);
 
       await expect(
         dialogs.selectBackendServiceAccounts("number", "id", {}),
@@ -337,7 +339,7 @@ describe("dialogs", () => {
         unreachable: [],
       });
       prompt.checkbox.resolves(["a", "b"]);
-      const legacyAccounts = secrets.serviceAccountsForBackend("number", legacy);
+      const legacyAccounts = await secrets.serviceAccountsForBackend("number", legacy);
 
       await expect(
         dialogs.selectBackendServiceAccounts("number", "id", {}),
@@ -365,7 +367,7 @@ describe("dialogs", () => {
         unreachable: [],
       });
       prompt.checkbox.resolves([]);
-      const legacyAccounts = secrets.serviceAccountsForBackend("number", legacy);
+      const legacyAccounts = await secrets.serviceAccountsForBackend("number", legacy);
 
       await expect(
         dialogs.selectBackendServiceAccounts("number", "id", {}),

src/apphosting/secrets/dialogs.ts

@@ -20,15 +20,15 @@ interface BackendMetadata {
 /**
  * Creates sorted BackendMetadata for a list of Backends.
  */
-export function toMetadata(
+export async function toMetadata(
   projectNumber: string,
   backends: apphosting.Backend[],
-): BackendMetadata[] {
+): Promise<BackendMetadata[]> {
   const metadata: BackendMetadata[] = [];
   for (const backend of backends) {
     // Splits format projects/<unused>/locations/<location>/backends/<id>
     const [, , , location, , id] = backend.name.split("/");
-    metadata.push({ location, id, ...serviceAccountsForBackend(projectNumber, backend) });
+    metadata.push({ location, id, ...(await serviceAccountsForBackend(projectNumber, backend)) });
   }
   return metadata.sort((left, right) => {
     const cmplocation = left.location.localeCompare(right.location);
@@ -140,13 +140,13 @@ export async function selectBackendServiceAccounts(
         "To use this secret, your backend's service account must be granted access. Would you like to grant access now?",
     });
     if (grant) {
-      return toMulti(serviceAccountsForBackend(projectNumber, listBackends.backends[0]));
+      return toMulti(await serviceAccountsForBackend(projectNumber, listBackends.backends[0]));
     }
     utils.logBullet(GRANT_ACCESS_IN_FUTURE);
     return { buildServiceAccounts: [], runServiceAccounts: [] };
   }
 
-  const metadata: BackendMetadata[] = toMetadata(projectNumber, listBackends.backends);
+  const metadata: BackendMetadata[] = await toMetadata(projectNumber, listBackends.backends);
 
   if (metadata.every(matchesServiceAccounts(metadata[0]))) {
     utils.logBullet("To use this secret, your backend's service account must be granted access.");

src/apphosting/secrets/index.spec.ts

@@ -33,21 +33,21 @@ describe("secrets", () => {
   });
 
   describe("serviceAccountsForbackend", () => {
-    it("uses explicit account", () => {
+    it("uses explicit account", async () => {
       const backend = {
         serviceAccount: "sa",
       } as any as apphosting.Backend;
-      expect(secrets.serviceAccountsForBackend("number", backend)).to.deep.equal({
+      expect(await secrets.serviceAccountsForBackend("number", backend)).to.deep.equal({
         buildServiceAccount: "sa",
         runServiceAccount: "sa",
       });
     });
 
-    it("has a fallback for legacy SAs", () => {
+    it("has a fallback for legacy SAs", async () => {
       const backend = {} as any as apphosting.Backend;
-      expect(secrets.serviceAccountsForBackend("number", backend)).to.deep.equal({
+      expect(await secrets.serviceAccountsForBackend("number", backend)).to.deep.equal({
         buildServiceAccount: gcb.getDefaultServiceAccount("number"),
-        runServiceAccount: gce.getDefaultServiceAccount("number"),
+        runServiceAccount: await gce.getDefaultServiceAccount("number"),
       });
     });
   });

src/apphosting/secrets/index.ts

@@ -42,19 +42,19 @@ export function toMulti(accounts: ServiceAccounts): MultiServiceAccounts {
  * Finds the explicit service account used for a backend or, for legacy cases,
  * the defaults for GCB and compute.
  */
-export function serviceAccountsForBackend(
+export async function serviceAccountsForBackend(
   projectNumber: string,
   backend: apphosting.Backend,
-): ServiceAccounts {
+): Promise<ServiceAccounts> {
   if (backend.serviceAccount) {
     return {
       buildServiceAccount: backend.serviceAccount,
       runServiceAccount: backend.serviceAccount,
     };
   }
   return {
-    buildServiceAccount: gcb.getDefaultServiceAccount(projectNumber),
-    runServiceAccount: gce.getDefaultServiceAccount(projectNumber),
+    buildServiceAccount: gcb.getDefaultServiceAccount(projectNumber), // TOOD: Look this up via API
+    runServiceAccount: await gce.getDefaultServiceAccount(projectNumber),
   };
 }
 

src/commands/apphosting-secrets-grantaccess.ts

@@ -71,7 +71,9 @@ export const command = new Command("apphosting:secrets:grantaccess <secretNames>
       backend = await apphosting.getBackend(projectId, location, backendId);
     }
 
-    const accounts = secrets.toMulti(secrets.serviceAccountsForBackend(projectNumber, backend));
+    const accounts = secrets.toMulti(
+      await secrets.serviceAccountsForBackend(projectNumber, backend),
+    );
 
     await Promise.allSettled(
       secretList.map((secretName) =>

src/deploy/extensions/v2FunctionHelper.ts

@@ -6,6 +6,7 @@ import { ensure } from "../../ensureApiEnabled";
 import * as planner from "./planner";
 import { needProjectId } from "../../projectUtils";
 import { computeOrigin } from "../../api";
+import { getDefaultServiceAccount } from "../../gcp/computeEngine";
 
 const SERVICE_AGENT_ROLE = "roles/eventarc.eventReceiver";
 
@@ -28,7 +29,7 @@ export async function ensureNecessaryV2ApisAndRoles(options: any) {
 
 async function ensureComputeP4SARole(projectId: string): Promise<boolean> {
   const projectNumber = await getProjectNumber({ projectId });
-  const saEmail = `${projectNumber}-compute@developer.gserviceaccount.com`;
+  const saEmail = await getDefaultServiceAccount(projectNumber);
 
   let policy;
   try {

src/deploy/functions/checkIam.spec.ts

@@ -58,8 +58,8 @@ describe("checkIam", () => {
   });
 
   describe("obtainDefaultComputeServiceAgentBindings", () => {
-    it("should obtain the bindings", () => {
-      const bindings = checkIam.obtainDefaultComputeServiceAgentBindings(projectNumber);
+    it("should obtain the bindings", async () => {
+      const bindings = await checkIam.obtainDefaultComputeServiceAgentBindings(projectNumber);
 
       expect(bindings.length).to.equal(2);
       expect(bindings).to.include.deep.members([

src/deploy/functions/checkIam.ts

@@ -153,8 +153,10 @@ export function obtainPubSubServiceAgentBindings(projectNumber: string): iam.Bin
  * @param projectNumber project number
  * @param existingPolicy the project level IAM policy
  */
-export function obtainDefaultComputeServiceAgentBindings(projectNumber: string): iam.Binding[] {
-  const defaultComputeServiceAgent = `serviceAccount:${gce.getDefaultServiceAccount(projectNumber)}`;
+export async function obtainDefaultComputeServiceAgentBindings(
+  projectNumber: string,
+): Promise<iam.Binding[]> {
+  const defaultComputeServiceAgent = `serviceAccount:${await gce.getDefaultServiceAccount(projectNumber)}`;
   const runInvokerBinding: iam.Binding = {
     role: RUN_INVOKER_ROLE,
     members: [defaultComputeServiceAgent],
@@ -199,7 +201,7 @@ export async function ensureServiceAgentRoles(
   const requiredBindings = [...flattenArray(nestedRequiredBindings)];
   if (haveServices.length === 0) {
     requiredBindings.push(...obtainPubSubServiceAgentBindings(projectNumber));
-    requiredBindings.push(...obtainDefaultComputeServiceAgentBindings(projectNumber));
+    requiredBindings.push(...(await obtainDefaultComputeServiceAgentBindings(projectNumber)));
   }
   if (requiredBindings.length === 0) {
     return;

src/deploy/functions/ensure.ts

@@ -8,6 +8,7 @@ import { getProject, ProjectInfo } from "../../management/projects";
 import { assertExhaustive } from "../../functional";
 import { cloudbuildOrigin } from "../../api";
 import * as backend from "./backend";
+import { getDefaultServiceAccount } from "../../gcp/computeEngine";
 
 const FAQ_URL = "https://firebase.google.com/support/faq#functions-runtime";
 
@@ -28,7 +29,7 @@ export async function defaultServiceAccount(e: backend.Endpoint): Promise<string
   if (e.platform === "gcfv1") {
     return `${metadata.projectId}@appspot.gserviceaccount.com`;
   } else if (e.platform === "gcfv2") {
-    return `${metadata.projectNumber}-compute@developer.gserviceaccount.com`;
+    return await getDefaultServiceAccount(metadata.projectNumber);
   }
   assertExhaustive(e.platform);
 }

src/deploy/functions/release/fabricator.spec.ts

@@ -775,7 +775,7 @@ describe("Fabricator", () => {
 
         await fab.createV2Function(ep, new scraper.SourceTokenScraper());
         expect(run.setInvokerCreate).to.have.been.calledWith(ep.project, "service", [
-          gce.getDefaultServiceAccount(fab.projectNumber),
+          await gce.getDefaultServiceAccount(fab.projectNumber),
         ]);
       });
 

src/deploy/functions/release/fabricator.ts

@@ -439,7 +439,7 @@ export class Fabricator {
     } else if (backend.isScheduleTriggered(endpoint)) {
       const invoker = endpoint.serviceAccount
         ? [endpoint.serviceAccount]
-        : [gce.getDefaultServiceAccount(this.projectNumber)];
+        : [await gce.getDefaultServiceAccount(this.projectNumber)];
       await this.executor
         .run(() => run.setInvokerCreate(endpoint.project, serviceName, invoker))
         .catch(rethrowAs(endpoint, "set invoker"));
@@ -548,7 +548,7 @@ export class Fabricator {
     } else if (backend.isScheduleTriggered(endpoint)) {
       invoker = endpoint.serviceAccount
         ? [endpoint.serviceAccount]
-        : [gce.getDefaultServiceAccount(this.projectNumber)];
+        : [await gce.getDefaultServiceAccount(this.projectNumber)];
     }
 
     if (invoker) {
@@ -662,14 +662,18 @@ export class Fabricator {
 
   async upsertScheduleV1(endpoint: backend.Endpoint & backend.ScheduleTriggered): Promise<void> {
     // The Pub/Sub topic is already created
-    const job = scheduler.jobFromEndpoint(endpoint, this.appEngineLocation, this.projectNumber);
+    const job = await scheduler.jobFromEndpoint(
+      endpoint,
+      this.appEngineLocation,
+      this.projectNumber,
+    );
     await this.executor
       .run(() => scheduler.createOrReplaceJob(job))
       .catch(rethrowAs(endpoint, "upsert schedule"));
   }
 
   async upsertScheduleV2(endpoint: backend.Endpoint & backend.ScheduleTriggered): Promise<void> {
-    const job = scheduler.jobFromEndpoint(endpoint, endpoint.region, this.projectNumber);
+    const job = await scheduler.jobFromEndpoint(endpoint, endpoint.region, this.projectNumber);
     await this.executor
       .run(() => scheduler.createOrReplaceJob(job))
       .catch(rethrowAs(endpoint, "upsert schedule"));

src/gcp/cloudscheduler.spec.ts

@@ -174,9 +174,9 @@ describe("cloudscheduler", () => {
       uri: "https://my-uri.com",
     };
 
-    it("should copy minimal fields for v1 endpoints", () => {
+    it("should copy minimal fields for v1 endpoints", async () => {
       expect(
-        cloudscheduler.jobFromEndpoint(V1_ENDPOINT, "appEngineLocation", "1234567"),
+        await cloudscheduler.jobFromEndpoint(V1_ENDPOINT, "appEngineLocation", "1234567"),
       ).to.deep.equal({
         name: "projects/project/locations/appEngineLocation/jobs/firebase-schedule-id-region",
         schedule: "every 1 minutes",
@@ -190,9 +190,9 @@ describe("cloudscheduler", () => {
       });
     });
 
-    it("should copy minimal fields for v2 endpoints", () => {
+    it("should copy minimal fields for v2 endpoints", async () => {
       expect(
-        cloudscheduler.jobFromEndpoint(V2_ENDPOINT, V2_ENDPOINT.region, "1234567"),
+        await cloudscheduler.jobFromEndpoint(V2_ENDPOINT, V2_ENDPOINT.region, "1234567"),
       ).to.deep.equal({
         name: "projects/project/locations/region/jobs/firebase-schedule-id-region",
         schedule: "every 1 minutes",
@@ -207,9 +207,9 @@ describe("cloudscheduler", () => {
       });
     });
 
-    it("should copy optional fields for v1 endpoints", () => {
+    it("should copy optional fields for v1 endpoints", async () => {
       expect(
-        cloudscheduler.jobFromEndpoint(
+        await cloudscheduler.jobFromEndpoint(
           {
             ...V1_ENDPOINT,
             scheduleTrigger: {
@@ -245,9 +245,9 @@ describe("cloudscheduler", () => {
       });
     });
 
-    it("should copy optional fields for v2 endpoints", () => {
+    it("should copy optional fields for v2 endpoints", async () => {
       expect(
-        cloudscheduler.jobFromEndpoint(
+        await cloudscheduler.jobFromEndpoint(
           {
             ...V2_ENDPOINT,
             scheduleTrigger: {

src/gcp/cloudscheduler.ts

@@ -224,11 +224,11 @@ export function topicNameForEndpoint(
 }
 
 /** Converts an Endpoint to a CloudScheduler v1 job */
-export function jobFromEndpoint(
+export async function jobFromEndpoint(
   endpoint: backend.Endpoint & backend.ScheduleTriggered,
   location: string,
   projectNumber: string,
-): Job {
+): Promise<Job> {
   const job: Partial<Job> = {};
   job.name = jobNameForEndpoint(endpoint, location);
   if (endpoint.platform === "gcfv1") {
@@ -245,7 +245,8 @@ export function jobFromEndpoint(
       uri: endpoint.uri!,
       httpMethod: "POST",
       oidcToken: {
-        serviceAccountEmail: endpoint.serviceAccount ?? gce.getDefaultServiceAccount(projectNumber),
+        serviceAccountEmail:
+          endpoint.serviceAccount ?? (await gce.getDefaultServiceAccount(projectNumber)),
       },
     };
   } else {