# Firebase Wiki Deployment Setup

**Related Issue**: Issue #238 - Enable Firebase deployment from AI SWE agent dev container

## Overview

This document describes how to enable Firebase wiki deployment from the AI SWE agent dev container using cross-project service account permissions, with the deployment restricted to the wiki site only.
## Solution Architecture

### Key Components

- **Service Account**: `ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com`
  - Lives in the `-test` project
  - Already configured in the dev container via `GOOGLE_APPLICATION_CREDENTIALS`
- **Target Project**: `construction-code-expert-dev`
  - Hosts the Firebase project
  - Where wiki deployment happens
- **Wiki Site**: `construction-code-expert-dev-wiki`
  - Specific Firebase Hosting site for the wiki
  - The only target the service account should deploy to

### Security Features

- ✅ **Cross-Project Permissions**: Service account from `-test` can deploy to `-dev`
- ✅ **Hosting-Only Access**: Role limited to Firebase Hosting (not Functions, Firestore, etc.)
- ✅ **Target Enforcement**: Deployment script enforces the `--only hosting:wiki` flag
- ✅ **Application-Level Security**: Firebase CLI respects the target specification

⚠️ **Note**: Firebase roles don't support IAM conditions at the project level (GCP limitation), so the "wiki only" restriction is enforced by the deployment script, not by IAM.
## Setup Instructions

### Step 1: Grant IAM Permissions

Run the setup script to grant permissions:

```bash
./cli/sdlc/setup-firebase-wiki-permissions.sh
```

This script will:

- Grant the `roles/firebase.hostingAdmin` role
- Configure cross-project permissions
- Enable Firebase Hosting deployment only

Manual command (if you prefer):

```bash
gcloud projects add-iam-policy-binding construction-code-expert-dev \
  --member="serviceAccount:ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com" \
  --role="roles/firebase.hostingAdmin"
```

**Note**: IAM conditions are not supported for Firebase roles. Security is enforced by:

- The role being limited to hosting only (not Functions, Firestore, etc.)
- The deployment script specifying `--only hosting:wiki`
- The Firebase CLI enforcing the target specification

### Step 2: Verify Permissions

```bash
./cli/sdlc/verify-firebase-wiki-permissions.sh
```

Expected output:

```text
✅ IAM binding exists: roles/firebase.hostingAdmin
ℹ️  Firebase roles don't support IAM conditions at project level
✅ Credentials file exists
✅ Credentials match expected service account
```

### Step 3: Test Deployment

```bash
cd wiki
firebase deploy --project=construction-code-expert-dev --only hosting:wiki
```

Or use the smart deployment script:

```bash
./cli/sdlc/wiki/deploy-to-firebase-smart.sh
```
## How It Works

### Cross-Project IAM

Service accounts can be granted permissions across projects:

```text
┌──────────────────────────────┐
│ construction-code-expert-    │
│ test                         │
│                              │
│ ┌──────────────────────────┐ │
│ │ Service Account          │ │
│ │ ai-swe-agent@...         │ │
│ └──────────────────────────┘ │
└──────────────┬───────────────┘
               │
               │ IAM Permission
               │ (no IAM condition;
               │  not supported for
               │  Firebase roles)
               │
               ▼
┌──────────────────────────────┐
│ construction-code-expert-    │
│ dev                          │
│                              │
│ ┌──────────────────────────┐ │
│ │ Firebase Hosting         │ │
│ │ (role: hostingAdmin)     │ │
│ │                          │ │
│ │ Can deploy to all sites  │ │
│ │ Target enforced by CLI   │ │
│ └──────────────────────────┘ │
└──────────────────────────────┘
```

### Security Enforcement

Firebase roles don't support IAM conditions at the project level. Instead, security is enforced through:

1. **Role Limitation**
   - `roles/firebase.hostingAdmin` is limited to Firebase Hosting only
   - Cannot modify Firebase Functions, Firestore rules, or other resources
2. **Target Specification**
   - Deployment script always uses `--only hosting:wiki`
   - Firebase CLI enforces this target specification
3. **Application-Level Control**
   - Firebase CLI requires an explicit target in the deployment command
   - No way to accidentally deploy to the wrong target without changing the script
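The verification in Step 2 and the three enforcement layers above can be checked before every deployment. The following is an added example, not the project's `verify-firebase-wiki-permissions.sh` or `deploy-to-firebase-smart.sh`. It assumes the IAM policy has the JSON shape printed by `gcloud projects get-iam-policy <project> --format=json` and that the credentials file is a standard service-account key JSON with `type` and `client_email` fields; the sample policy, credentials and `placeholder-admin@example.com` member are constructed.

```python
"""Preflight checks for the wiki deployment (added example, not the project's script).

Assumptions not taken from the page: the IAM policy has the JSON shape printed by
`gcloud projects get-iam-policy <project> --format=json`, and the credentials file
is a standard service-account key JSON with `type` and `client_email` fields.
"""
import json

SERVICE_ACCOUNT = "ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com"
TARGET_PROJECT = "construction-code-expert-dev"
ALLOWED_ROLES = {"roles/firebase.hostingAdmin"}
REQUIRED_ONLY = "hosting:wiki"


def audit_iam_policy(policy):
    """Summarise what the service account holds in a project IAM policy.

    Flags any role beyond the hosting-only grant (role creep) and reports
    conditioned bindings, which the page notes Firebase roles do not support.
    """
    member = "serviceAccount:" + SERVICE_ACCOUNT
    roles, conditioned = set(), []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            roles.add(binding["role"])
            if "condition" in binding:
                conditioned.append(binding["role"])
    return {
        "has_hosting_admin": "roles/firebase.hostingAdmin" in roles,
        "excess_roles": sorted(roles - ALLOWED_ROLES),
        "conditioned_roles": conditioned,
    }


def credentials_match(creds):
    """True when the key file belongs to the expected -test service account."""
    return creds.get("type") == "service_account" and creds.get("client_email") == SERVICE_ACCOUNT


def validate_deploy_args(args):
    """Return the problems with a `firebase` argument vector; [] means it is the sanctioned command."""
    problems = []
    if not args or args[0] != "deploy":
        problems.append("command must be 'firebase deploy'")
    project = only = None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--project="):
            project = arg.split("=", 1)[1]
        elif arg == "--project" and i + 1 < len(args):
            project, i = args[i + 1], i + 1
        elif arg.startswith("--only="):
            only = arg.split("=", 1)[1]
        elif arg == "--only" and i + 1 < len(args):
            only, i = args[i + 1], i + 1
        i += 1
    if project != TARGET_PROJECT:
        problems.append(f"--project must be {TARGET_PROJECT}, got {project!r}")
    if only != REQUIRED_ONLY:
        problems.append(f"--only must be exactly {REQUIRED_ONLY}, got {only!r}")
    return problems


# Constructed sample inputs (not real gcloud output or a real key file).
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/firebase.hostingAdmin",
     "members": ["serviceAccount:ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:placeholder-admin@example.com"]}
  ]
}""")
OVERPRIVILEGED_POLICY = {
    "bindings": SAMPLE_POLICY["bindings"]
    + [{"role": "roles/editor", "members": ["serviceAccount:" + SERVICE_ACCOUNT]}]
}
SAMPLE_CREDS = {"type": "service_account", "client_email": SERVICE_ACCOUNT}


def preflight(policy, creds, args):
    """Combine the three checks; returns (ok, list of findings)."""
    findings = []
    audit = audit_iam_policy(policy)
    if not audit["has_hosting_admin"]:
        findings.append("missing roles/firebase.hostingAdmin binding")
    for role in audit["excess_roles"]:
        findings.append(f"service account holds unexpected role {role}")
    if not credentials_match(creds):
        findings.append("GOOGLE_APPLICATION_CREDENTIALS is not the expected service account")
    findings.extend(validate_deploy_args(args))
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = preflight(
        SAMPLE_POLICY, SAMPLE_CREDS,
        ["deploy", f"--project={TARGET_PROJECT}", "--only", REQUIRED_ONLY],
    )
    print("OK" if ok else "\n".join(findings))
```

In practice you would feed `audit_iam_policy` the parsed output of the `gcloud projects get-iam-policy` command from the Verification section and `credentials_match` the parsed `$GOOGLE_APPLICATION_CREDENTIALS` file; `validate_deploy_args` is the check a deployment wrapper runs on its own argument vector before invoking `firebase`, which is the only place the `hosting:wiki` restriction actually lives.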
### Deployment Flow

```bash
# 1. Dev container has credentials mounted
GOOGLE_APPLICATION_CREDENTIALS=/workspaces/construction-code-expert/.secrets/agent-credentials/construction-code-expert-test.ai-swe-agent.json

# 2. Deployment script detects credentials
./cli/sdlc/wiki/deploy-to-firebase-smart.sh

# 3. Firebase CLI uses the service account
firebase deploy --project=construction-code-expert-dev --only hosting:wiki

# 4. IAM checks:
#    ✓ Service account has the firebase.hostingAdmin role
#    ✓ Deployment proceeds

# 5. Target is enforced by the script:
#    ✓ Script always specifies --only hosting:wiki
#    ✓ Cannot deploy to other targets without modifying the script
```

## Verification

### Check IAM Binding

```bash
gcloud projects get-iam-policy construction-code-expert-dev \
  --flatten="bindings[].members" \
  --filter="bindings.members:serviceAccount:ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com" \
  --format="table(bindings.role)"
```

Expected output:

```text
ROLE
roles/firebase.hostingAdmin
```

### Test Deployment

```bash
# Should succeed - wiki site deployment using our script
cd wiki && ./cli/sdlc/wiki/deploy-to-firebase-smart.sh

# Manual deployment also works
cd wiki && firebase deploy --project=construction-code-expert-dev --only hosting:wiki

# Note: the service account CAN technically deploy to other targets if commanded.
# Security relies on our deployment scripts only targeting wiki.
```
## Troubleshooting

### Deployment Fails with "Permission Denied"

**Problem**: `Error: HTTP Error: 403, Permission denied`

**Solutions**:

- Check that the IAM binding exists:

  ```bash
  ./cli/sdlc/verify-firebase-wiki-permissions.sh
  ```

- Verify credentials are loaded:

  ```bash
  echo "$GOOGLE_APPLICATION_CREDENTIALS"
  jq .client_email "$GOOGLE_APPLICATION_CREDENTIALS"
  ```

- Check you're deploying with the correct project:

  ```bash
  # Verify project ID
  cat wiki/.firebaserc

  # Deploy explicitly
  firebase deploy --project=construction-code-expert-dev --only hosting:wiki
  ```

### Wrong Service Account

**Problem**: Deployment uses the wrong service account

**Solution**: Ensure `GOOGLE_APPLICATION_CREDENTIALS` is set in the dev container:

```bash
# Check environment variable
echo "$GOOGLE_APPLICATION_CREDENTIALS"

# Verify service account email
jq .client_email "$GOOGLE_APPLICATION_CREDENTIALS"
```

Should show:

```text
ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com
```

### Role Not Sufficient

**Problem**: Permission denied even with the role granted

**Solution**: Verify the role is actually granted:

```bash
# Check IAM policy
gcloud projects get-iam-policy construction-code-expert-dev \
  --flatten="bindings[].members" \
  --filter="bindings.members:serviceAccount:ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com"

# If missing, grant it
./cli/sdlc/setup-firebase-wiki-permissions.sh
```
## Security Considerations

### Why Cross-Project Permissions Are Safe

- **Explicit Grant**: Permissions must be explicitly granted (not automatic)
- **Auditable**: All cross-project access is logged in Cloud Audit Logs
- **Revocable**: Can be removed instantly if compromised
- **Role-Limited**: Only Firebase Hosting permissions, not full project access

### Why Role Limitation Matters

The `firebase.hostingAdmin` role is limited to hosting operations only.

What it CAN do:

- ✅ Deploy to Firebase Hosting sites
- ✅ Delete hosting releases
- ✅ View hosting configuration

What it CANNOT do:

- ❌ Update Firebase Functions
- ❌ Modify Firestore security rules
- ❌ Change Firebase Authentication settings
- ❌ Access other Firebase resources

**Application-Level Protection**:

- Our deployment scripts always specify `--only hosting:wiki`
- Firebase CLI requires explicit target specification
- Accidental deployment to other sites requires script modification (visible in version control)

### Monitoring

View deployment activity:

```bash
# View audit logs for Firebase deployments
gcloud logging read \
  "resource.type=firebase.hosting.site
   AND protoPayload.authenticationInfo.principalEmail=ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com" \
  --project=construction-code-expert-dev \
  --limit=10 \
  --format=json
```
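Because the role itself allows deploying to every Hosting site in `-dev`, the audit log is where a deployment outside the wiki site would show up. The following added example (not part of the page's tooling) triages the JSON that the `gcloud logging read` command above returns. The entries are constructed; it assumes the Cloud Audit Log shape with `protoPayload.authenticationInfo.principalEmail` and `protoPayload.resourceName`, relies only on the `/sites/<site>` segment of the resource name, and the `methodName` values and the `construction-code-expert-dev-app` site are placeholders.

```python
"""Triage Firebase Hosting audit-log entries for out-of-scope activity by the agent.

Added example; the entries are constructed. Assumption: entries follow the Cloud
Audit Log shape (protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName).
The methodName values and the -app site name are placeholders.
"""
import re

AGENT = "ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com"
WIKI_SITE = "construction-code-expert-dev-wiki"
SITE_RE = re.compile(r"/sites/([^/]+)")


def _entry(ts, principal, resource_name, method="placeholder.hosting.CreateRelease"):
    """Build a minimal constructed audit-log entry."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "methodName": method,
            "resourceName": resource_name,
        },
    }


# Constructed sample log: one sanctioned wiki deploy, one deploy by the agent to a
# placeholder non-wiki site, one by a different principal, one non-hosting resource.
SAMPLE_ENTRIES = [
    _entry("2024-01-01T10:00:00Z", AGENT,
           "projects/construction-code-expert-dev/sites/construction-code-expert-dev-wiki/releases/r1"),
    _entry("2024-01-01T10:05:00Z", AGENT,
           "projects/construction-code-expert-dev/sites/construction-code-expert-dev-app/releases/r2"),
    _entry("2024-01-01T10:07:00Z", "user:placeholder-dev@example.com",
           "projects/construction-code-expert-dev/sites/construction-code-expert-dev-app/releases/r3"),
    _entry("2024-01-01T10:09:00Z", AGENT,
           "projects/construction-code-expert-dev/databases/(default)",
           method="placeholder.firestore.UpdateDatabase"),
]


def triage(entries, principal=AGENT, allowed_site=WIKI_SITE):
    """Return the principal's actions that fall outside the wiki site.

    out_of_scope: Hosting actions on a site other than allowed_site (the role permits
    this, so only the script discipline prevents it; each hit deserves a look).
    non_hosting: actions on something that is not a Hosting site at all, which would
    indicate the role grant is no longer hosting-only.
    """
    out_of_scope, non_hosting = [], []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        resource = payload.get("resourceName", "")
        match = SITE_RE.search(resource)
        if match is None:
            non_hosting.append((entry["timestamp"], resource))
        elif match.group(1) != allowed_site:
            out_of_scope.append((entry["timestamp"], match.group(1)))
    return {"out_of_scope": out_of_scope, "non_hosting": non_hosting}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_ENTRIES).items():
        for ts, what in hits:
            print(f"{kind}: {ts} {what}")
```

Run it over the parsed `--format=json` output of the monitoring command; an empty result for both lists is the expected steady state, and anything in `non_hosting` means the `roles/firebase.hostingAdmin`-only grant should be re-verified with the commands in the Verification section.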
### Rollback

To remove permissions:

```bash
gcloud projects remove-iam-policy-binding construction-code-expert-dev \
  --member="serviceAccount:ai-swe-agent@construction-code-expert-test.iam.gserviceaccount.com" \
  --role="roles/firebase.hostingAdmin"
```

## Related Documentation

- **AI Agent Setup**: Service account provisioning
- **Wiki Implementation**: Wiki system overview
- **Wiki Workflow**: Wiki deployment workflow