
Creation of Github Actions workflow does not work when service account key creation is prevented #4522

Open
IchordeDionysos opened this issue May 5, 2022 · 7 comments

Comments

@IchordeDionysos
Contributor

IchordeDionysos commented May 5, 2022

[REQUIRED] Environment info

firebase-tools: 10.6.0

Platform: macOS

[REQUIRED] Steps to reproduce

  1. Create a new Google Cloud project / organization
  2. Enforce the organizational policy constraints/iam.disableServiceAccountKeyCreation.
  3. Run firebase init hosting
  4. Try to set up GitHub Actions deployments.

[REQUIRED] Expected behavior

There are several levels of support that could be implemented:

  1. Soft-fail: Do not block the whole init just because this org-policy is enabled (this is the minimum that should be done)
  2. Skip adding the secret: Do not add the secret to Github, but add all other files for Github Actions (put a warning).
  3. Adjust template for Identity Federation: Detect that Workload Identity Federation is required here, so adjust the template for this, so that it's super easy to set up the rest for authentication (but do not yet set up Workload Identity pools, etc.; that would be up to the user)
  4. Set up Workload Identity Federation: Set up everything for workload identity federation when key creation is not possible!
  5. Always use Workload Identity Federation: Never try to use a service account key, but always use Workload Identity Federation (as it's discouraged to use Service Account keys)

At least having 3. would be nice and should be fairly easy to build!

Background reading on Github Actions and Workload Identity federation:
https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions

[REQUIRED] Actual behavior

The firebase init command fails with the following error message as it's not possible to create a Service Account key:

...
? For which GitHub repository would you like to set up a GitHub workflow? (format: user/repository) octocat/repo

Error: HTTP Error: 400, Key creation is not allowed on this service account.
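
A keyless deploy workflow of the kind item 3 in the list above describes, added here as an example (it is not code from this issue, from firebase-tools or from action-hosting-deploy). It assumes a Workload Identity pool and provider already exist, that the uppercase placeholders are replaced with your own values, and that the Firebase CLI accepts the credential-configuration file google-github-actions/auth exports through GOOGLE_APPLICATION_CREDENTIALS.

```yaml
# Added example (not from the issue or firebase-tools): deploy to Firebase
# Hosting from GitHub Actions using Workload Identity Federation, so no
# service-account JSON key is created or stored and the job works under
# constraints/iam.disableServiceAccountKeyCreation.
name: Deploy to Firebase Hosting (keyless)

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token for the exchange

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived Google credentials.
      # PROJECT_NUMBER, POOL_ID, PROVIDER_ID and SERVICE_ACCOUNT_EMAIL are
      # placeholders for the pool/provider and deploy service account you own.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
          service_account: SERVICE_ACCOUNT_EMAIL

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci && npm run build

      # The auth step sets GOOGLE_APPLICATION_CREDENTIALS to a credential
      # configuration file that contains no private key; the Firebase CLI is
      # assumed to pick it up as Application Default Credentials.
      - run: npm install -g firebase-tools
      - run: firebase deploy --only hosting --project PROJECT_ID --non-interactive
```

Restrict the provider's attribute condition to this repository (for example on the assertion's repository claim) so that only tokens issued for this repo can impersonate the deploy service account.
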

@google-oss-bot
Contributor

This issue does not seem to follow the issue template. Make sure you provide all the required information.

@hugo2410

I have the same issue. I had set up the GitHub Actions workflow in the past and removed it in an "unclean" manner. I have since tried to reset it but I always get
Error: HTTP Error: 400, Precondition check failed.
I have removed the old secrets and service account but it still fails.
Any way to set it up cleanly?

@serpro69

serpro69 commented Jun 3, 2024

Hi,
It's been 2 years since this was opened. Wondering if there's any progress on this.
What is the current workaround to make this work if we have constraints/iam.disableServiceAccountKeyCreation enabled?

@samaraiza

Setting up a firebase project for my first time. I'm getting the following:

? For which GitHub repository would you like to set up a GitHub workflow? (format: user/repository) <github-user>/<repo-name>

Error: HTTP Error: 400, Key creation is not allowed on this service account.

Looks like something is preventing a key creation of some type? Is this due to my own repo config? How do I resolve this?

@samaraiza

I wasted hours looking into org policies, then not having permissions to modify policies, and figuring out how to assign myself permissions to edit policies to disable key protection because this init setup seems to be trying to create one, and I'm trying to find the path of least resistance here... I thought Firebase was supposed to make all of this easier. What a pain in the ass. Going back to Heroku.

@serpro69

@samaraiza, you need to allow creating JSON keys for service accounts (this is not allowed by default, hence needs to be overridden). The org policy constraint is constraints/iam.disableServiceAccountKeyCreation; override that in the org (not recommended usually), or in the project itself, and you'll be fine.
But to be honest, the GitHub workflow option doesn't do much; you might as well just look at the example code in FirebaseExtended/action-hosting-deploy.

@IchordeDionysos
Contributor Author

IchordeDionysos commented Aug 5, 2024

You can also manually set up the GitHub action with the steps documented here:
FirebaseExtended/action-hosting-deploy#349

Unfortunately that PR is not yet merged ...
