How to use the GOOGLE_APPLICATION_CREDENTIALS in an Azure Pipeline to publish on firebase?

Question

I've a git repository on our Azure Devop. I publish the application on firebase everytime it is published on master.

Here is my current YML:

trigger:
- master

pool:   vmImage: ubuntu-latest

steps:
- task: NodeTool@0   inputs:
    versionSpec: '14.x'   displayName: 'Install Node.js'
- task: CmdLine@2   inputs:
    script: 'npm install -g firebase-tools'
    workingDirectory: '$(Agent.ToolsDirectory)'   displayName: 'install firebase tools'

- script: |
    npm install
    npm run build   displayName: 'npm install and build'

- script: |
    cd functions
    npm install   displayName: 'install functions dependencies'
- task: CmdLine@2   inputs:
    script: 'firebase deploy --token "$(FIREBASE_TOKEN)" -m "$(Build.BuildNumber)"'   displayName: 'firebase publish -m "$(Build.BuildNumber)"'

I recently noticed the following warning in my jobs:

! Authenticating with a login:ci token is deprecated and will be removed in a future major version of firebase-tools. Instead, use a service account key with GOOGLE_APPLICATION_CREDENTIALS: https://cloud.google.com/docs/authentication/getting-started

The article is not quite clear, it talks more about how to access stuff within code, not directly with firebase deploy. After some search I was able to find multiple example with a JSON file.

But in my case, with a git repository and a pipeline, I'm not sure how to proceed:

1. I don't want to store in the git repository a file with the credentials, it has to be some kind of secret stored in azure devop.
2. Azure Devop doesn't allow me to store file, only string

So, if I've generated this json, how can I use it? Or is there another method?

Answer 1

Here is what you need to do.

You go to your Firebase console, open the project you want, and then do the following steps

1. Click on the engine icon on the sidebar
2. Click "Project settings" link.
3. Click the "Service accounts" tab.
4. Click the "Generate new private key" button to download a JSON file containing the service account credentials.

p.s.: Here is a image showing where each step is located. Sorry for the image in Portuguese , I'm from Brazil.

Then you will create a variable named GOOGLE_APPLICATION_CREDENTIALS in your Azure DevOps pipeline with the content of the json file you just downloaded. Just like the images bellow.

And the last step is to include the deploy step in your pipeline. It will look like these:

- script: |
    echo $GOOGLE_APPLICATION_CREDENTIALS > $HOME/gcloud.json
    export GOOGLE_APPLICATION_CREDENTIALS=$HOME/gcloud.json
    firebase deploy --only hosting
  displayName: 'Deploy to Firebase Hosting'

Assuming that your project is correctly set up with the .firebaserc and firebase.json files, everything should work just fine.

p.s.: Remember to mark the Keep this value secret checkbox in your Azure DevOps variable after everything is set up, to leaving public your admin privates keys from the json file.

Answer 2

in addition to previous comment, you may also put .json file generated at google cloud console to Secure Files at Azure Devops library, then just use step to download secure file

Step: download secure file

Then just use cmd script:

export GOOGLE_APPLICATION_CREDENTIALS=$(Agent.TempDirectory)/<your_sec_file_name>.json