Project relative service account specifications doesn't work (Cloud Functions v1)

[segevfiner]

[REQUIRED] Environment info

firebase-tools: 13.27.0

Platform: macOS

[REQUIRED] Test case

import * as functions from 'firebase-functions/v1';

export const hello = functions
  .runWith({ serviceAccount: 'cloud-functions@' })
  .https.onCall(async (data, context) => {
    return "OK";
  }

[REQUIRED] Steps to reproduce

1. Try to deploy this v1 cloud function, when a service account named cloud-functions exists in the project. This fails, despite the code hinting that you can use a project relative service account name that ends with @ in error messages and types.

[REQUIRED] Expected behavior

For this usage to work, so I won't have to figure out the service account domain, which can vary when a project is deployed multiple times.

[REQUIRED] Actual behavior

  '[debug] [2025-02-18T16:25:11.405Z] Functions deploy failed.',
  '[debug] [2025-02-18T16:25:11.405Z] {',
  '  "endpoint": {',
  '    "id": "hello",',
  '    "project": "redacted",',
  '    "region": "us-central1",',
  '    "entryPoint": "hello",',
  '    "platform": "gcfv1",',
  '    "runtime": "nodejs18",',
  '    "callableTrigger": {},',
  '    "labels": {',
  '      "deployment-tool": "cli-firebase"',
  '    },',
  '    "ingressSettings": null,',
  '    "availableMemoryMb": 512,',
  '    "serviceAccount": "cloud-functions@",',
  '    "timeoutSeconds": null,',
  '    "maxInstances": null,',
  '    "minInstances": null,',
  '    "vpc": null,',
  '    "environmentVariables": {',
  '      "SENTRY_DSN": "",',
  '      "FIREBASE_CONFIG": "{\\"projectId\\":\\"redacted\\",\\"storageBucket\\":\\"redacted\\",\\"locationId\\":\\"us-east1\\"}",',
  '      "GCLOUD_PROJECT": "swimm-stag",',
  '      "EVENTARC_CLOUD_EVENT_SOURCE": "projects/redacted/locations/us-central1/functions/hello"',
  '    },',
  '    "codebase": "hello",',
  '    "securityLevel": "SECURE_ALWAYS",',
  '    "targetedByOnly": true,',
  '    "hash": "5d656c61a923adb50667499975cc003388f6f5fa"',
  '  },',
  '  "op": "update",',
  '  "original": {',
  '    "name": "FirebaseError",',
  '    "children": [],',
  '    "context": {',
  '      "function": "projects/redacted/locations/us-central1/functions/hello"',
  '    },',
  '    "exit": 1,',
  '    "message": "Failed to update function projects/redacted/locations/us-central1/functions/hello",',
  '    "original": {',
  '      "name": "FirebaseError",',
  '      "children": [],',
  '      "context": {',
  '        "body": {',
  '          "error": {',
  '            "code": 400,',
  '            "message": "Invalid function service account requested: cloud-functions@. Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation.",',
  '            "status": "INVALID_ARGUMENT"',
  '          }',
  '        },',
  '        "response": {',
  '          "statusCode": 400',
  '        }',
  '      },',
  '      "exit": 1,',
  '      "message": "Request to https://cloudfunctions.googleapis.com/v1/projects/redacted/locations/us-central1/functions/getRepoCrossSnippets?updateMask=name%2CsourceUploadUrl%2CentryPoint%2Cruntime%2CdockerRegistry%2Clabels%2ChttpsTrigger.securityLevel%2CminInstances%2CmaxInstances%2CingressSettings%2CenvironmentVariables%2CserviceAccountEmail%2CavailableMemoryMb%2Ctimeout%2CvpcConnector%2CvpcConnectorEgressSettings%2CsourceToken%2CbuildEnvironmentVariables had HTTP Error: 400, Invalid function service account requested: cloud-functions@. Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation.",',
  '      "status": 400',
  '    },',
  '    "status": 400,',
  '    "code": 400',
  '  }',
  '}',
  '[debug] [2025-02-18T16:25:11.579Z] Error: Failed to update function hello in region us-central1',
  '    at .../node_modules/.pnpm/[email protected][email protected][email protected][email protected]/node_modules/firebase-tools/lib/deploy/functions/release/fabricator.js:52:11',
  '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)',
  '    at async Fabricator.updateV1Function (.../node_modules/.pnpm/[email protected][email protected][email protected][email protected]/node_modules/firebase-tools/lib/deploy/functions/release/fabricator.js:352:32)',
  '    at async Fabricator.updateEndpoint (.../node_modules/.pnpm/[email protected][email protected][email protected][email protected]/node_modules/firebase-tools/lib/deploy/functions/release/fabricator.js:152:13)',
  '    at async handle (.../node_modules/.pnpm/[email protected][email protected][email protected][email protected]/node_modules/firebase-tools/lib/deploy/functions/release/fabricator.js:89:17)',
  '[error] ',
  '[error] Error: There was an error deploying functions'
]

[aalej]

Thanks for the detailed report @segevfiner! I’m able to reproduce the behavior you mentioned. Looking at https://github.com/firebase/firebase-functions/blob/cce55b562f325474a2ea13d7db06392309667990/src/v1/function-builder.ts#L102, it does seem like a {serviceAccountName}@ format is supported.

I’ll mark this issue as reproducible and check this with our engineering team.

edit: attaching mcve - https://github.com/aalej/issues-8227