@apognu apognu commented May 27, 2025

I'll add inline comments to rationalize my changes.

@apognu apognu self-assigned this May 27, 2025
@apognu apognu added documentation Improvements or additions to documentation enhancement New feature or request labels May 27, 2025

This service account **must** have the following roles or permissions:

- Role: `Storage Object User` on the configured buckets to store and retrieve blobs
Contributor Author

I assume that this is enough, but I would like to check before we commit to it.

2. **Configure Authentication**

- Enable Firebase Authentication
- Go to Project overview → project settings → Service Accounts → Generate new private key
Contributor Author

We do not need the Firebase admin private key. It is actually against best practice to do it that way, so this goes.

@apognu apognu force-pushed the feat/gcp-iam-config branch from 2c9d31e to f684a95 Compare May 27, 2025 12:23

2. **API URL Configuration**

- Frontend needs two API URLs configured:
- `MARBLE_API_URL_CLIENT`: URL for browser requests (public URL)
Contributor Author

I am preparing the path for when the whole /config PR will be merged. At that point, technically, the frontend will only require:

  • ENV
  • NODE_ENV
  • MARBLE_API_URL_SERVER
  • SESSION_SECRET
  • + anything that is secret

- Service account:
- Check that the detected Google Cloud project and service account match your environment

- ⚠️ Backend service will fail to start without accessible Firebase service account key
Contributor Author

Same as above, this assumed the Firebase admin SA.

- `FIREBASE_AUTH_DOMAIN`: Auth domain from Firebase settings
- `FIREBASE_APP_ID`: Application ID from Firebase Console
- If you plan on using Single-Sign On (SSO) with Firebase (to delegate authentication to another Identity Provider), you will need to configure the following directives:
- `FIREBASE_AUTH_DOMAIN`: Auth domain from Firebase settings
Contributor Author

Removes app ID, which is not required at all, and moves the auth domain to optional, since it's only used for SSO.

@apognu apognu force-pushed the feat/gcp-iam-config branch from f684a95 to c0a169a Compare June 30, 2025 10:05
@apognu apognu force-pushed the feat/gcp-iam-config branch from c0a169a to 32b0710 Compare June 30, 2025 12:13
@Pascal-Delange
Contributor

@apognu ok time to take this PR out of the dustbin.
I propose that in the upcoming release we only add a disclaimer in the release note that the service account used by the backend MUST now have the permission to create firebase users (typically Firebase Auth Admin), and we'll finish the full update of "how to configure" in the next release with the changes to MARBLE_APP_URL in the frontend, etc.
