firebase · falahat · Mar 25, 2026 · Nov 22, 2025 · Dec 2, 2025 · Dec 2, 2025
diff --git a/src/deploy/apphosting/prepare.spec.ts b/src/deploy/apphosting/prepare.spec.ts
@@ -8,9 +8,12 @@ import * as devconnect from "../../gcp/devConnect";
 import * as prompt from "../../prompt";
 import { RC } from "../../rc";
 import { Context } from "./args";
+import { FirebaseError } from "../../error";
 import prepare, { getBackendConfigs } from "./prepare";
 import * as localbuilds from "../../apphosting/localbuilds";
 import * as experiments from "../../experiments";
+import * as getProjectNumber from "../../getProjectNumber";
+import * as resourceManager from "../../gcp/resourceManager";
 
 const BASE_OPTS = {
   cwd: "/",
@@ -51,6 +54,8 @@ describe("apphosting", () => {
   let doSetupSourceDeployStub: sinon.SinonStub;
   let listBackendsStub: sinon.SinonStub;
   let getGitRepositoryLinkStub: sinon.SinonStub;
+  let assertEnabledStub: sinon.SinonStub;
+  let addServiceAccountToRolesStub: sinon.SinonStub;
 
   beforeEach(() => {
     sinon.stub(opts.config, "writeProjectFile").returns();
@@ -67,6 +72,12 @@ describe("apphosting", () => {
     getGitRepositoryLinkStub = sinon
       .stub(devconnect, "getGitRepositoryLink")
       .throws("Unexpected getGitRepositoryLink call");
+    assertEnabledStub = sinon.stub(experiments, "assertEnabled").returns();
+    sinon.stub(experiments, "isEnabled").returns(true);
+    sinon.stub(getProjectNumber, "getProjectNumber").resolves("123456789");
+    addServiceAccountToRolesStub = sinon
+      .stub(resourceManager, "addServiceAccountToRoles")
+      .resolves();
   });
 
   afterEach(() => {
@@ -102,7 +113,6 @@ describe("apphosting", () => {
         buildConfig,
         annotations,
       });
-      sinon.stub(experiments, "assertEnabled").returns();
       listBackendsStub.onFirstCall().resolves({
         backends: [
           {
@@ -125,6 +135,12 @@ describe("apphosting", () => {
         buildConfig,
         annotations,
       });
+      expect(addServiceAccountToRolesStub).to.have.been.calledWith(
+        "my-project",
+        apphosting.serviceAgentEmail("123456789"),
+        ["roles/storage.objectViewer"],
+        true,
+      );
     });
 
     it("should fail if localBuild is specified but experiment is disabled", async () => {
@@ -141,9 +157,7 @@ describe("apphosting", () => {
       };
       const context = initializeContext();
 
-      sinon
-        .stub(experiments, "assertEnabled")
-        .throws(new Error("Experiment 'apphostinglocalbuilds' is not enabled."));
+      assertEnabledStub.throws(new Error("Experiment 'apphostinglocalbuilds' is not enabled."));
       listBackendsStub.onFirstCall().resolves({
         backends: [
           {
@@ -266,6 +280,59 @@ describe("apphosting", () => {
       });
       expect(context.backendLocalBuilds["foo"]).to.undefined;
     });
+
+    it("throws an error for localBuild when experiment is not enabled", async () => {
+      const optsWithLocalBuild = {
+        ...opts,
+        config: new Config({
+          apphosting: {
+            backendId: "foo",
+            rootDir: "/",
+            ignore: [],
+            localBuild: true,
+          },
+        }),
+      };
+
+      (experiments.isEnabled as sinon.SinonStub).withArgs("apphostinglocalbuilds").returns(false);
+      assertEnabledStub.throws(
+        new FirebaseError(
+          "Cannot perform a local build because the experiment apphostinglocalbuilds is not enabled.",
+        ),
+      );
+
+      const context = initializeContext();
+      listBackendsStub.resolves({
+        backends: [
+          {
+            name: "projects/my-project/locations/us-central1/backends/foo",
+          },
+        ],
+      });
+
+      await expect(prepare(context, optsWithLocalBuild)).to.be.rejectedWith(
+        FirebaseError,
+        "Cannot perform a local build",
+      );
+      expect(addServiceAccountToRolesStub).to.not.have.been.called;
+    });
+
+    it("should succeed for source deploys even if experiment is disabled", async () => {
+      const context = initializeContext();
+      listBackendsStub.resolves({
+        backends: [
+          {
+            name: "projects/my-project/locations/us-central1/backends/foo",
+          },
+        ],
+      });
+
+      // No localBuild: true in config
+      (experiments.isEnabled as sinon.SinonStub).withArgs("apphostinglocalbuilds").returns(false);
+      await prepare(context, opts);
+
+      expect(assertEnabledStub).to.not.have.been.calledWith("apphostinglocalbuilds");
+    });
   });
 
   describe("getBackendConfigs", () => {

diff --git a/src/deploy/apphosting/prepare.ts b/src/deploy/apphosting/prepare.ts
@@ -5,16 +5,25 @@ import {
   ensureRequiredApisEnabled,
 } from "../../apphosting/backend";
 import { AppHostingMultiple, AppHostingSingle } from "../../firebaseConfig";
-import { ensureApiEnabled, listBackends, parseBackendName } from "../../gcp/apphosting";
+import {
+  ensureApiEnabled,
+  listBackends,
+  parseBackendName,
+  serviceAgentEmail,
+} from "../../gcp/apphosting";
 import { getGitRepositoryLink, parseGitRepositoryLinkName } from "../../gcp/devConnect";
+import { addServiceAccountToRoles } from "../../gcp/resourceManager";
+
 import { Options } from "../../options";
 import { needProjectId } from "../../projectUtils";
+import { getProjectNumber } from "../../getProjectNumber";
 import { checkbox, confirm } from "../../prompt";
 import { logLabeledBullet, logLabeledWarning } from "../../utils";
 import { localBuild } from "../../apphosting/localbuilds";
-import * as experiments from "../../experiments";
 import { Context } from "./args";
 import { FirebaseError } from "../../error";
+import * as experiments from "../../experiments";
+import { logger } from "../../logger";
 
 /**
  * Prepare backend targets to deploy from source. Checks that all required APIs are enabled,
@@ -32,6 +41,11 @@ export default async function (context: Context, options: Options): Promise<void
   context.backendLocalBuilds = {};
 
   const configs = getBackendConfigs(options);
+  if (configs.some((cfg) => cfg.localBuild) && experiments.isEnabled("apphostinglocalbuilds")) {
+    const projectNumber = await getProjectNumber(options);
+    await ensureAppHostingServiceAgentRoles(projectId, projectNumber);
+  }
+
   const { backends } = await listBackends(projectId, "-");
 
   const foundBackends: AppHostingSingle[] = [];
@@ -212,3 +226,28 @@ export function getBackendConfigs(options: Options): AppHostingMultiple {
   }
   return backendConfigs.filter((cfg) => backendIds.includes(cfg.backendId));
 }
+
+/**
+ * Ensures that the App Hosting service agent has the necessary roles to access
+ * project resources (e.g. storage) for a given project.
+ */
+async function ensureAppHostingServiceAgentRoles(
+  projectId: string,
+  projectNumber: string,
+): Promise<void> {
+  const p4saEmail = serviceAgentEmail(projectNumber);
+  try {
+    await addServiceAccountToRoles(
+      projectId,
+      p4saEmail,
+      ["roles/storage.objectViewer"],
+      /* skipAccountLookup= */ true,
+    );
+  } catch (err: unknown) {
+    logger.debug(`Failed to grant storage.objectViewer to ${p4saEmail}: ${String(err)}`);
+    logLabeledWarning(
+      "apphosting",
+      `Unable to verify App Hosting service agent permissions for ${p4saEmail}. If you encounter a PERMISSION_DENIED error during rollout, please ensure the service agent has the "Storage Object Viewer" role.`,
+    );
+  }
+}