[v13.0.0 Blocker] GetStorageDefaultBucket through Storage API

[joehan]

We currently get the Default Storage Bucket by calling a FireData API that will be deprecated soon. We need to switch to using the Storage API for this. This will require some new permissions (included in Storage Bucket Viewer role) - we should also document these and ensure that when they are missing we error cleanly.

[tcf909]

The change was rolled out before the ACL was actually made public (breaking deployments):

[joehan]

@tcf909 Just double checked the source and it seems like the permission has been in prod but is not publicly visible yet. I reached out to the responsible team to get this fixed - however, in the meantime, firebasestorage.admin and firebasestorage.viewer definitely both include "firebasestorage.defaultBucket.get" and shoudl unblock any deployment issues

[tcf909]

@joehan thank you got the response. I will have the team add those temporarily. We had to roll back to 12.x.x latest to keep the pipeline operating today.

Any thoughts on how that permission might be "available" but not visible in our cloud console?

[joehan]

@tcf909 When we add new permissions, we usually make them hidden except to an allowlist list at first, which hides them from public surfaces and lets us test them out before we launch. However, these hidden permissions are still 'there' - they can still be included in publicly available roles.

In this case, the permissions were added to all the right roles, but we forgot to remove the visibility flag. We removed that flag yesterday afternoon - unfortunately, for production safety reasons, IAM rollouts take a few days. We're tracking this issue here #6593 and will update/close that once they are fully publicly available.

[tcf909]

@joehan thank you for the update.