Add user-friendly error message for missing delegation iam permission when specifying a custom service account (#6804)

* add error

* update error

Author: tonyjhuang

src/init/features/apphosting/index.ts

@@ -192,10 +192,17 @@ export async function createBackend(
   try {
     return await createBackendAndPoll();
   } catch (err: any) {
-    if (err.status === 403 && err.message.includes(defaultServiceAccount)) {
-      // Create the default service account if it doesn't exist and try again.
-      await provisionDefaultComputeServiceAccount(projectId);
-      return await createBackendAndPoll();
+    if (err.status === 403) {
+      if (err.message.includes(defaultServiceAccount)) {
+        // Create the default service account if it doesn't exist and try again.
+        await provisionDefaultComputeServiceAccount(projectId);
+        return await createBackendAndPoll();
+      } else if (serviceAccount && err.message.includes(serviceAccount)) {
+        throw new FirebaseError(
+          `Failed to create backend due to missing delegation permissions for ${serviceAccount}. Make sure you have the iam.serviceAccounts.actAs permission.`,
+          { children: [err] },
+        );
+      }
     }
     throw err;
   }

src/test/init/apphosting/index.spec.ts

@@ -138,7 +138,10 @@ describe("operationsConverter", () => {
           cloudBuildConnRepo,
           /* serviceAccount= */ "my-service-account",
         ),
-      ).to.be.rejectedWith(FirebaseError, "missing actAs permission on my-service-account");
+      ).to.be.rejectedWith(
+        FirebaseError,
+        "Failed to create backend due to missing delegation permissions for my-service-account. Make sure you have the iam.serviceAccounts.actAs permission.",
+      );
 
       expect(createBackendStub).to.be.calledOnce;
       expect(createServiceAccountStub).to.not.have.been.called;