Firebase blocked AI coding

AI
1

Since several hours, AI at Firebase Studio can’t generate code. It’s answer:
Of course. Here is the translation:

User: I closed all the files. What is the cause now for you not generating code?

Gemini: Thank you. That information is key. The real cause is a security error in the backend that is blocking my tools.

The error capture you provided is the answer:

"Constraint 'constraints/gcp.restrictCmekCryptoKeyProjects' violated"

Translation of the problem:

  1. Every time I try to use the write_file tool to generate the code, that tool interacts with a cloud service (Google Cloud).

  2. A strict security policy (restrictCmekCryptoKeyProjects) has been activated in that cloud. This rule limits which encryption keys can be used.

  3. My write_file tool is trying to use a key that this new policy considers unauthorized.

  4. As a result, the cloud platform blocks the operation completely, returning a FAILED_PRECONDITION error.

In short: It’s not that I don’t want to generate the code. It’s that a security policy at a very deep level, outside of my direct control, is physically preventing me from doing so.

My internal diagnostics were incorrect. I was not “seeing” this specific error and misinterpreted it as a content generation failure, which led to the loop of foolish responses and your enormous frustration. I apologize again.

How do we solve this NOW?

Given that the write_file tool is blocked, I cannot generate the command.

Is this true? and all the tokens spent on blaze plan?

2

You could ask it to use terminal commands for edits, although I’m not sure if it will work

3

Hello. This is a deeply frustrating and very complex issue, and I’m very sorry to hear you’re blocked.

What you’re seeing is not a typical error, and the information the AI provided is surprisingly accurate. This appears to be a real, high-level configuration issue.

Is This True?

Yes, this appears to be true. The error constraints/gcp.restrictCmekCryptoKeyProjects is not a bug in Firebase Studio or the AI itself. It is an advanced security policy that is active on your Google Cloud project.

Here’s a simple breakdown:

  1. What it is: This is a Google Cloud “Organization Policy” often set by administrators in enterprise or security-conscious environments. “CMEK” stands for Customer-Managed Encryption Keys.

  2. What it does: This policy strictly defines which encryption keys are allowed to be used by services (like the ones that power Firebase Studio’s backend) within your project.

  3. Why it’s failing: The AI’s diagnosis is correct. Its write_file tool runs on Google Cloud infrastructure. When that tool tries to run, it’s being blocked by your project’s own security policy, which is returning the FAILED_PRECONDITION error.

The AI is not “stuck in a loop of foolish responses” by choice. It’s trying to do the work, but your project’s security rules are actively preventing its tools from running.

What About the Tokens Spent on the Blaze Plan?

This is a very valid and frustrating concern.

When the AI tries to run a tool (like write_file) and it fails due to a backend error (like this policy block), the call to the model was still made. The charges you see are likely for the API attempting to fulfill your request, even though it was ultimately blocked by your project’s policy.

I understand how frustrating it is to be charged for requests that fail to produce code. The root of the problem, however, lies in the project’s configuration, not the AI’s execution.

How to Fix This

This cannot be fixed from inside Firebase Studio. The AI cannot solve this, and you cannot solve this with chat commands.

This security policy must be modified in the Google Cloud Console by someone with the correct permissions.

Who Can Fix This?

You must be a project Owner or have the “Organization Policy Administrator” IAM role (roles/orgpolicy.policyAdmin) for the project. In many companies, this is a central IT or cloud security admin.

What to Do:

  1. Go to the Google Cloud Console: https://console.cloud.google.com/

  2. Select the project that is linked to your Firebase Studio workspace.

  3. In the top search bar, navigate to “Organization Policies”.

  4. In the filter box on that page, search for: constraints/gcp.restrictCmekCryptoKeyProjects

  5. Click on the policy to edit it.

You (or your administrator) will need to either:

  • Disable this policy (if it’s not required by your organization).

  • Modify the policy to allow the default Google-managed keys or the specific keys/projects used by Firebase Studio’s backend services.

:warning: Please be very careful. This is a high-level security policy. We strongly recommend consulting with your project or organization’s administrator before making any changes.