canEnableServices method

Future<bool> canEnableServices({ String api = 'serviceusage.googleapis.com', String? account, })

Probe whether a gcloud principal has the serviceusage.services.enable permission on projectId by trying to enable a single API. Defaults to serviceusage.googleapis.com because that API is auto-enabled on every project at creation, so the call is effectively a no-op when the principal does have the permission.

When account is provided, the call passes --account=<email> so the probe tests that specific credentialed principal regardless of which one is currently active. This is how the IAM gate verifies that the service account actually received the freshly-granted role bindings, instead of accidentally testing whichever user account was selected to run add-iam-policy-binding.

Returns:

• true → enable succeeded (principal can enable services)
• false → PERMISSION_DENIED or any other error

Used as the verify-step of the IAM gate: we run this once before prompting (to skip the gate when roles are already granted) and once after the user confirms the grant (to make sure the binding actually took effect before continuing the wizard).

Implementation

Future<bool> canEnableServices({
  String api = 'serviceusage.googleapis.com',
  String? account,
}) async {
  final String? projectId = config.firebaseProjectId;
  if (projectId == null) return false;
  final List<String> args = <String>[
    'services',
    'enable',
    api,
    '--project',
    projectId,
    if (account != null && account.trim().isNotEmpty)
      '--account=${account.trim()}',
  ];
  final ProcessResult r = await _runner.run(
    'gcloud',
    args,
    environment: _authEnvironment,
  );
  return r.success;
}