[REQUIRED] Environment details

• OS: macOS
• Node.js version: v20.15.1
• firebase-tools version: 13.11.3

[REQUIRED] Test case

When attempting to deploy Cloud Functions to a staging project in a multi-project setup, the Firebase CLI fails with the following error:

Error: We failed to modify the IAM policy for the project. The functions deployment requires specific roles to be granted to service agents, otherwise the deployment will fail.

i functions: You can either re-run this command as a project owner or manually run the following set of gcloud commands:
i functions: gcloud projects add-iam-policy-binding engage-flow-staging --member=serviceAccount: --role=roles/monitoring.metricWriter
i functions: gcloud projects add-iam-policy-binding engage-flow-staging --member=serviceAccount: --role=roles/cloudtrace.agent
i functions: gcloud projects add-iam-policy-binding engage-flow-staging --member=serviceAccount: --role=roles/logging.logWriter

This error occurs because the Firebase CLI is unable to correctly identify the service account required for deployment, and is instead attempting to modify the IAM policy with an invalid, empty service account.

[REQUIRED] Steps to reproduce

1. Create a multi-project setup with a default and dev alias in .firebaserc.
2. Attempt to deploy Cloud Functions to the dev project using firebase deploy --only functions --project dev.

[REQUIRED] Expected behavior

The Firebase CLI should correctly identify the service account and deploy the functions successfully.

[REQUIRED] Actual behavior

The Firebase CLI fails with an "Invalid service account" error.

Troubleshooting Steps Taken

1. Enabled all necessary APIs: We have enabled the compute.googleapis.com, cloudfunctions.googleapis.com, cloudbuild.googleapis.com, artifactregistry.googleapis.com, cloudscheduler.googleapis.com, run.googleapis.com, eventarc.googleapis.com, pubsub.googleapis.com, storage.googleapis.com, and secretmanager.googleapis.com APIs.
2. Manually granted all required IAM roles: We have manually granted the roles/monitoring.metricWriter, roles/cloudtrace.agent, and roles/logging.logWriter roles to the 315566886877-compute@developer.gserviceaccount.com and service-315566886877@serverless-robot-prod.iam.gserviceaccount.com service accounts.
3. Updated firebase-tools: We have updated firebase-tools to the latest version.
4. Corrected the .firebaserc file: We have corrected the .firebaserc file to properly distinguish between the default and dev projects.
5. Attempted to force the use of a specific service account: We have attempted to force the use of a specific service account by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable.

Despite these efforts, the deployment continues to fail with the same error. This strongly suggests a bug in the Firebase CLI itself.