Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permission 'iam.serviceAccounts.signBlob' denied on resource, when initializing an App with Service Account ID from another Firebase project #2713

Open
ruslan-simonenko opened this issue Sep 25, 2024 · 0 comments
Open

Permission 'iam.serviceAccounts.signBlob' denied on resource, when initializing an App with Service Account ID from another Firebase project #2713

ruslan-simonenko opened this issue Sep 25, 2024 · 0 comments
Labels
api: auth

Comments

@ruslan-simonenko
Copy link

ruslan-simonenko commented Sep 25, 2024
edited
Loading

[READ] Step 1: Are you in the right place?

Yes

[REQUIRED] Step 2: Describe your environment

  • Operating System version: Google Cloud environment
  • Firebase SDK version: 11.11.1
  • Firebase Product: auth
  • Node.js version: 18
  • NPM version: 10.2.3

[REQUIRED] Step 3: Describe the problem

The documentation for custom token creation implies that one can init an app using service account ID, and create a token with it:
https://firebase.google.com/docs/auth/admin/create-custom-tokens#using_a_service_account_id

This does not seem to be the case for multi-project setup. The troubleshoot guide is unfortunately unhelpful. And error message that Auth module provides is counter-productive as it says that service account has a permission issue, which it does not.

This problem was previously mentioned in #1410.

Steps to reproduce:

Goal: create a token for Project A from Project B's function.

  1. Create two Firebase Projects A & B.
  2. Create service account "Token Creator" in Project A.
  3. Grant it "Service Account Token Creator" permission.
  4. Create Firebase callable Function (v2) that creates JWT token:
  5. Call this function from Project B.

Expected: token is created
Actual:

Unhandled error FirebaseAuthError: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.

This error is hard to debug, as one would assume that something is wrong with the way Service Account is set up. However the reality is that the issue lies with how the App is initialized - it must be initialized with Service Account Private Key, not ID.

It would have saved me a few hours if the library threw an error during App initialization: "This service account must be initialized with a private key, as it belongs to a different Firebase project", or if at least the troubleshoot guide described this caveat.

Relevant Code:

import { onCall } from 'firebase-functions/v2/https';
import { auth, initializeApp } from 'firebase-admin';

const serviceAccount: ServiceAccount = {
  projectId: 'b',
  clientEmail: 'token-creator@project-a.iam.gserviceaccount.com',
  privateKey: '...'
}

export const createJWT = onCall(async () => {
  // const app = initializeApp(
  //   { serviceAccountId: { credential: credential.cert(serviceAccount) } },
  //   'a',
  // ); // << works
  const app = initializeApp(
    { serviceAccountId: 'token-creator@project-a.iam.gserviceaccount.com' },
    'a',
  ); // << does not work, but fails on the next line
  const token = await auth(app).createCustomToken('test');
  return { token };
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
api: auth
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ruslan-simonenko @google-oss-bot