This does not seem to be the case for a multi-project setup. The troubleshooting guide is unfortunately unhelpful, and the error message that the Auth module provides is counter-productive, as it says that the service account has a permission issue, which it does not.
Goal: create a token for Project A from Project B's function.
Create two Firebase Projects A & B.
Create service account "Token Creator" in Project A.
Grant it "Service Account Token Creator" permission.
Create Firebase callable Function (v2) that creates JWT token:
Call this function from Project B.
Expected: token is created
Actual:
Unhandled error FirebaseAuthError: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.
This error is hard to debug, as one would assume that something is wrong with the way the Service Account is set up. However, the reality is that the issue lies with how the App is initialized - it must be initialized with the Service Account's Private Key, not its ID.
It would have saved me a few hours if the library threw an error during App initialization: "This service account must be initialized with a private key, as it belongs to a different Firebase project", or if at least the troubleshooting guide described this caveat.
Relevant Code:
```ts
import { onCall } from 'firebase-functions/v2/https';
import { auth, credential, initializeApp, ServiceAccount } from 'firebase-admin';

const serviceAccount: ServiceAccount = {
  projectId: 'b',
  clientEmail: 'token-creator@project-a.iam.gserviceaccount.com',
  privateKey: '...',
};

export const createJWT = onCall(async () => {
  // const app = initializeApp(
  //   { credential: credential.cert(serviceAccount) },
  //   'a',
  // ); // << works: the token is signed locally with the private key
  // Note: initializeApp throws if an app named 'a' already exists, so in a
  // real deployment this belongs at module scope, not inside the handler.
  const app = initializeApp(
    { serviceAccountId: 'token-creator@project-a.iam.gserviceaccount.com' },
    'a',
  ); // << does not work, but fails on the next line (remote IAM signBlob call)
  const token = await auth(app).createCustomToken('test');
  return { token };
});
```
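As an added example (not code from the firebase-admin project or from this issue's author), the following is the pre-flight check the report wishes the SDK performed: when an app is given only a `serviceAccountId`, the custom token is signed remotely through the IAM signBlob API using whatever credentials the runtime itself has, whereas `credential.cert(...)` with a private key signs locally. The check assumes the runtime project id is known to the caller (e.g. read from the environment) and that the service-account email has the standard `<name>@<project>.iam.gserviceaccount.com` form; the project names below are constructed to match the report.

```typescript
// Hypothetical config shape: the three inputs that decide how a custom token gets signed.
type SignerConfig = {
  runtimeProjectId: string;   // project whose default credentials the function runs with (Project B)
  serviceAccountId?: string;  // email passed as { serviceAccountId } -> remote IAM signBlob path
  privateKey?: string;        // PEM key passed via credential.cert(...) -> local signing path
};

type SignerDecision =
  | { mode: 'local-key' }
  | { mode: 'iam-signblob'; signer: string }
  | { mode: 'error'; message: string };

// Extract the project id from a service-account email; undefined if it is not the standard form.
function projectOfServiceAccount(email: string): string | undefined {
  const m = /^[^@\s]+@([a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$/.exec(email);
  return m ? m[1] : undefined;
}

// Decide the signing path and reject the cross-project serviceAccountId setup up front,
// instead of letting createCustomToken fail later with a misleading signBlob permission error.
function checkCustomTokenSigner(cfg: SignerConfig): SignerDecision {
  if (cfg.privateKey) {
    return { mode: 'local-key' }; // no IAM call involved, works across projects
  }
  if (!cfg.serviceAccountId) {
    return { mode: 'error', message: 'no signer configured: pass credential.cert(...) or serviceAccountId' };
  }
  const saProject = projectOfServiceAccount(cfg.serviceAccountId);
  if (!saProject) {
    return { mode: 'error', message: `unrecognised service-account email: ${cfg.serviceAccountId}` };
  }
  if (saProject !== cfg.runtimeProjectId) {
    return {
      mode: 'error',
      message:
        `service account ${cfg.serviceAccountId} belongs to project ${saProject}, but this runtime ` +
        `authenticates as project ${cfg.runtimeProjectId}; initialize the app with its private key ` +
        `(credential.cert) instead of serviceAccountId`,
    };
  }
  return { mode: 'iam-signblob', signer: cfg.serviceAccountId };
}

// Constructed inputs mirroring the report: Project B's function, Project A's service account.
const crossProject = checkCustomTokenSigner({
  runtimeProjectId: 'b',
  serviceAccountId: 'token-creator@project-a.iam.gserviceaccount.com',
});
console.log(crossProject.mode === 'error' ? crossProject.message : crossProject.mode);
```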
[READ] Step 1: Are you in the right place?
Yes
[REQUIRED] Step 2: Describe your environment
[REQUIRED] Step 3: Describe the problem
The documentation for custom token creation implies that one can initialize an app using a service account ID and create a token with it:
https://firebase.google.com/docs/auth/admin/create-custom-tokens#using_a_service_account_id
This problem was previously mentioned in #1410.