CODEWITHSUNDEEP
firebaseauthenticationgoogle-cloud-platformjwt
Ian
Ian

Reputation: 187

Unable to sign JWT when using serviceAccountId

We've switched from service account keys to serviceAccountIds (or tried to) so we can clean up all the rouge keys we have. After rolling out the change we're seeing:

Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/[email protected].; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature....}}

The thing is, we've definitely got the correct role applied (see attachment). We've even tried a few more for good measure.

Thanks!

enter image description here

Upvotes: 9

Views: 2658

Answers (1)

Hiranya Jayathilaka
Hiranya Jayathilaka

Reputation: 7438

There are two service accounts being used in this case:

  1. The service account used to authorize RPC calls (in case of Cloud Functions, this is the App Engine default service account).
  2. The service account you have specified as the serviceAccountId.

It seems IAM only works when BOTH service accounts have the signBlob permission. I have inquired the GCP/IAM team about this. In the meantime, here are couple of fixes you can try immediately:

  • Grant the token creator role to the App Engine default service account of your project.
  • Once you do that, you don't have to specify a serviceAccountId at all. The SDK will auto-discover that same service account ID when running in Functions.

Upvotes: 11

Related Questions