Reputation: 3479
I'm trying to create a scheduled Cloud Function exporting my Firestore database to create backups. The code is running fine when serving on my local machine (which uses my personal user account with owner role) but fails once deployed. I already found out that I need to add the 'Storage Admin' and 'Datastore Import Export Admin' roles to the service account used when running the cloud function, but I can't figure out which service account is used for the functions.
Does anyone know which service account is used?
Upvotes: 21
Views: 11031
Reputation: 3479
Firebase Cloud Functions may use the App Engine default service account:
{project-id}@appspot.gserviceaccount.com
[email protected]
Roles and permissions added to those services accounts carry over to the Cloud Functions runtime.
Details on the default Firebase accounts are documented in the Firebase Service Account Overview.
Good to know: When using Google Cloud Functions, the service account being used while running the function can be defined when deploying the function.
Upvotes: 37
Reputation: 1004
Just to improve on @slushy's answer, you can specify the service account you want to use in your 2nd generation cloud functions with setGlobalOptions:
// index.ts
import { onRequest, type Request } from "firebase-functions/v2/https";
import type { Response } from "express";
import { initializeApp } from "firebase-admin/app";
import { setGlobalOptions } from "firebase-functions/v2";

// With no explicit credential, the Admin SDK uses the function's runtime service account
initializeApp();

// Applies to every v2 function exported from this file
setGlobalOptions({
  serviceAccount: "chosen-service-account@PROJECT_ID.iam.gserviceaccount.com",
});

export const myCustomFunction = onRequest(
  { cors: true },
  async (req: Request, res: Response) => {
    // Operations through the Admin SDK will be using the specified service account
    res.status(200).send("ok");
  },
);
This allows you to target a more restrictive service account regarding account permissions, therefore improving your app security.
Check out more on firebase service accounts and the related google cloud permissions.
Upvotes: 0
Reputation: 12395
As of 2024, Firebase Cloud Functions are now v2 by default and my guess is that v1 will be phased out relatively soon. All v2 cloud functions are deployed to Cloud Run in Google Cloud (GC) and Cloud Functions will serve merely as an abstraction layer. Therefore, get used to Cloud Run because that is where configuration will take place.
The default service account for these functions is the default Compute Engine service account. However, this can be changed either through Cloud Run in the GC console or in the cloud function's source code.
To change it in GC, navigate to Cloud Run, select the function, select the option to edit and deploy new revision, navigate to security, and change the service account there. You can only do this, of course, if you've already deployed this function.
To change it in source code, you can specify the service account at the global level with a GlobalOptions object. Here I have set the function to use the Firebase Admin SDK service account, which comes by default with all Firebase projects. I think this is the most appropriate service account to use here, but you can create your own service account and use that instead, naturally.
setGlobalOptions({
serviceAccount: "firebase-adminsdk-abcxyz@some-project-abc123.iam.gserviceaccount.com",
});
Note that you are also advised to initialize the app with a service account, which you can do with the Credential object:
const {initializeApp, cert} = require("firebase-admin/app");

// Loads the service account's private key from a JSON key file
initializeApp({
  credential: cert("./service-account-credentials.json"),
});
This initialization is pointing to a JSON file in the "functions" folder. This JSON file is a highly-sensitive file that you can only download once in GC for each service account. You may not want to store it in the functions folder because of its sensitivity and you most likely won't want to push it to remote repos, especially if they are public. GC claims they may revoke the private key in this JSON file if they detect it in publicly-accessible repos.
Upvotes: 1
Reputation: 490
Here is a link to the documentation about cloud function's identity: https://cloud.google.com/functions/docs/securing/function-identity
Cloud Functions (1st gen) uses the App Engine default service account, PROJECT_ID@appspot.gserviceaccount.com. Cloud Functions (2nd gen) uses the default compute service account, PROJECT_NUMBER-compute@developer.gserviceaccount.com. Note that the project number is distinct from the project ID and project name. You can find your project number on the Google Cloud console Dashboard page.
Upvotes: 7
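As an added example, not part of the original question or of any answer above: the two default identities quoted from the documentation have recognisable address shapes, so a function can find out at runtime which account it is actually executing as by asking the Compute Engine metadata server (the /computeMetadata/v1/instance/service-accounts/default/email endpoint, which requires the Metadata-Flavor: Google header) and classifying the reply. The classifier's buckets, the isDefault flag and the K_SERVICE / FUNCTION_TARGET environment-variable guard at the bottom are my own assumptions about the deployment; the code assumes Node 18 or later for the global fetch, and all sample addresses are constructed.

```javascript
// Added example, not from the Q&A: discover and classify the Cloud Function's
// runtime service account. Assumes Node 18+ (global fetch) and, for the live
// lookup, that it runs on Google Cloud where metadata.google.internal resolves.

const METADATA_EMAIL_URL =
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email";

// Classify a service-account e-mail into the identities discussed on this page.
// "isDefault" marks the Google-managed defaults, which usually carry the broad
// project-level Editor role and are therefore the ones to move away from.
function classifyServiceAccount(email) {
  const e = String(email).trim().toLowerCase();
  let m;
  // Cloud Functions 1st gen / App Engine default: PROJECT_ID@appspot.gserviceaccount.com
  if ((m = e.match(/^([^@]+)@appspot\.gserviceaccount\.com$/))) {
    return { email: e, kind: "app-engine-default", projectId: m[1], projectNumber: null, isDefault: true };
  }
  // Cloud Functions 2nd gen / Cloud Run default: PROJECT_NUMBER-compute@developer.gserviceaccount.com
  if ((m = e.match(/^(\d+)-compute@developer\.gserviceaccount\.com$/))) {
    return { email: e, kind: "compute-default", projectId: null, projectNumber: m[1], isDefault: true };
  }
  // Firebase Admin SDK account created with every Firebase project (assumed naming shape)
  if ((m = e.match(/^(firebase-adminsdk-[a-z0-9]+)@([^@]+)\.iam\.gserviceaccount\.com$/))) {
    return { email: e, kind: "firebase-adminsdk", projectId: m[2], projectNumber: null, isDefault: false };
  }
  // Anything else under <project>.iam.gserviceaccount.com is a user-managed account
  if ((m = e.match(/^([^@]+)@([^@]+)\.iam\.gserviceaccount\.com$/))) {
    return { email: e, kind: "user-managed", projectId: m[2], projectNumber: null, isDefault: false };
  }
  return { email: e, kind: "unknown", projectId: null, projectNumber: null, isDefault: false };
}

// Ask the metadata server which account this instance runs as. The
// Metadata-Flavor header is mandatory; without it the server refuses the request.
// fetchImpl is injectable so the lookup can be exercised without the server.
async function resolveRuntimeIdentity(fetchImpl = fetch) {
  const res = await fetchImpl(METADATA_EMAIL_URL, { headers: { "Metadata-Flavor": "Google" } });
  if (!res.ok) {
    throw new Error(`metadata server returned HTTP ${res.status}`);
  }
  const email = (await res.text()).trim();
  return classifyServiceAccount(email);
}

// One-line summary suitable for a startup log line of the function.
function describeIdentity(identity) {
  const scope = identity.projectId
    ? `project ${identity.projectId}`
    : identity.projectNumber
      ? `project number ${identity.projectNumber}`
      : "unknown project";
  const warning = identity.isDefault ? " (Google-managed default account; consider a dedicated one)" : "";
  return `running as ${identity.email} [${identity.kind}, ${scope}]${warning}`;
}

// Only attempt the live lookup inside the Cloud Functions / Cloud Run runtime,
// which sets K_SERVICE and FUNCTION_TARGET (assumption about the environment).
if (process.env.K_SERVICE || process.env.FUNCTION_TARGET) {
  resolveRuntimeIdentity()
    .then((identity) => console.log(describeIdentity(identity)))
    .catch((err) => console.error("identity lookup failed:", err.message));
}
```

Logging the classified identity once at cold start gives a quick answer to the question in the title, and the isDefault flag is the signal that the function still runs with the broad Google-managed account rather than one scoped to the export permissions it needs.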
Reputation: 106
You can specify a custom service account with the runWith() method if you prefer not to use the default one nowadays. It accepts a number of RuntimeOptions that can be defined.
Upvotes: 5