Reputation: 321
I have the line
const [url] = await blob.getSignedUrl({ action: 'read', expires: Date.now() + 60 * 1000, contentType: mimetype })
When I run my unit tests with the Firebase storage emulator I get the error:
Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information
How can I use getSignedUrl with the Firebase emulator?
Upvotes: 0
Views: 966
Reputation: 1338
When using a blob signed URL, use service account credentials instead of the default ADC. That being said, you have two options:
gcloud iam service-accounts keys create FILE_NAME.json --iam-account=NAME@PROJECT_ID.iam.gserviceaccount.com
; which you can use to call Firebase server APIs from your app server or trusted environment. After creating your service account, you must initialize with a service account key file. Here's example Java code for initializing:
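import java.io.FileInputStream;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.firebase.FirebaseApp;
import com.google.firebase.FirebaseOptions;
// Load the service account key file and initialize the Admin SDK with it.
FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccountKey.json");
FirebaseOptions options = FirebaseOptions.builder()
    .setCredentials(GoogleCredentials.fromStream(serviceAccount))
    .setDatabaseUrl("https://<DATABASE_NAME>.firebaseio.com/")
    .build();
FirebaseApp.initializeApp(options);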
You can also check the Firebase Service Accounts to help you identify which service account you will use in your project.
For Linux or macOS: export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Example is: export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"
For Windows (using PowerShell): $env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Example is: $env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
Just note that this variable only applies to your current shell session, so if you open a new session, set the variable again.
Update:
In Google Cloud Platform environments, such as Cloud Functions and App Engine, you usually don't provide a keyFilename or credentials during instantiation. In those environments, we call the signBlob API to create a signed URL, as was stated here. In that case, the service account used must have the Service Account Token Creator Role.
The Service Account Token Creator Role enables impersonation of service accounts to create OAuth2 access tokens, sign blobs, or sign JWTs. Provide your service account when initializing the client. If using default credentials, then make sure that the Cloud Functions service account has the Service Account Token Creator Role, as it is required when calling the signBlob API if the app is deployed within GCP.
You can further check this GitHub issue comment.
Upvotes: 1