Does Firebase Admin SDK deployed at Cloud Run require GOOGLE_CLOUD_PROJECT env var?

Question

We've deployed a service to Cloud Run which uses Firebase Admin SDK. This service uses multiple auth-related methods. We've found out that if we do not include the GOOGLE_CLOUD_PROJECT env var, the method setCustomUserClaims(...) throws following error: Failed to determine project ID for Auth. Initialize the SDK with service account credentials or set project ID as an app option. Alternatively set the GOOGLE_CLOUD_PROJECT environment variable.

However, we've also checked that if the env var is not present, other methods, such as createCustomToken(...) work just fine. How is this possible? Should we use GOOGLE_CLOUD_PROJECT or not?

Answer 1

createCustomToken mints and signs its authentication tokens within the SDK.

This is in contrast to setCustomUserClaims that has to make network calls to do its job, mainly to the endpoint:

https://identitytoolkit.googleapis.com/{version}/projects/{projectId}/accounts:update

As this endpoint uses the Project ID, it needs to be provided from somewhere.

As of the time of writing, it looks for it in these locations, in the following order:

1. options.projectId from initializeApp() (this is normally filled in by process.env.FIREBASE_CONFIG)
2. options.credential.projectId from initializeApp(), if the credential is a ServiceAccountCredential
3. process.env.GOOGLE_CLOUD_PROJECT
4. process.env.GCLOUD_PROJECT
5. options.credential.getProjectId() from initializeApp(), if the credential is a ComputeEngineCredential