Reputation: 137
I have a Firebase project set up and working now using a Firebase-generated service account (project settings > service accounts > generate new private key).
In my Firebase code, I initialize with the SA JSON file like so:
import {initializeApp, cert} from 'firebase-admin/app'

initializeApp({
  credential: cert(require('../projectname-firebase-adminsdk-XXX-XXX.json')),
  storageBucket: 'project.appspot.com',
})
My issue now is arising while trying to implement Firebase enqueue functions using onTaskDispatched with Cloud Tasks. I've followed the example here. However, the IAM permissions they say to give do not work as expected. First it gave me an error saying I needed the cloudtasks.tasks.create principal. So, I added the Cloud Tasks Enqueuer role to the Firebase SA. Once that propagated it now says I need iam.serviceAccounts.actAs. This is where I am stumped. I can't figure out how to assign that principal.
Along with this, I have found a lot of mixed reviews on whether or not I should even be using a separate service account. Most say that I should let the environment use default credentials (not set a SA at all), and some say that it is good practice to have separate ones. There is not a lot of documentation on this specifically for Firebase with other Google services integrated. I'm hoping for a little guidance and insight on the best practices or at least how to get this working.
Edit 1
Just to add, this is how I implemented the getFunctionUrl function from the example:
import {GoogleAuth} from 'google-auth-library'

export async function getFunctionUrl(
  name: string,
  location = 'us-central1'
) {
  const auth = new GoogleAuth({
    scopes: "https://www.googleapis.com/auth/cloud-platform"
  })
  const projectId = await auth.getProjectId()
  const url = "https://cloudfunctions.googleapis.com/v2beta/" +
    `projects/${projectId}/locations/${location}/functions/${name}`
  const client = await auth.getClient()
  const res = await client.request({url})
  // @ts-ignore
  const uri = res.data?.serviceConfig?.uri
  if (!uri) {
    throw new Error(`Unable to retrieve uri for function at ${url}`)
  }
  return uri
}
This seems... wrong? I'm not sure if initializing Firebase using a SA will register with this package? Is this attempting to use default credentials? To test this I set my GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of my SA JSON and re-deployed to no effect.
Edit 2
I managed to figure out what it wanted for the actas principal. Solved this by assigning the service account user role to the SA. Everything is working now as expected. However, my question still stands on best practices involving multiple service accounts as opposed to the default.
Upvotes: 0
Views: 214
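
An added example, not part of the original post: a small TypeScript check for the two permission errors described in the question, run against a project-level IAM policy in the shape printed by `gcloud projects get-iam-policy PROJECT --format=json`. The helper name `auditEnqueuer`, the project, the service account emails and the sample policy are all constructed for illustration.

```typescript
// Added example: IAM policy audit for the two errors in the question.
type Binding = { role: string; members: string[] }
type Policy = { bindings: Binding[] }

// Permission named in each error -> predefined role the post used to grant it.
const NEEDED: Record<string, string> = {
  'cloudtasks.tasks.create': 'roles/cloudtasks.enqueuer',
  'iam.serviceAccounts.actAs': 'roles/iam.serviceAccountUser',
}
// Basic roles that grant far more than an enqueuing service account needs.
const BROAD = ['roles/owner', 'roles/editor']

// Hypothetical helper. "missing" only means "not granted through the two
// roles above"; other roles can carry the same permissions.
function auditEnqueuer(policy: Policy, saEmail: string) {
  const member = `serviceAccount:${saEmail}`
  const roles = policy.bindings
    .filter((b) => b.members.indexOf(member) !== -1)
    .map((b) => b.role)
  const missing = Object.keys(NEEDED).filter(
    (perm) => roles.indexOf(NEEDED[perm]) === -1
  )
  const warnings: string[] = []
  for (const role of roles) {
    if (BROAD.indexOf(role) !== -1) {
      warnings.push(`${role} is a basic role; replace it with narrower roles`)
    }
    if (role === 'roles/iam.serviceAccountUser') {
      // A project-level binding covers every service account in the project.
      warnings.push('actAs is project-wide; grant it on the target service account instead')
    }
  }
  return { roles, missing, warnings }
}

// Constructed sample: the state after the first fix described in the post.
const SA = 'firebase-adminsdk-xxxxx@example-project.iam.gserviceaccount.com'
const samplePolicy: Policy = {
  bindings: [
    { role: 'roles/cloudtasks.enqueuer', members: [`serviceAccount:${SA}`] },
    { role: 'roles/editor', members: ['serviceAccount:other@example-project.iam.gserviceaccount.com'] },
  ],
}

console.log(auditEnqueuer(samplePolicy, SA))
```

For the sample policy the check reports `iam.serviceAccounts.actAs` as missing, which matches the second error in the post; once the Service Account User role is bound at project level the missing list is empty and the project-wide warning appears instead.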