Menu
TLDR; I'm having trouble assigning an IAM permission to a service account.
I'm building a test that involves minting custom tokens with firebase Auth. When I hit:
const token = await admin.auth().createCustomToken('test', {
isAdmin: true,
})
the following error is thrown
Permission iam.serviceAccounts.signBlob is required to perform
this operation on service account
projects/-/serviceAccounts/[email protected].;
Please refer to
https://firebase.google.com/docs/auth/admin/create-custom-tokens
for more details on how to use and troubleshoot this feature
In the referenced documentation it says to add the Service Account Token Creator role to the service account. I have added that role (as well as tried Service Account Admin to no avail.
I can verify that my permissions seem to be correctly set, when I run
gcloud projects get-iam-policy project I can see my service account attached to the desired role
- members:
- serviceAccount:[email protected]
role: roles/iam.serviceAccountTokenCreator
However if I look at that specific service account, it seems to show up empty which would fall in line with my error:
gcloud iam service-accounts get-iam-policy [email protected]
etag: ACAB
I assume that whatever is causing my service account permissions to show up blank is the culprit, but I'm not sure where to debug further. It seems to me the only difference is one command is called with a project in it, but I initialize my firebase app with the project id, and have verified it with (firebase-admin).apps[0].options so it seems like a dead end.
211
In the Google Cloud console, go to the IAM page, find the service accounts, and review their roles. If necessary, grant a less permissive role to the service account. You can select a role from the list of IAM predefined roles, use a role suggested by a role recommendation, or create a custom role.
PROJECT_NUMBER @cloudservices.gserviceaccount.com. This service account is designed specifically to run internal Google processes on your behalf. The account is owned by Google and is not listed in the Service Accounts section of Google Cloud console.
It is important to note that @appspot.gserviceaccount.com is the App Engine default service account. It acts as a security feature " intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs."
Firebase mentions about this error on its docs:
https://firebase.google.com/docs/auth/admin/create-custom-tokens#failed_to_determine_service_account
You must initialize your app correctly through a JSON config file.
A simple fix would be:
In a few minutes your project will be able to create signed tokens.
89
The sign feature of a service account requires the iam.serviceAccounts.signBlob permission. This permission is included in the Service Account Token role roles/iam.serviceAccountTokenCreator
You can assign this role at the "project" level or at the "service account" level. This is why you see different results. Assigning roles at the project level affects permissions for all service accounts. Assigning roles at the service account only affects that service account.
The key to your problem is that the caller does not have this role on service account [email protected]. You have given the service account permission and NOT the caller. Look into your code for the service account that you used to setup the Firebase SDK.
37
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
