Menu
We've switched from service account keys to serviceAccountIds (or tried to) so we can clean up all the rouge keys we have. After rolling out the change we're seeing:
Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/[email protected].; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature....}}
The thing is, we've definitely got the correct role applied (see attachment). We've even tried a few more for good measure.
Thanks!
861
What Are Custom Authentication Tokens? An authentication token is some data, represented as a string or XML, that identifies an entity (user or process), such as an X509 client certificate. Typically, authentication tokens are designed to be used within specific security protocols.
When a user or device successfully signs in, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Firebase Realtime Database and Cloud Storage. You can re-use that ID token to identify the user or device on your custom backend server.
Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
There are two service accounts being used in this case:
serviceAccountId.It seems IAM only works when BOTH service accounts have the signBlob permission. I have inquired the GCP/IAM team about this. In the meantime, here are couple of fixes you can try immediately:
serviceAccountId at all. The SDK will auto-discover that same
service account ID when running in Functions.
137
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
