Search code examples
firebasegoogle-cloud-platformfirebase-authenticationfirebase-cli

Firebase CLI permission to get auth users

With the Firebase CLI installed and once I'm logged in, I can create a JavaScript file like this that retrieves data from Firestore and execute it directly from the local command line:

script.js:

const admin = require('firebase-admin');

(async () => {
  admin.initializeApp({ projectId: 'my-project-id' });

  const widget = await admin
    .firestore()
    .doc('widgets/someid')
    .get();

  console.log(widget.data());
})();

command: node script.js

It works really well until I try to retrieve users from Firebase's auth. I then get faced with a 403 error. Here's the script:

const admin = require('firebase-admin');

(async () => {
  admin.initializeApp({ projectId: 'my-project-id' });

  const user = await admin
    .auth()
    .getUser('some-uid');

  console.log(user);
})();

Here's the error message:

{
    "error": {
        "code": 403,
        "message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com.We recommend configuring the billing / quota_project setting in gcloud or using a service account through the auth / impersonate_service_account setting.For more information about service accounts and how to use them in your application, see https: //cloud.google.com/docs/authentication/.",
        "errors": [{
            "message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.",
            "domain": "usageLimits",
            "reason": "accessNotConfigured",
            "extendedHelp": "https://console.developers.google.com"
        }],
        "status": "PERMISSION_DENIED"
    }
}

This is odd, as I'm logged in as an administrator of the GCP project. The code above also works well when running inside of a cloud function (which only has a subset of the permissions that I do). How can I change permissions and configurations to get the above script to work?

Solution

  • As @Jordi mentioned in the comments, you need to create a service account and activate that service account in my shell to access firebase auth.

    Here are the steps:

    In Google Cloud Console, create a new service account. Grant the Firebase Authentication Admin and Cloud Datastore Owner roles:

    enter image description here

    Generate a new key and store the JSON file locally:

    enter image description here

    Use the service account credentials:

    Mac/Linux:

    export GOOGLE_APPLICATION_CREDENTIALS=./path/service-account.json

    Windows:

    $env:GOOGLE_APPLICATION_CREDENTIALS = './path/service-account.json'

    Now you can execute node scripts that call firebase-admin's admin.auth(), as well as admin.firestore() with the correct credentials:

    node script.js