firebase, firebase-authentication, google-cloud-functions

Firebase Admin SDK: Create custom auth token with Cloud Functions v2


In my Firebase project I have upgraded functions from v1 to v2. Suddenly creating a custom auth token fails with:

FirebaseAuthError: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.

I am calling getAuth().createCustomToken(uid).

Do I need to fix permission configuration? How do I add the missing permission? Where do I have to add it? My service account already has the role "Service Account Token Creator". And this role already contains 'iam.serviceAccounts.signBlob'.

Or do I have to use the APIs differently in functions 2nd Gen?


Solution

  • As Functions v2 runs via Cloud Run, the service account seems to be pinned to a different one: [email protected]

    No matter which account I set in initializeApp(), it kept ignoring this.

    Set the Service Account Token Creator permission for the account used for Cloud Run Invoker and it should work.
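
An added example, not part of the original question or answer and not Firebase's own code: a Node.js check for the mismatch described above, comparing the identity the function actually runs as with the members bound to Service Account Token Creator. The function names, e-mail addresses and sample policy are constructed; the policy is assumed to have the JSON shape of a Google Cloud IAM policy (for example the output of `gcloud iam service-accounts get-iam-policy` with `--format=json`).

```javascript
// Added example. All names and sample values below are constructed.
const TOKEN_CREATOR = 'roles/iam.serviceAccountTokenCreator';

// Ask the metadata server which service account this instance really runs as.
// Only resolves inside Cloud Run / Cloud Functions; not called by the sample run.
async function runtimeServiceAccount() {
  const res = await fetch(
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email',
    { headers: { 'Metadata-Flavor': 'Google' } });
  if (!res.ok) throw new Error(`metadata server returned ${res.status}`);
  return (await res.text()).trim();
}

// Report whether runtimeEmail is bound to Token Creator in the given policy,
// and who else is, so an identity mix-up is visible at a glance.
function checkTokenCreator(policy, runtimeEmail) {
  const member = `serviceAccount:${runtimeEmail}`.toLowerCase();
  const result = { granted: false, conditional: false, othersWithRole: [] };
  for (const b of (policy && policy.bindings) || []) {
    if (b.role !== TOKEN_CREATOR) continue;
    for (const m of b.members || []) {
      if (m.toLowerCase() !== member) { result.othersWithRole.push(m); continue; }
      // A conditional binding may not apply when signBlob is called.
      if (b.condition) result.conditional = true;
      else result.granted = true;
    }
  }
  return result;
}

// Constructed sample: the role sits on the account the developer expected,
// while the function runs as a different one.
const RUNTIME_SA = 'runtime-sa@demo-project.iam.gserviceaccount.com';
const SAMPLE_POLICY = {
  bindings: [
    { role: TOKEN_CREATOR,
      members: ['serviceAccount:firebase-adminsdk-abc12@demo-project.iam.gserviceaccount.com'] },
    { role: 'roles/iam.serviceAccountUser',
      members: [`serviceAccount:${RUNTIME_SA}`] },
  ],
};

console.log(checkTokenCreator(SAMPLE_POLICY, RUNTIME_SA));
```

Inside a deployed function, pass the value returned by `runtimeServiceAccount()` instead of the constructed address. The check only inspects the one policy it is given, so a grant made at a different level (for example on the project) will not show up.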