1

I have set up App Engine and Firebase in PROJECT A. The App Engine app uses default credentials and is able to access Firebase in PROJECT A; however, the App Engine app also needs to call verifyIdToken() to verify users in PROJECT B.

What would be the best approach to it?

  1. I can download the Firebase credentials from PROJECT B and use the Firebase Admin SDK to do so, but it seems overkill, because I only need to verify the user token.

  2. Set up Firebase IAM permissions in PROJECT B for the App Engine app from PROJECT A, so it can access Firebase, theoretically. But in this case, how does App Engine get the credentials from Firebase in PROJECT B? Definitely not default credentials, right?

jmzhang18

2 Answers

0

You can add the necessary roles from Project B to the service account used by Cloud Functions (it will be <project-a>@appspot.gserviceaccount.com). You would do this by visiting the Google Cloud IAM console in Project B and assigning the roles appropriately.

Once you do that, you should be able to use default credentials to authorize requests for Project B.

Note: There's some nuance here and I haven't directly tried this, but it should work in theory.

Michael Bleigh
  • Thanks! However, in this case, I want to have Firebase access to both Project A and B; how does the default credential in App Engine distinguish? – jmzhang18 May 06 '20 at 06:27
0

Found the solution

using_a_service_account_id

and

Answer from another post

After setting up the IAM role and policy in project B with the project A account, simply do

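import firebase_admin

# Named app instance for project B, identified by project B's service account ID
projectB_firebase = firebase_admin.initialize_app(options={
    "serviceAccountId": "firebase-adminsdk-xxxxxxx@[projectb].iam.gserviceaccount.com"
}, name="projectB")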
jmzhang18
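The claim checks that tie a Firebase ID token to one project (here PROJECT B), as an added example that is not code from this thread. The project IDs, sample tokens and helper names are constructed for illustration, and the function checks claims only: the RS256 signature still has to be verified against Google's published securetoken certificates, which the Admin SDK does as part of verifying a token.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def claim_errors(token, project_id, now=None):
    """Return the reasons the token's header/claims do not fit project_id.

    Claims only: an empty list does NOT mean the token is authentic, the
    signature must be verified separately before the token is trusted.
    """
    now = time.time() if now is None else now
    try:
        header_seg, payload_seg, _sig = token.split(".")
        header, claims = _b64url_json(header_seg), _b64url_json(payload_seg)
    except (ValueError, TypeError, AttributeError):
        return ["malformed token"]
    errors = []
    if header.get("alg") != "RS256":
        errors.append("alg is not RS256")
    if not header.get("kid"):
        errors.append("missing kid")
    if claims.get("aud") != project_id:  # a PROJECT A token fails here
        errors.append("aud does not match project")
    if claims.get("iss") != f"https://securetoken.google.com/{project_id}":
        errors.append("iss does not match project")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        errors.append("empty sub")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        errors.append("expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now:
        errors.append("iat in the future")
    return errors

def make_unsigned_sample(project_id, now, **overrides):
    """Constructed sample token with a dummy signature, for the demo only."""
    claims = {"aud": project_id, "iss": f"https://securetoken.google.com/{project_id}",
              "sub": "uid-123", "iat": int(now) - 60, "exp": int(now) + 3600, **overrides}
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "kid": "sample-key", "typ": "JWT"})}.{enc(claims)}.c2ln'
```
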