0

With the Firebase CLI installed and once I'm logged in, I can create a JavaScript file like this that retrieves data from Firestore and execute it directly from the local command line:

script.js:

const admin = require('firebase-admin');

(async () => {
  admin.initializeApp({ projectId: 'my-project-id' });

  const widget = await admin
    .firestore()
    .doc('widgets/someid')
    .get();

  console.log(widget.data());
})();

command: node script.js

It works really well until I try to retrieve users from Firebase's auth. I then get faced with a 403 error. Here's the script:

const admin = require('firebase-admin');

(async () => {
  admin.initializeApp({ projectId: 'my-project-id' });

  const user = await admin
    .auth()
    .getUser('some-uid');

  console.log(user);
})();

Here's the error message:

{
    "error": {
        "code": 403,
        "message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com.We recommend configuring the billing / quota_project setting in gcloud or using a service account through the auth / impersonate_service_account setting.For more information about service accounts and how to use them in your application, see https: //cloud.google.com/docs/authentication/.",
        "errors": [{
            "message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.",
            "domain": "usageLimits",
            "reason": "accessNotConfigured",
            "extendedHelp": "https://console.developers.google.com"
        }],
        "status": "PERMISSION_DENIED"
    }
}

This is odd, as I'm logged in as an administrator of the GCP project. The code above also works well when running inside of a cloud function (which only has a subset of the permissions that I do). How can I change permissions and configurations to get the above script to work?

Johnny Oshika
  • 54,741
  • 40
  • 181
  • 275
  • 1
    As the error says, you need to add a service account to retrieve users from Firebase's auth. In this [answer](https://stackoverflow.com/a/56826028/15747954) there are several methods to achieve it. – Jordi Jun 21 '21 at 10:19
  • @Jordi That's interesting. I'm using the Firebase CLI so I thought I was using the credentials of the logged in user with `firebase login`. That user (me) has full access to everything including Firebase Auth, but it sounds like I need to create a special service account for what I'm trying to do. – Johnny Oshika Jun 21 '21 at 14:11

1 Answers1

0

As @Jordi mentioned in the comments, you need to create a service account and activate that service account in my shell to access firebase auth.

Here are the steps:

In Google Cloud Console, create a new service account. Grant the Firebase Authentication Admin and Cloud Datastore Owner roles:

enter image description here

Generate a new key and store the JSON file locally:

enter image description here

Use the service account credentials:

Mac/Linux:

export GOOGLE_APPLICATION_CREDENTIALS=./path/service-account.json

Windows:

$env:GOOGLE_APPLICATION_CREDENTIALS = './path/service-account.json'

Now you can execute node scripts that call firebase-admin's admin.auth(), as well as admin.firestore() with the correct credentials:

node script.js
Johnny Oshika
  • 54,741
  • 40
  • 181
  • 275