-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
13.x has broken auto finding service account for auth.createCustomToken #2800
Comments
Hey @seaders , When you call Does your service account have required permissions? See: https://firebase.google.com/docs/auth/admin/create-custom-tokens#service_account_does_not_have_required_permissions Re: the project id, could you try the accessing the credentials in your app instance without using GoogleAuth?
|
Hi @lahirumaramba I should have mentioned that in the OP, but yeah, .env file,
In regards the perms, as I mentioned in the post, this works perfectly, with the same service account, service account json file, and .env vars and the above code, on pre 13.x, and with the altered code on 13, so it's 100% nothing to do with the perms. I think it's to do with how the app is initialising now, and due to the "promise-y" nature of loading GoogleAuth, things aren't setting up right. In regards projectId... my dude As per the docs, firebase-admin-node/src/app/credential.ts Line 39 in 79b78c4
projectId doesn't exist on the Credential type. Even if I DID force cast it as having a projectId, it's still empty. It's empty until the
I truly don't understand the strategy that's gone on with some of this stuff and the change to GoogleAuth. Either expose the googleAuth object on the credential, or expose the internals of the default credential, or at least let us check, and cast the credential as the internal class. I'm really surprised that more things hasn't broken for more people, we've had a nightmare with the change. |
Just using This is going to break a lot of code (and hearts). |
I understand your frustration and thanks for filing this issue. I think I found the root cause and we are working on a fix in #2801 In the meantime, could you try the following as a workaround? import { cert, initializeApp } from "firebase-admin/app"
import { getAuth } from "firebase-admin/auth"
const app = initializeApp({
credential: cert(process.env['GOOGLE_APPLICATION_CREDENTIALS'])
})
await getAuth().createCustomToken("test") Using If you use the workaround mentioned above you should also be able to access the project id through: (app.options.credential as any).projectId We will also look into how we can better expose the project ID and service account in the future (and the internal Google Auth type) once this issue is fixed. |
Thanks for the help @lahirumaramba I've just tried that locally now, and can confirm that that solves both the token creation and the projectId bit. Unfortunately that doesn't work when deployed we get, from the code import admin from "firebase-admin"
export const credsLoc = process.env.GOOGLE_APPLICATION_CREDENTIALS
console.log({ credsLoc })
export const firebase =
admin.apps[0] ??
admin.initializeApp({
credential: admin.credential.cert(credsLoc!)
})
const projectId = (firebase.options.credential as any).projectId
console.log({ projectId }) |
That makes sense on Cloud Run you don't have the env var set (which you don't have to) so the SDK will look for Application Default Credentials in the environment. Can you try the following on your Cloud Run (GCP environment): const app = admin.initializeApp()
await (app.options.credential as any).getProjectId()
await (app.options.credential as any).getServiceAccountEmail() |
Yes, I agree. That is why I mention this (casting to any) as a workaround in my comment above. We will look into better exposing getters for the internal GoogleAuth type in the future as an improvement. |
[REQUIRED] Step 2: Describe your environment
[REQUIRED] Step 3: Describe the problem
Steps to reproduce:
What happened? How can we make the problem occur?
Prior to 13.x and the switch to google auth, you were able to run code like this
and create a custom token fine. I was able to do it locally, without error.
Now, we get errors locally like
This is very similar to the hoops introduced in 13.x to get the projectId.
To get everything properly working with each other, you need to do something like unnecessarily create the google auth, wait for the projectId/for it to be "filled", and then set the service account that that had auto set in the
initializeApp
function,All of the above seems like a big regression to many working features which needs to be fixed, or much of the documentation needs updating as running just
initializeApp
now does not set up your app fully like it did prior to 13.x, or plainly just a bug.--- edit ---
My creds are loaded from my .env file, via
The exact same service account and env vars are set, when testing against pre 13 and 13.x, and works fine with the appropriate code above, no issue with env vars, nor service account perms.
The text was updated successfully, but these errors were encountered: