I made a mistake and removed the default IAM role of an Firebase app on Google Cloud Console.
What is the default IAM role on AppEngine?
Is the App Engine Admin the correct one?
As written by #Ferregina in the comment section, the default IAM role for App Engine is the Editor role, which means that any user account with
sufficient permissions to deploy changes to the Cloud project can also run code with read/write access to all resources within that project(i.e. User
account having editor role will also be having viewer role or read/write access).
Related
I am making an admin tool page to allow admins to change users email for when they change or set their account to deactivate so they can not access the site anymore. Everything I have looked at seems to be using 'CurrentUser' but this will not work due to the fact they will be logged in as themselves which is marked as Admin level so they have access to the tool. So is there any way to change a users email for authentication without logging in as them?
If the Firebase Authentication client-side SDKs had an API that allowed you to change the email address of anyone but yourself that'd be a major security risk.
This is the reason an API to update any user by their UID only exists in the Admin SDK, which can only be run on a trusted environment as it requires full administrative access to your project.
If you want to expose this functionality to specific users of your app, you'll have to wrap the relevant call of the Admin SDK into a custom endpoint that you then call from the app. Just make sure to check that the user is authorized, before changing some other user's account.
I have recently started learning about building a serverless backend using Firebase for the cloud functions. I have been able to set up a Firebase project with some functions, which I would like to deploy. However, since I have previously logged in with another service account, it does not allow me to deploy despite the fact that I logout first and then login with the proper account.
I logout with firebase logout, which states Logged out from ....#gmail.com. Then I login with the proper account with firebase login, which opens my browser so that I can login with my account.
When I try to deploy with firebase deploy it throws an error
Missing permissions required for functions deploy. You must have permission iam.serviceAccounts.ActAs on service account previousAccount#appspot.gserviceaccount.com.
To address this error, ask a project Owner to assign your account the "Service Account User" role from this URL:
https://console.cloud.google.com/iam-admin/iam?project=previousAccount
I have also tried setting the proper account as the default one for the project directory, but that did not address the issue.
How can I erase the other service account and start using the proper one?
I have a server side app that does not run on node.js (a Cloudflare Worker), so I'm trying to access Firestore resources via REST calls and not through the Admin SDK.
I have a default service account created automatically for the Admin SDK, and I created another service account manually in the GCP console.
After obtaining an OAuth token for the default service account, I'm able to access protected resources. However, with the newly created service account, I can't access resources even if the security rule is set to if true.
What permissions would I have to give this manually created service account in order to allow it access?
Creating a service account by itself grants no permissions. The Permissions tab in IAM & Admin > Service Accounts shows a list of "Principals with access to this account" - this is not the inheritance of permissions, it's simply which accounts, aka principals, can make use of the permissions granted to this service account. The "Grant Access" button on this page is about granting other principals access to this service account, not granting access to resources for this service account.
For Firestore access specifically - go to IAM & Admin > IAM, and you'll be on the permissions tab. Click "Add" at the top of the page. Type in your newly created service account under "New Principals", and for roles, select "Cloud Datastore Owner".
Note: Firestore is the next generation of Datastore, but this legacy role name has remained.
I am building a Firebase application (using Firestore) which needs to support custom authentication via single sign on through a third party system.
In the past, I have done this type of integration with my own authentication system. To do this, I installed the Firebase Admin SDK on my own server and used the secret key to sign a JWT that was passed back to the client, which then could be used to grant access to the Firebase application.
However, since the Admin SDK grants full access to the Firebase app, I have concerns about handing those keys over to another party. Is there a way that I can provide a secret key that grants more limited privileges to the third party? I want them to be able mint JWTs for their users to access the app, but I don't want them to be able to directly read/write from my database.
I think I've solved this by taking the following steps...
1) Access the Firebase project's IAM admin tools
2) Create a new service account for the project in the "Service Accounts" section.
3) Create a custom role in the "Roles" section and give it access to all of the Firebase Authentication privileges: https://firebase.google.com/docs/projects/iam/permissions#auth
4) Assign the custom role to the service account in the "IAM" section of the admin interface.
5) Go back to the "Service Accounts" section and create/download a private key for this service account.
6) Use this key as the credentials for the Firebase Admin SDK and create a custom token using the process detailed here: https://firebase.google.com/docs/auth/admin/create-custom-tokens
The SDK should permit creating a custom token, but it will return errors when trying to do other actions such as accessing the project's database.
I have a Firebase account linked to a Google Cloud account. I want to add a collaborator to Firebase, but not allow them to have access to our entire GCP account.
There is no role or ability to create a custom role to grant access to Firebase. Is there a way to do this without granting broad GCP access?