I have a server side app that does not run on node.js (a Cloudflare Worker), so I'm trying to access Firestore resources via REST calls and not through the Admin SDK.
I have a default service account created automatically for the Admin SDK, and I created another service account manually in the GCP console.
After obtaining an OAuth token for the default service account, I'm able to access protected resources. However, with the newly created service account, I can't access resources even if the security rule is set to if true.
What permissions would I have to give this manually created service account in order to allow it access?
Creating a service account by itself grants no permissions. The Permissions tab in IAM & Admin > Service Accounts shows a list of "Principals with access to this account" - this is not the inheritance of permissions, it's simply which accounts, aka principals, can make use of the permissions granted to this service account. The "Grant Access" button on this page is about granting other principals access to this service account, not granting access to resources for this service account.
For Firestore access specifically - go to IAM & Admin > IAM, and you'll be on the permissions tab. Click "Add" at the top of the page. Type in your newly created service account under "New Principals", and for roles, select "Cloud Datastore Owner".
Note: Firestore is the next generation of Datastore, but this legacy role name has remained.
Related
Background
We are building an app which authenticates end user using Firebase Authentication (backed by GCP Identity Platform). At the same time, we leverage some Google API of which permission is set based on IAM Role/Principal. That means the API call is valid only if the caller calls the API with a valid access token of authorized IAM Principal.
According to Doug in this post: How to add Firebase auth user to GCP IAM access policy "IAM doesn't know anything about Firebase Authentication users."
Already tried: Add the Firebase user as an IAM Principal when it's created. It works only for the user signs in user Google account. Otherwise, IAM will throw error "Email addresses and domains must be associated with an active Google Account, Google Workspace account, or Cloud Identity account."
Question: Is there any recommended way to authorize Firebase user accessing Google API? Do I need to build a customized authorization layer in Firebase to keep track of who can access what. Then, use that as a guard to relay the requests to the underlying Google API only if the user is authorized by the authorization logic?
I made a mistake and removed the default IAM role of an Firebase app on Google Cloud Console.
What is the default IAM role on AppEngine?
Is the App Engine Admin the correct one?
As written by #Ferregina in the comment section, the default IAM role for App Engine is the Editor role, which means that any user account with
sufficient permissions to deploy changes to the Cloud project can also run code with read/write access to all resources within that project(i.e. User
account having editor role will also be having viewer role or read/write access).
I am building a Firebase application (using Firestore) which needs to support custom authentication via single sign on through a third party system.
In the past, I have done this type of integration with my own authentication system. To do this, I installed the Firebase Admin SDK on my own server and used the secret key to sign a JWT that was passed back to the client, which then could be used to grant access to the Firebase application.
However, since the Admin SDK grants full access to the Firebase app, I have concerns about handing those keys over to another party. Is there a way that I can provide a secret key that grants more limited privileges to the third party? I want them to be able mint JWTs for their users to access the app, but I don't want them to be able to directly read/write from my database.
I think I've solved this by taking the following steps...
1) Access the Firebase project's IAM admin tools
2) Create a new service account for the project in the "Service Accounts" section.
3) Create a custom role in the "Roles" section and give it access to all of the Firebase Authentication privileges: https://firebase.google.com/docs/projects/iam/permissions#auth
4) Assign the custom role to the service account in the "IAM" section of the admin interface.
5) Go back to the "Service Accounts" section and create/download a private key for this service account.
6) Use this key as the credentials for the Firebase Admin SDK and create a custom token using the process detailed here: https://firebase.google.com/docs/auth/admin/create-custom-tokens
The SDK should permit creating a custom token, but it will return errors when trying to do other actions such as accessing the project's database.
I have a Firebase account linked to a Google Cloud account. I want to add a collaborator to Firebase, but not allow them to have access to our entire GCP account.
There is no role or ability to create a custom role to grant access to Firebase. Is there a way to do this without granting broad GCP access?
I am using firebase simple-login in my angularjs-app.
Is there any possibility to manage all existing user accounts (not with forge console)?
An admin-user should be enabled to edit and delete these accounts.
When you allow (for example) Twitter users to log in to you Firebase application, all Twitter users can log in to your Firebase application. You can't directly control specific user accounts, unless you implement your own custom authentication.
What you do have control is over what those user accounts have (read and write) access to. You do this through Firebase's security rules. If you'd remove an accounts read/write access from all your data, you've essentially locked them out of your Firebase.
You can programmatically set the security rules through the REST API. See updating security rules through rest api.