I am trying to establish service-service authentication between Cloud Functions and Cloud Endpoints.
I am trying to send a HTTP request inside a Firebase Cloud Function to my API running on Google App Engine and managed by Google Cloud Endpoints.
As stated in google docs, the service account that Firebase Cloud Functions uses is ____#cloudservices.gserviceaccount.com
I added that issuer in the security definition of my openAPI config(cloud endpoints). However, I could not find a way to create an access token in Cloud Functions of that service account.
How can I generate an access token in Cloud Functions to authenticate itself to Cloud Endpoints? How am I supposed to sign the JWT on cloud functions to request an access token?
Use Application Default Credentials.
Related
I want to protect an API endpoint that is used by a Firebase cloud function. My plan was to use the authentication system of Firebase by using custom tokens generated in Firebase with the createCustomToken() method, send them with the Authorization header and then validate those in the API. I tried doing this with verifyIdToken() but it turns out that this is the wrong approach.
How can I validate custom tokens in my API, or what is the recommended approach here?
I'm taking my first steps with Vision ML and using the REST interface. (https://vision.googleapis.com/v1/files:annotate). As API key I provide the key from the Firebase project settings. In the Authorization Bearer, I supply the token from Firebase-Auth after sign-in.
When accessing Annotate I get a 403 (Permission_Denied) error message back:
Error opening file: gs://######.appspot.com/MyFile.tiff.
The object is available in the corresponding bucket and it is not blocked due to the Firebase Storage rules.
Can I pass a Firebase token in this REST interface at all?
How do I make sure that the service account can access the storage?
Thank you for any hint
I am currently using Firebase in iOS app with flutter framework.
The default Google Cloud API key created by firebase has unrestricted access to APIs, so I want to restrict it to certain APIs that my app uses for security reasons.
However, after making API restrictions, almost all firebase related components work fine, but the app does not seem to be able to get Firebase Cloud Messaging Token (e.g. FirebaseMessaging.getToken() call fails). The app suppose to retrieve this token and send it to the backend server such that the server can send FCM messages, but when this call is made, it just hangs for a while and returns null.
When my app key has unrestricted access to APIs, it retrieves FCM token fine, but as soon as I restrict it, it fails to retrieve the token.
I currently have whitelisted following APIs for the Firebase iOS App Key.
Identity Toolkit API
Token Service API
Firebase Remote Config API
Firebase Dynamic Links API
FCM Registration API
Firebase Cloud Messaging API
I have gone through other API list and they do not seem to be related to Firebase Cloud Messaging at all, so I did not select anything else, so I am stuck. Has anyone else encountered this problem when they tried to restrict Firebase API key?
(I am attaching the full API permission list below.)
App Engine Admin API
BigQuery API
BigQuery Storage API
Cloud Build API
Cloud Datastore API
Cloud Debugger API
Cloud Deployment Manager V2 API
Cloud DNS API
Cloud Firestore API
Cloud Functions API
Cloud Logging API
Cloud Messaging
Cloud Monitoring API
Cloud OS Login API
Cloud Pub/Sub API
Cloud Resource Manager API
Cloud Run API
Cloud Runtime Configuration API
Cloud Scheduler API
Cloud Source Repositories API
Cloud SQL
Cloud SQL Admin API
Cloud Storage
Cloud Tasks API
Cloud Testing API
Cloud Trace API
Compute Engine API
Container Registry API
FCM Registration API
Firebase App Distribution API
Firebase Cloud Messaging API
Firebase Dynamic Links API
Firebase Extensions API
Firebase Hosting API
Firebase Installations API
Firebase Management API
Firebase Mods API
Firebase Remote Config API
Firebase Rules API
Google Cloud APIs
Google Cloud Storage JSON API
Google Play Android Developer API
IAM Service Account Credentials API
Identity and Access Management (IAM) API
Identity Toolkit API
Kubernetes Engine API
Legacy Cloud Source Repositories API
Maps Embed API
Maps JavaScript API
Maps SDK for Android
Maps SDK for iOS
Maps Static API
Mobile Crash Reporting API
Service Management API
Service Usage API
Stackdriver API
Street View Publish API
Street View Static API
Token Service API
You have to additionally white-list the Firebase Installations API.
Details can be found here:
https://github.com/firebase/firebase-android-sdk/blob/master/firebase-installations/API_KEY_RESTRICTIONS.md
I have read this page a few times it implies and does not imply that if I enable authentication when deploying a Cloud Run instance I can use Firebase Auth to get through to the service.
I tried passing in a valid Firebase user idToken and did not get through. Was I doing something wrong or is the only way to get through to Cloud Run when Authentication is enabled to use google sign in?
Steps to reproduce:
When deploying to Cloud Run select Yes for authenticated
Generate a firebase auth token using REST call from here
make api call to Cloud run instance using header bellow and ID_TOKEN from step 2 above
Authorization: Bearer ID_TOKEN
According with the comment, the use case is to authorize only the registered, and the authenticated user (with Firebase auth), to use a Cloud Run endpoint deployed privately.
You can't do it directly, you need to use an additional layer. Here I propose to use Cloud Endpoint. I wrote an article on this to set up an authentication with API Key.
You have the principles of Cloud Endpoint there. You simply have to change the security definition from API Key to Firebase auth. You can found documentation here
Note: The authentication methods can evolved the next quarters. Stay tuned
I have a node.js client that uses firebase authentication. Now I want to access Google Cloud Storage, however the firebase SDK for node.js does not include GCS. Using #google-cloud/storage works but only with anonymous access. How do I apply the firebase credential to #google-cloud/storage so that GCS access is in the context of the logged-in user?
Node.js is a server that operates in a privileged environment. The Firebase Admin SDK (aka the Node SDK) talks to other services via a service account.
Firebase Authentication enables client-side authentication. The JavaScript SDK is the client-side SDK.
There is no Node.js client SDK for Firebase that accesses Cloud Storage. Since both the Firebase Admin SDK and the Google Cloud Platform client for Node.js use administrative privileges to access Cloud Storage, it looks like those won't be an option for you either.
The two options I can think of are:
Use the Admin SDK in a Cloud Function, and expose the files from Cloud Storage that way.
Use the REST API for Cloud Storage.
I admit that neither is trivial, so I hope somebody knows a better solution.