Description
It seems like service account impersonation is the recommended way to authenticate for local development.
But it's not very clear how this is done in practice. Do I need to adapt my code for this?
I've run:
gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL
and I have a token in:
cat /Users/myuser/.config/gcloud/application_default_credentials.json
{
"delegates": [],
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
"source_credentials": {
"account": "",
"client_id": "removed",
"client_secret": "removed",
"refresh_token": "removed",
"type": "authorized_user",
"universe_domain": "googleapis.com"
},
"type": "impersonated_service_account"
}
I have tried code like this (after having looked at #2800):
import { initializeApp, cert } from 'firebase-admin/app';

initializeApp({
  storageBucket: config.firebase.storageBucket,
  credential: cert(process.env['GOOGLE_APPLICATION_CREDENTIALS']),
  projectId: config.firebase.projectId,
})
But then I got an error:
FirebaseAppError: Failed to parse service account json file: Error: Service account object must contain a string "project_id" property.
And with this, I assumed it would pick up the ADC credentials file, notice its impersonation, and things would just work:
import { initializeApp, applicationDefault } from 'firebase-admin/app';

initializeApp({
  storageBucket: config.firebase.storageBucket,
  credential: applicationDefault(),
  projectId: config.firebase.projectId,
})
But then I got this error:
"Getting metadata from plugin failed with error: Could not refresh access token: PERMISSION_DENIED: unable to impersonate: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
My local user has the Owner role in the GCP project, and has owner permissions on the service account. The service account has the Service Account Token Creator role.
I'm using firebase-admin v13.0.1.
Some working sample code for this would be very helpful.
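The following is an added example, not code from the issue above or from firebase-admin itself. It shows two things a practitioner would want when debugging a setup like this: a check that reads the ADC file gcloud wrote and reports which service account it will impersonate, and a small adapter that turns any token source into the object shape firebase-admin's `Credential` interface expects (`getAccessToken()` resolving to `{ access_token, expires_in }`), with caching so the IAM Credentials API is not called on every request. The token source is an assumption for the example; in a real app it would typically be a `google-auth-library` client. The sample ADC content, the service account email and the fake tokens are constructed for the example, so everything runs offline.

```javascript
// Added example (not from the issue or from firebase-admin): helpers for working with an
// impersonated Application Default Credentials (ADC) file from Node.js. No network access.

// Reads the text of application_default_credentials.json and reports which kind of credential
// it holds and which service account will be impersonated. A first check that the file gcloud
// wrote is the one your process is actually going to load.
function describeAdc(jsonText) {
  const adc = JSON.parse(jsonText);
  if (adc.type === 'impersonated_service_account') {
    // gcloud writes the target as .../serviceAccounts/<email>:generateAccessToken
    const match = /serviceAccounts\/([^:/]+):generateAccessToken$/.exec(
      adc.service_account_impersonation_url || ''
    );
    if (!match) {
      throw new Error('impersonated_service_account ADC has no usable service_account_impersonation_url');
    }
    return {
      type: adc.type,
      targetServiceAccount: match[1],
      delegates: Array.isArray(adc.delegates) ? adc.delegates : [],
      sourceType: adc.source_credentials ? adc.source_credentials.type : undefined,
    };
  }
  // Plain service-account key files carry the email directly in client_email.
  return { type: adc.type, targetServiceAccount: adc.client_email, delegates: [], sourceType: undefined };
}

// Converts a { token, expiryDate } pair (expiryDate in epoch milliseconds, the shape
// google-auth-library clients expose via client.credentials.expiry_date) into the
// { access_token, expires_in } object that firebase-admin's Credential.getAccessToken() resolves to.
function toGoogleOAuthAccessToken(tokenInfo, nowMs) {
  if (!tokenInfo || typeof tokenInfo.token !== 'string' || tokenInfo.token === '') {
    throw new Error('token source returned no access token');
  }
  const expiresIn = Math.floor((tokenInfo.expiryDate - nowMs) / 1000);
  return { access_token: tokenInfo.token, expires_in: Math.max(0, expiresIn) };
}

// Wraps an async token source in a firebase-admin Credential. The token is cached and refreshed
// shortly before expiry, so repeated calls do not hit the IAM Credentials API every time.
// tokenSource is an assumption for this example; with google-auth-library it would look like:
//   async () => { const c = await new GoogleAuth({ scopes }).getClient();
//                 const { token } = await c.getAccessToken();
//                 return { token, expiryDate: c.credentials.expiry_date }; }
function makeCredential(tokenSource, now = () => Date.now()) {
  const REFRESH_MARGIN_MS = 60 * 1000;
  let cached = null;
  return {
    async getAccessToken() {
      if (cached === null || cached.expiryDate - now() < REFRESH_MARGIN_MS) {
        cached = await tokenSource();
      }
      return toGoogleOAuthAccessToken(cached, now());
    },
  };
}

// Constructed sample: the shape gcloud produces for an impersonated ADC file, with a made-up
// service account email and redacted source credentials.
const SAMPLE_ADC = JSON.stringify({
  delegates: [],
  service_account_impersonation_url:
    'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example-sa@example-project.iam.gserviceaccount.com:generateAccessToken',
  source_credentials: {
    account: '', client_id: 'removed', client_secret: 'removed', refresh_token: 'removed',
    type: 'authorized_user', universe_domain: 'googleapis.com',
  },
  type: 'impersonated_service_account',
});

// Usage sketch with a real token source (not executed here):
//   initializeApp({ credential: makeCredential(tokenSource), projectId: '<your-project>' });
```

To run the check against the real file, pass `fs.readFileSync(path, 'utf8')` to `describeAdc`; if `targetServiceAccount` is not the account you granted Service Account Token Creator on, the `generateAccessToken` call will be denied regardless of what the Firebase code does. Keeping the token source explicit also means a PERMISSION_DENIED from the IAM Credentials API surfaces at one known point instead of inside the SDK's internal refresh.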