4

Goal

Using googleapis with firebase functions. Get a JWT token so firebase functions can use a service account with domain-wide delegation to authorize G Suite APIs like directory and drive.

Question

What goes in path.join()?

What is __dirname? What is 'jwt.keys.json'?

From this example: https://github.com/googleapis/google-api-nodejs-client/blob/master/samples/jwt.js

  // Create a new JWT client using the key file downloaded from the Google Developer Console
  const auth = new google.auth.GoogleAuth({
    keyFile: path.join(__dirname, 'jwt.keys.json'), // <---- WHAT GOES IN path.join()
    scopes: 'https://www.googleapis.com/auth/drive.readonly',
  });

Error

When I run

  const auth = new google.auth.GoogleAuth({
    keyFile: path.join(__dirname, "TEST"), // <-- __dirname == /srv/ at runtime
    scopes: 'https://www.googleapis.com/auth/drive.readonly',
  });

From the GCP Logs I get this error:

Error: ENOENT: no such file or directory, open '/srv/TEST'

Obviously TEST isn't valid, but is '/srv/'?

What is the keyFile, a file path? a credential?

Another Example

https://github.com/googleapis/google-api-nodejs-client#service-to-service-authentication

Chadd
  • 636
  • 7
  • 30
  • 1
    `keyFile` is the filename of the service account JSON file you downloaded from the Google Console when you created the service account. You mention JWT token. You want a Google OAuth Access Token created from a service account. Also, read the documentation for G Suite Domain Wide Delegation to understand how to do this. https://developers.google.com/admin-sdk/directory/v1/guides/delegation Pay attention to the section on `delegation` as you are missing this in your code. – John Hanley Mar 07 '20 at 07:14
  • Thanks John! It works when I provide a string with a path to the services account secret config json. I need to provide the credentials for continuous integration. It's no go to push this config json to source control. So maybe the question is, **Is there a way to use Firebase Environmental Variables** with `google.auth.GoogleAuth` – Chadd Mar 08 '20 at 14:43

2 Answers

4

I found documentation here:

https://googleapis.dev/nodejs/google-auth-library/5.10.1/classes/JWT.html

If you do not want to include a file, you can use key, keyId, and email to submit credentials when requesting authorization.

Chadd
  • 636
  • 7
  • 30
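Added example (not from the original posts or from the googleapis project): one way to supply the service account's `client_email`, `private_key` and `private_key_id` from environment configuration instead of a key file, mapped onto the `key`, `keyId` and `email` options named above. The helper names, the generated throwaway key, the sample config and `admin@example.com` are constructed for illustration; the signing step only proves locally that the restored key parses and shows where the delegated user (`sub`) goes.

```javascript
const crypto = require('crypto');

// Constructed throwaway key standing in for the service account's private_key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  publicKeyEncoding: { type: 'spki', format: 'pem' },
});

// Hypothetical helper: map config values onto key / keyId / email options.
function jwtOptionsFromConfig(cfg, scopes, subject) {
  for (const name of ['client_email', 'private_key']) {
    if (!cfg[name]) throw new Error(`missing config value: ${name}`);
  }
  // Config stores often hold the PEM with literal "\n"; restore real newlines.
  const key = cfg.private_key.replace(/\\n/g, '\n');
  if (!key.includes('-----BEGIN PRIVATE KEY-----')) {
    throw new Error('private_key is not a PEM private key');
  }
  return { email: cfg.client_email, key, keyId: cfg.private_key_id, scopes, subject };
}

const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Hypothetical helper: sign the RS256 assertion a service-account client sends.
function signAssertion(opts, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT', kid: opts.keyId };
  const claims = {
    iss: opts.email,
    sub: opts.subject, // user impersonated under domain-wide delegation
    scope: opts.scopes.join(' '),
    aud: 'https://oauth2.googleapis.com/token',
    iat: now,
    exp: now + 3600,
  };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign('RSA-SHA256', Buffer.from(input), opts.key))}`;
}

// Constructed config, shaped like values read from environment configuration.
const sampleConfig = {
  client_email: 'svc@example-project.iam.gserviceaccount.com',
  private_key_id: 'constructed-key-id',
  private_key: privateKey.replace(/\n/g, '\\n'),
};
const opts = jwtOptionsFromConfig(sampleConfig,
  ['https://www.googleapis.com/auth/drive.readonly'], 'admin@example.com');
console.log(signAssertion(opts).split('.').length);
```

With googleapis installed, the object returned by `jwtOptionsFromConfig` has the shape `new google.auth.JWT(...)` accepts, so the client library does the signing and token exchange itself and no key file is deployed.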
1

You seem to have a lot of questions around how this works. I would strongly encourage you to read the basics of Google authentication.

JWT is short for JSON Web Token. It is a standard defining a secure way to transmit information between parties in JSON format. In your code "jwt" is a class containing a keys property. There are a ton of JWT libraries. There are some popular packages using Node/Express frameworks.

__dirname // In Node this is the absolute path of the directory containing the currently executing file.

path.join is a method that joins different path segments into one path.

Here you are taking the absolute path and concatenating some piece of information to the end of the path. I am not certain what is contained in jwt.keys.json but that is what is being appended to the end of the absolute path in this case.

Without knowing your project structure or what you are pointing to it's not really possible to say what is and is not a valid path in your project.

keyFile is a key in an object (as denoted by the {key: value} format) under google.auth. As seen in the sample code you referenced, the script is taking the google.auth library and calling a method to construct an object with the information you are providing so that it abstracts away other elements of the authentication process for you. You are giving it two pieces of information: 1) The location of the keyFile which presumably are the credentials and 2) The scope or set of permissions you are allowing. In the example it is readonly access to Drive.

EDIT: The private key file that the calling service uses to sign the JWT.

adlopez15
  • 3,449
  • 2
  • 14
  • 19
  • 1
    I'm catching up to newer googleapis. In the last year `google.auth.JWT` became `google.auth.GoogleAuth` and changed how/where scope and auth get sorted. – Chadd Mar 07 '20 at 04:26
  • Previously, `google.auth.JWT` only needed the service accounts credentials, which could be safely pulled in via firebase:config. Looking at the newest example for `google.auth.GoogleAuth`, I'm missing how to keep the JWT credentials secret. – Chadd Mar 07 '20 at 04:34
  • The documentation on the official client may be what you are looking for: https://github.com/googleapis/google-api-nodejs-client#google-apis-nodejs-client – adlopez15 Mar 07 '20 at 05:59
  • 1
    I would like to use the example from the official client docs. Do you know where to include the service account credentials? I do not want to include a file with these secrets. Previously, I passed in Firebase Environmental Variables where I included `private_key`, `client_id`, etc. – Chadd Mar 08 '20 at 14:35