I'm using this tutorial: https://firebase.google.com/docs/auth/admin/create-custom-tokens#using_a_service_account_id

to create a Node.js function (deployed to Google Cloud Functions) to authenticate my users. The function is super simple:

```javascript
const admin = require('firebase-admin');

// Tokens are signed as this service account; the function itself still
// runs under the runtime's own identity.
admin.initializeApp({
   serviceAccountId: 'authenticator@igibo-b0b27.iam.gserviceaccount.com'
});

exports.authenticate = (req, res) => {
   let pass;
   let uid;
   if (req.query) {
      if (req.query.v == 3) {
         pass = req.query.p; // read here but not used anywhere below
         uid = req.query.u;
      }

      // Ask the Admin SDK for a custom token for the requested uid.
      admin.auth().createCustomToken(uid)
         .then(function(customToken) {
            res.status(200).send(customToken);
            return customToken;
         })
         .catch(function(error) {
            console.error("Error creating custom token:" + JSON.stringify(error));
            res.status(400).send(error);
         });
   } else {
      console.error("EMPTY to authentication");
      res.end();
   }
};
```

But I'm getting this annoying error:

{"code":"auth/insufficient-permission","message":"Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/authenticator@igibo-b0b27.iam.gserviceaccount.com.; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature."}

In the very same tutorial it says I must go to IAM and adjust some roles for the service account, WHICH I DID, but I'm still getting this error.

This is an absolutely simple task and shouldn't be such a hassle... What am I forgetting? The ID is correct! The role is correct! The code is correct!

What is wrong?

Rafael Lima
  • Have you granted the token creator role to the default service account? Note that the documentation states `Moreover, you must also make sure that the service account the Admin SDK is using to make this call —usually {project-name}@appspot.gserviceaccount.com— has the iam.serviceAccounts.signBlob permission.` This is particularly important when running on Cloud Functions. – Hiranya Jayathilaka Mar 16 '20 at 21:07
  • I am facing exactly the same issue. Both my custom service account and the default firebase-adminsdk account do have the IAM role of `Service Account Token Creator` and `Service Account User`. The error message is still `Permission iam.serviceAccounts.signBlob is required to perform this operation` – Ivan Wang Apr 25 '20 at 07:39
  • I am facing exactly the same issue. – Jørgen Svennevik Notland Apr 29 '20 at 12:56
  • I am facing this issue too. Everything seems to be set the same. I have no idea what to do. Any updates on this? – Hunor Mar 19 '21 at 12:23
  • @Hunor, sometimes Google takes time to propagate permissions. If you are sure you are doing it right, wait 12 hours and try again; it might be solved by magic. – Rafael Lima Mar 21 '21 at 23:58

1 Answer

Firebase mentions this error in its docs:

https://firebase.google.com/docs/auth/admin/create-custom-tokens#failed_to_determine_service_account

You must initialize your app correctly through a JSON config file.

A simple fix would be:

  1. Go to https://console.cloud.google.com/iam-admin/iam?project=PROJECT_NAME
  2. Edit your default service account.
  3. Add the role Service Account Token Creator

In a few minutes your project will be able to create signed tokens.

Marco Nascimento
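
A way to check which identity actually holds the role the answer and the first comment refer to, as an added example that is not part of the original answer or the Firebase SDK. It assumes IAM policy objects in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`; the function names, the runtime account address and both sample policies are constructed for illustration.

```javascript
// Added example: constructed policies and hypothetical function names.
// Only the role named on this page is checked; other roles are ignored.
const TOKEN_CREATOR = 'roles/iam.serviceAccountTokenCreator';

// Roles bound to a service account in an IAM policy object of the form
// { bindings: [{ role, members: ['serviceAccount:...'] }] }.
function rolesFor(policy, email) {
  const member = `serviceAccount:${email}`;
  return ((policy && policy.bindings) || [])
    .filter((b) => (b.members || []).includes(member))
    .map((b) => b.role);
}

// callerEmail is the identity the function runs as, not the serviceAccountId
// passed to initializeApp. The role counts whether it is bound in the project
// policy or in the target service account's own policy.
function checkTokenCreator(callerEmail, projectPolicy, targetPolicy) {
  const inProject = rolesFor(projectPolicy, callerEmail).includes(TOKEN_CREATOR);
  const onTarget = rolesFor(targetPolicy, callerEmail).includes(TOKEN_CREATOR);
  const grantedAt = inProject ? 'project' : onTarget ? 'serviceAccount' : null;
  return { caller: callerEmail, hasTokenCreator: grantedAt !== null, grantedAt };
}

// Constructed sample: the runtime address follows the
// {project-name}@appspot.gserviceaccount.com pattern quoted in the comments.
const RUNTIME_SA = 'igibo-b0b27@appspot.gserviceaccount.com';
const TARGET_SA = 'authenticator@igibo-b0b27.iam.gserviceaccount.com';

// Token Creator bound only to the account named in serviceAccountId.
const before = {
  bindings: [
    { role: TOKEN_CREATOR, members: [`serviceAccount:${TARGET_SA}`] },
    { role: 'roles/editor', members: [`serviceAccount:${RUNTIME_SA}`] },
  ],
};
// Token Creator bound to the runtime account as well, as the answer describes.
const after = {
  bindings: [
    { role: TOKEN_CREATOR, members: [`serviceAccount:${TARGET_SA}`, `serviceAccount:${RUNTIME_SA}`] },
    { role: 'roles/editor', members: [`serviceAccount:${RUNTIME_SA}`] },
  ],
};

console.log(checkTokenCreator(RUNTIME_SA, before, { bindings: [] }));
console.log(checkTokenCreator(RUNTIME_SA, after, { bindings: [] }));
```

Run the check with the runtime identity as `callerEmail`; a result of `grantedAt: null` for that account matches the situation the first comment describes.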