
I am struggling to provide a service account with exactly the permissions it needs to fully use the Identity Platform via the Firebase SDK, including programmatically managing tenants.

According to the documentation it needs the following permissions:

  • google.cloud.identitytoolkit.v1.AccountManagementService
  • google.cloud.identitytoolkit.v1.AuthenticationService
  • google.cloud.identitytoolkit.admin.v2.ProjectConfigService
  • google.cloud.identitytoolkit.admin.v2.TenantManagementService

Unfortunately, I can't find any of them in the IAM. I have already tried with all Identity Platform / Firebase / Firebase Authentication / Identity Toolkit permissions, but every time I got "permission denied".

What are the actual names of the roles / permissions?

Update: As @xBurnsed hinted, that seems to be the role "Identity Platform Administrator".

If I assign the required role "Identity Platform Administrator" to the service account directly, it works. But if I create my own role, which, supposedly (according to my understanding, see screenshot), takes over all permissions of the role "Identity Platform Administrator", and assign it to the service account, it doesn't work. The feedback is:

{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

[screenshot: the permission list of the custom role]

Can anyone explain this?

stoniemahonie

1 Answer


You are confusing roles with permissions and services. Predefined roles contain a set of permissions. You can always create a custom role to set specific permissions. Some services require certain roles to be used.

In your case, the list you posted

  • google.cloud.identitytoolkit.v1.AccountManagementService
  • google.cloud.identitytoolkit.v1.AuthenticationService
  • google.cloud.identitytoolkit.admin.v2.ProjectConfigService
  • google.cloud.identitytoolkit.admin.v2.TenantManagementService

refers to services. In order to be able to use those, giving the Identity Platform Admin role to your service account should do the trick.

xBurnsed
  • Thanks for the clarification, I guess I actually got confused! But the question remains: How can I assign the required permissions to a custom role, as they already have, for example, viewer / editor? I can't find them in the selection when creating a new role... – stoniemahonie Nov 09 '21 at 12:47
  • 1
    @stoniemahonie Try giving to your service account the following role: Identity Platform Admin. Confirm if it does the trick for you and I'll edit my answer. – xBurnsed Nov 09 '21 at 13:14
  • I tried it that way and it actually worked, thanks! However, this opens up a new mystery for me, I have updated my post accordingly. Do you have an answer to this as well? – stoniemahonie Nov 11 '21 at 10:39
  • @stoniemahonie Are you sure you are selecting all the permissions from the Identity Platform Admin role? It is strange, because in my list there appear to be more permissions than in your image. Check [this](https://i.imgur.com/5M29X0I.png). – xBurnsed Nov 11 '21 at 11:08
  • I checked it again, it really only shows me the 4 from the screenshot. Very strange. I've since moved away from the IP because of the extremely poor documentation and the impression that this is an immature product. Thanks for your help! – stoniemahonie Nov 30 '21 at 23:40
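A check for the custom-role puzzle raised in the update and the comments above, added here as a worked example (it is not code from either participant or from Google). It diffs the custom role against roles/identityplatform.admin using the JSON that the real commands `gcloud iam roles describe` and `gcloud iam list-testable-permissions` emit, and labels each permission the custom role lacks with the customRolesSupportLevel IAM reports for it; IAM marks some permissions as NOT_SUPPORTED for custom roles, so a custom role cannot always be a full copy of a predefined role. It then writes a role file containing only the permissions a custom role may hold. PROJECT_ID, the role id identityPlatformCustom and the SAMPLE_* data are placeholders and constructed input, not the real contents of the role or of any project.

```python
"""Compare a custom role with roles/identityplatform.admin and explain a 403.

Added example for this thread (not code from the posters or from Google).
Input is the JSON written by these real gcloud commands, run online first;
PROJECT_ID and the role id identityPlatformCustom are placeholders:

  gcloud iam roles describe roles/identityplatform.admin --format=json >predefined.json
  gcloud iam roles describe identityPlatformCustom --project=PROJECT_ID --format=json >custom.json
  gcloud iam list-testable-permissions \\
      //cloudresourcemanager.googleapis.com/projects/PROJECT_ID --format=json >testable.json

Usage: python role_gap.py predefined.json custom.json testable.json
With no arguments it runs on the constructed SAMPLE_* data below, which only
mimics the shape of that output and is NOT the real content of the role.
"""
import json
import sys

# Constructed sample of `roles describe` for the predefined role.
SAMPLE_PREDEFINED = {
    "name": "roles/identityplatform.admin",
    "includedPermissions": [
        "firebaseauth.configs.get", "firebaseauth.configs.update",
        "firebaseauth.users.get", "firebaseauth.users.update",
        "identitytoolkit.tenants.create", "identitytoolkit.tenants.get",
        "resourcemanager.projects.get",
    ],
}

# Constructed sample of the custom role as created in the console, two short.
SAMPLE_CUSTOM = {
    "name": "projects/my-project/roles/identityPlatformCustom",
    "includedPermissions": [
        "firebaseauth.configs.get", "firebaseauth.users.get",
        "firebaseauth.users.update", "identitytoolkit.tenants.get",
        "resourcemanager.projects.get",
    ],
}

# Constructed sample of `list-testable-permissions`. The support levels here
# are made up for the demo; the real command reports the real ones.
# customRolesSupportLevel is omitted for the default value, SUPPORTED
# (assumption about the JSON encoding; the enum values are documented).
SAMPLE_TESTABLE = [
    {"name": "firebaseauth.configs.get"},
    {"name": "firebaseauth.configs.update", "customRolesSupportLevel": "TESTING"},
    {"name": "firebaseauth.users.get"},
    {"name": "firebaseauth.users.update"},
    {"name": "identitytoolkit.tenants.create", "customRolesSupportLevel": "NOT_SUPPORTED"},
    {"name": "identitytoolkit.tenants.get"},
    {"name": "resourcemanager.projects.get"},
]


def permissions(role: dict) -> set[str]:
    """Permission names a `gcloud iam roles describe` document grants."""
    return set(role.get("includedPermissions", []))


def missing_from_custom(predefined: dict, custom: dict) -> list[str]:
    """Permissions the predefined role has and the custom role lacks."""
    return sorted(permissions(predefined) - permissions(custom))


def support_levels(testable: list[dict]) -> dict[str, str]:
    """name -> SUPPORTED | TESTING | NOT_SUPPORTED, per list-testable-permissions."""
    return {p["name"]: p.get("customRolesSupportLevel", "SUPPORTED") for p in testable}


def explain_gap(predefined: dict, custom: dict, testable: list[dict]) -> dict[str, str]:
    """Each missing permission with its custom-role support level; a
    NOT_SUPPORTED entry cannot be put into any custom role."""
    levels = support_levels(testable)
    return {p: levels.get(p, "NOT_TESTABLE_ON_PROJECT")
            for p in missing_from_custom(predefined, custom)}


def grantable_subset(predefined: dict, testable: list[dict]) -> list[str]:
    """Permissions of the predefined role that a custom role may contain."""
    levels = support_levels(testable)
    return sorted(p for p in permissions(predefined)
                  if levels.get(p) in ("SUPPORTED", "TESTING"))


def role_yaml(title: str, perms: list[str]) -> str:
    """Role definition for `gcloud iam roles create ID --project=P --file=role.yaml`."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in perms]
    return "\n".join(lines) + "\n"


def main(argv: list[str]) -> None:
    if len(argv) == 4:
        with open(argv[1]) as a, open(argv[2]) as b, open(argv[3]) as c:
            predefined, custom, testable = json.load(a), json.load(b), json.load(c)
    else:
        predefined, custom, testable = SAMPLE_PREDEFINED, SAMPLE_CUSTOM, SAMPLE_TESTABLE
    for perm, level in explain_gap(predefined, custom, testable).items():
        print(f"missing from custom role: {perm:40} custom-role support: {level}")
    print("# role.yaml with every permission a custom role can hold:")
    print(role_yaml("Identity Platform (custom)", grantable_subset(predefined, testable)), end="")


if __name__ == "__main__":
    main(sys.argv)
```

The printed YAML goes into `gcloud iam roles create identityPlatformCustom --project=PROJECT_ID --file=role.yaml`, and the role is then bound with `gcloud projects add-iam-policy-binding PROJECT_ID --member=serviceAccount:SA_EMAIL --role=projects/PROJECT_ID/roles/identityPlatformCustom` (SA_EMAIL is a placeholder). If the gap report lists a NOT_SUPPORTED permission that the SDK call actually needs, no custom role will satisfy it and the predefined role is the only option, which is the situation the thread ends on.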