0

I am trying to deploy my cloud functions in GCP and post deployment it is linked to a default service account. However, I have provided values for specific service account on which it should get deployed/linked.

I am using

const admin = require('firebase-admin');
admin.initializeApp({
    credential: admin.credential.cert("path to serviceAccount.json")
});

Service account Json (removed keys for some obvious reasons)

{
  "type": "service_account",
  "project_id": "[PROJECT_ID]",
  "private_key_id": "xxxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\n[KEY_IS_HERE]\n-----END PRIVATE KEY-----\n",
  "client_email": "[CLIENT_EMAIL]",
  "client_id": "[CLIENT_ID]",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "[CLIENT_CERT_URL]"
}

Once Functions are deployed, they are linked to the default service account xyz@appspot.gserviceaccount.com
However the keys are provided for mnq@someServiceAccount.com

I need suggestions on what needs to be done to deploy on some specific service account and not on default one.

someRandomDev
  • 561
  • 6
  • 15
Vipul Singh
  • 393
  • 9
  • 26
  • What are the operations that you are doing that requires to use the non-default service account? When using packages from google cloud, you can define the service account when instantiating these packages. Could you provide some code of the operation(s) you are doing? – someRandomDev May 20 '22 at 15:59
  • 2
    For compute running on GCP e.g. Cloud Functions, you shouldn't provide a Service Account key just the Service Account's email address. Your code should use Application Default Credentials to obtain the runtime Service Account and, when you deploy the Cloud Function, you configure it with the Service Account email address that you want your code to use – DazWilkin May 20 '22 at 17:13

1 Answers1

0

As stated in this answer:

Firebase Cloud Functions use the {project-id}@appspot.gserviceaccount.com service account (App Engine default service account) ... Good to know: When using Google Cloud Functions, the service account being used while running the function can be defined when deploying the function.

But, as said in the first comment:

You can't specify the service account to use when deploying with the Firebase CLI. That only works when you deploy with gcloud, and you can't use gcloud to deploy functions that use the Firebase SDK to build functions. If you need a different service account for functions deployed with the Firebase CLI, you need to deploy the credentials for that account, and use them manually.

Which is the same as stated in the official documentation:

Once you have created a Firebase project, you can initialize the SDK with an authorization strategy that combines your service account file together with Google Application Default Credentials.

Firebase projects support Google service accounts, which you can use to call Firebase server APIs from your app server or trusted environment. If you're developing code locally or deploying your application on-premises, you can use credentials obtained via this service account to authorize server requests.

Rogelio Monter
  • 1,084
  • 7
  • 18