Can't create a custom token in firebase cloud functions because the service account doesn't have the necessary permissions

6
votes

When calling admin.auth().createCustomToken(), I get the following error:

Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/[email protected].; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.

So I go look at the mentioned service account in the IAM section of the cloud platform console, and it has the Editor role, which, indeed, does not have the signBlob permission. What role could I change it to to fix this? I tried creating a custom role based on Editor, but the createBlob permission can't be added to custom roles.

3
firebasegoogle-cloud-platformfirebase-authenticationgoogle-cloud-functionsgoogle-iam

3 Answers

13
votes

The page of documentation you linked to has a section for troubleshooting at the bottom. You're directed to read there for help. It says:

If the service account ID used to sign tokens does not have the iam.serviceAccounts.signBlob permission, you may get an error message like the following:

Permission iam.serviceAccounts.signBlob is required to perform this
operation on service account
projects/-/serviceAccounts/{your-service-account-id}.

The easiest way to resolve this is to grant the "Service Account Token Creator" IAM role to the service account in question:

  1. Open the IAM and admin page in the Google Cloud Platform Console.
  2. Select your project and click "Continue".
  3. Click the edit icon corresponding to the service account ID you wish to update.
  4. Click on "Add Another Role".
  5. Type "Service Account Token Creator" into the search filter, and select it from the results.
  6. Click "Save" to confirm the role grant.

Refer to IAM documentation for more details on this process, or learn how to do update roles using the gcloud command-line tools.

6
votes

I had the same error, and could see that the service account had the "Service Account Token Creator" role in the GCP IAM console UI.

What solved it for me:

Make sure you're using the right Firebase project:

firebase use your-project

Make sure you're using the "App Engine default service account", e.g. [email protected].

Grant the role to that service account via the gcloud cli:

gcloud projects add-iam-policy-binding your-project --member serviceAccount:[email protected] --role roles/iam.serviceAccountTokenCreator

Deploy Firebase:

firebase deploy

After that it did work for me (but not after setting it via the UI without a deployment).

I think this ought to display the role on the service account:

gcloud iam service-accounts get-iam-policy [email protected] --project your-project

But for me still gives etag: ACAB, even though I can see the role on the output of the previous command, and can see that the role works as it's now able to create custom tokens.

1
votes

Go to console accessing this link https://console.cloud.google.com/iam-admin/iam?project=[project-id] following these steps:

  1. Click the edit icon [your-project]@appspot.gserviceaccount.com
  2. Click on Add Another Role
  3. Type Service Account Token Creator into the search filter, and select it from the results
  4. Click Save to confirm