How to Use Firebase-Admin SDK with Credentials of ServiceAccount in Different Project?

1
votes

I have two Google Cloud Platform projects - let's call them proj-a and proj-b. I have a GCP ServiceAccount created in proj-a that tries to access user objects that are managed by Firebase Authentication running on top of proj-b.

The ServiceAccount has been assigned the Firebase Authentication Admin Google Cloud IAM role on the firebase project.

The output of the following code snippet looks promising:

import firebase_admin
from firebase_admin import auth

app = firebase_admin.initialize_app(options={"projectId": "proj-b"})
print(f"app: {app.project_id}")
print(f"creds: {app.credential.project_id}")

app: proj-b
creds: proj-a

But when I now call auth.get_user("some-id") I get the error message: Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Of course, the identity toolkit has not been enabled on proj-a since Firebase is running on proj-b. How to get this running? The ServiceAccount is located in proj-a because most other components of the backend are located there. Defining the ServiceAccount in proj-b is therefore not an acceptable solution for me.

Full (cleaned) stack trace below:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 397, in get_user
    response = self._client.request('post', 'getAccountInfo', json=payload)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 514, in request
    resp.raise_for_status()
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 230, in get_user
    response = user_manager.get_user(uid=uid)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 400, in get_user
    self._handle_http_error(INTERNAL_ERROR, msg, error)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 545, in _handle_http_error
    raise ApiCallError(code, msg, error)
firebase_admin._user_mgt.ApiCallError: Failed to get user by user ID: some-id.
Server response: {
  "error": {
    "code": 403,
    "message": "Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A} then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
    "errors": [
      {
        "message": "Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A} then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
        "domain": "usageLimits",
        "reason": "accessNotConfigured",
        "extendedHelp": "https://console.developers.google.com"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 233, in get_user
    raise AuthError(error.code, str(error), error.detail)
firebase_admin.auth.AuthError: Failed to get user by user ID: some-id.
Server response: {
  "error": {
    "code": 403,
    "message": "Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project=543111740960 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
    "errors": [
      {
        "message": "Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project=543111740960 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
        "domain": "usageLimits",
        "reason": "accessNotConfigured",
        "extendedHelp": "https://console.developers.google.com"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}

Update after updating firebase-admin client library

As mentioned by @Hiranya Jayathilaka I was not running the latest version of the firebase admin SDK. After updating from version 2.14.0 to 3.2.1 the app appears to connect to the correct project but I still get a permission denied error. I checked the permissions of the used ServiceAccount on proj_b and even gave it roles/firebase.admin as well as roles/editor just to make sure I do not lack any necessary permissions.

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 479, in get_user
    'post', '/accounts:lookup', json=payload)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_http_client.py", line 113, in body_and_response
    resp = self.request(method, url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_http_client.py", line 105, in request
    resp.raise_for_status()
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://identitytoolkit.googleapis.com/v1/projects/{PROJECT_ID_OF_PROD_B}/accounts:lookup

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 268, in get_user
    response = user_manager.get_user(uid=uid)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 481, in get_user
    raise _auth_utils.handle_auth_backend_error(error)
firebase_admin.exceptions.PermissionDeniedError: Error while calling Auth service (Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https). //console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A} then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
1
firebasegoogle-cloud-platformfirebase-admingoogle-iam

1 Answers

1
votes

You seem to be using an old version of the Python SDK. Old versions used to identify the target project for Auth API calls from the service account. This is evident from the legacy endpoint that it's trying to reach: https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo. Since your service account is from proj-a, that's what it's targeting.

If you use v2.16.0 or higher, the SDK will connect to the new project-specific endpoint. Specifically, you need this change to be included in your SDK: https://github.com/firebase/firebase-admin-python/pull/256