[FR] Permission 'iam.serviceAccounts.signBlob' denied on resource, when initializing an App with Service Account ID from another Firebase project

[ruslan-simonenko]

[READ] Step 1: Are you in the right place?

Yes

[REQUIRED] Step 2: Describe your environment

• Operating System version: Google Cloud environment
• Firebase SDK version: 11.11.1
• Firebase Product: auth
• Node.js version: 18
• NPM version: 10.2.3

[REQUIRED] Step 3: Describe the problem

The documentation for custom token creation implies that one can init an app using service account ID, and create a token with it:
https://firebase.google.com/docs/auth/admin/create-custom-tokens#using_a_service_account_id

This does not seem to be the case for multi-project setup. The troubleshoot guide is unfortunately unhelpful. And error message that Auth module provides is counter-productive as it says that service account has a permission issue, which it does not.

This problem was previously mentioned in #1410.

Steps to reproduce:

Goal: create a token for Project A from Project B's function.

1. Create two Firebase Projects A & B.
2. Create service account "Token Creator" in Project A.
3. Grant it "Service Account Token Creator" permission.
4. Create Firebase callable Function (v2) that creates JWT token:
5. Call this function from Project B.

Expected: token is created
Actual:

Unhandled error FirebaseAuthError: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature.

This error is hard to debug, as one would assume that something is wrong with the way Service Account is set up. However the reality is that the issue lies with how the App is initialized - it must be initialized with Service Account Private Key, not ID.

It would have saved me a few hours if the library threw an error during App initialization: "This service account must be initialized with a private key, as it belongs to a different Firebase project", or if at least the troubleshoot guide described this caveat.

Relevant Code:

import { onCall } from 'firebase-functions/v2/https';
import { auth, initializeApp } from 'firebase-admin';

const serviceAccount: ServiceAccount = {
  projectId: 'a',
  clientEmail: '[email protected]',
  privateKey: '...'
}

export const createJWT = onCall(async () => {
  // const app = initializeApp(
  //   { serviceAccountId: { credential: credential.cert(serviceAccount) } },
  //   'a',
  // ); // << works
  const app = initializeApp(
    { serviceAccountId: '[email protected]' },
    'a',
  ); // << does not work, but fails on the next line
  const token = await auth(app).createCustomToken('test');
  return { token };
});

[rttll]

Also getting this error, in a brand new project.
Confirmed that the default service account has the right role/permissions. e.g.

firebase-adminsdk-[FOO]@[PROJECT_ID].iam.gserviceaccount.com and the role is Service Account Token Creator

And functions/src/index.ts:

import { onRequest } from 'firebase-functions/v2/https';

import { initializeApp } from 'firebase-admin/app';
import { getAuth } from 'firebase-admin/auth';

initializeApp();

const auth = getAuth();
const testId = 'test_id';

export const helloWorld = onRequest(async (_request, response) => {
  const token = await auth.createCustomToken(testId);
  response.send(token);
});

[alex-leshchuk]

@ruslan-simonenko @rttll

I also ran into this error. I tried updating the service account roles, but that didn’t fix it. I ended up solving it by specifying the credential in initializeApp.

Here’s how I fixed it:

In the Firebase console, go to Project settings -> Service accounts -> Generate new private key.
Add the downloaded .json file to your project (make sure to add it to your .gitignore).
Then, import the file and set it in initializeApp. Here’s how it looks for me:

import { initializeApp, cert } from "firebase-admin/app";
import serviceAccount from "/path/to/service-account.json";
import { ServiceAccount } from "firebase-admin/lib/app/credential";

initializeApp({
  credential: cert(serviceAccount as ServiceAccount),
});

This resolved the issue for me. Hope this helps in your cases as well!