Service Account Auth failing with 403


Vivek Garg

Sep 10, 2016, 11:52:10 AM
to Firebase Google Group
Hello Everyone,

Somewhat new to Firebase. I am running into a 403 Forbidden when attempting to access the Firebase database from the server side. Here are the details:

1. I have a Google Compute instance configured with the "Compute Engine default service account". The instance was started with Cloud API access scopes set to full access. Also, the service account has the "Owner" role.

2. I obtain a bearer token from the metadata server using the following request:
 

3. Then I use the bearer token to make the following request to firebase:
curl --verbose https://myproject.firebaseio.com/users.json -H "Authorization: Bearer <ACCESS_TOKEN>"

4. I get the following response:

< HTTP/1.1 403 Forbidden
* Server nginx is not blacklisted
< Server: nginx
< Date: Sat, 10 Sep 2016 14:09:31 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 37
< Access-Control-Allow-Origin: *
< Cache-Control: no-cache

{
  "error" : "Permission denied."
}


5. My database rules are set as:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}


Originally I wrote it as an application in Golang, but then decided to drop down to curl to reproduce the problem. My Golang application had the same problem while using the firego and knq/firebase libs. OTOH, on my local machine, where I am logged in using gcloud, my Golang application can access the DB successfully.


Any help is greatly appreciated as I am running out of ideas on what is causing it. I am guessing there is a config/tweak somewhere that I am not aware of.


Vivek

Vivek Garg

Sep 11, 2016, 1:54:57 AM
to Firebase Google Group
I was able to get past the issue based on a suggestion in: https://github.com/knq/firebase/issues/1

TL;DR: even though the service account has the Editor role, the instance must be granted permission to UserInfo. This can be done when the instance is being started. Check out the link above for additional discussion as well as a pointer to an example.

Vivek

Kenneth Shaw

Sep 11, 2016, 1:55:13 AM
to Firebase Google Group
Hi Vivek,

I'm fairly certain this is because the compute instance you are using does not have the necessary Firebase authorization scopes attached to it.

I updated the knq/firebase repository's gce example with some documentation on the matter, see here: https://github.com/knq/firebase/tree/master/examples/gce

Basically, when you create the compute instance, you need to add the appropriate scopes for the service account created for that instance. Alternatively, if you are using the downloaded service account credentials from the Google console, you need to make sure that those credentials have the appropriate scopes.

The scopes needed for the Firebase v3+ API:


If you are using the gcloud command line tool, these can be passed when creating an instance:

$ gcloud compute instances create <INSTANCE_NAME> --scopes userinfo-email,https://www.googleapis.com/auth/firebase.database


I would hope that the Firebase team can convince the gcloud team in the future to make the gcloud tool automatically add that scope to created instances to avoid the problem in the future. My guess is that since you have to separately / manually import projects into the Firebase console, that the respective Firebase/gcloud teams have not yet finished that integration aspect.

Hope this helps you with using the knq/firebase package. Let me know if you have any other questions.
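The flow Vivek describes in his first post (token from the metadata server, then a bearer request against the database) and the scope check Kenneth recommends can be put together in a single Go program using only the standard library. This is an added example, not code from this thread and not part of knq/firebase or any Firebase SDK. The metadata paths and the required Metadata-Flavor header are those of the GCE metadata server; the two scope strings are the ones Kenneth lists; https://myproject.firebaseio.com is Vivek's placeholder URL; all function names and the metadata base parameter are my own choices. The program first reads the scopes the instance was actually created with and refuses to proceed if either required scope is absent, because a token minted by the metadata server cannot carry a scope the instance lacks, no matter which IAM role the service account holds.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

const (
	// The two scopes Kenneth names in this thread for the Firebase v3+ REST API.
	ScopeFirebaseDatabase = "https://www.googleapis.com/auth/firebase.database"
	ScopeUserinfoEmail    = "https://www.googleapis.com/auth/userinfo.email"
	// GCE metadata server; passed as a parameter so a test can substitute a fake.
	DefaultMetadataBase = "http://metadata.google.internal/computeMetadata/v1/"
)

// get issues a GET with one extra header and returns status and trimmed body.
func get(client *http.Client, url, hdr, val string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set(hdr, val)
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), err
}

// metadataGet reads one metadata path; the Metadata-Flavor header is mandatory.
func metadataGet(client *http.Client, base, path string) (string, error) {
	status, body, err := get(client, strings.TrimRight(base, "/")+"/"+path, "Metadata-Flavor", "Google")
	if err == nil && status != http.StatusOK {
		err = fmt.Errorf("metadata %s: HTTP %d: %s", path, status, body)
	}
	return body, err
}

// InstanceScopes lists the scopes the instance was created with, one per line.
func InstanceScopes(client *http.Client, base string) ([]string, error) {
	body, err := metadataGet(client, base, "instance/service-accounts/default/scopes")
	if err != nil {
		return nil, err
	}
	return strings.Fields(body), nil
}

// MissingScopes returns the required scopes absent from have. A non-empty result
// predicts the 403 regardless of the IAM role, since tokens never exceed instance scopes.
func MissingScopes(have []string, required ...string) (missing []string) {
	present := map[string]bool{}
	for _, s := range have {
		present[s] = true
	}
	for _, r := range required {
		if !present[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

// AccessToken mints a bearer token for the instance's default service account.
func AccessToken(client *http.Client, base string) (string, error) {
	body, err := metadataGet(client, base, "instance/service-accounts/default/token")
	if err != nil {
		return "", err
	}
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := json.Unmarshal([]byte(body), &tok); err != nil || tok.AccessToken == "" {
		return "", fmt.Errorf("bad token response %q: %v", body, err)
	}
	return tok.AccessToken, nil
}

// ReadDatabase GETs a REST path such as "users.json" with the bearer token; the
// status is returned so a 403 {"error":"Permission denied."} stays visible.
func ReadDatabase(client *http.Client, dbURL, path, token string) (int, string, error) {
	return get(client, strings.TrimRight(dbURL, "/")+"/"+path, "Authorization", "Bearer "+token)
}

func main() {
	scopes, err := InstanceScopes(http.DefaultClient, DefaultMetadataBase)
	if err != nil {
		log.Fatalln("metadata server unreachable (not on GCE?):", err)
	}
	if m := MissingScopes(scopes, ScopeFirebaseDatabase, ScopeUserinfoEmail); len(m) > 0 {
		log.Fatalln("instance lacks scopes; recreate it with --scopes:", m)
	}
	token, err := AccessToken(http.DefaultClient, DefaultMetadataBase)
	if err != nil {
		log.Fatalln(err)
	}
	fmt.Println(ReadDatabase(http.DefaultClient, "https://myproject.firebaseio.com", "users.json", token))
}
```

Run it on the instance itself (the metadata server is only reachable from inside the VM). An instance started with "full access" but without the firebase.database scope, as in the original report, fails at the scope check with a message naming the missing scope, which is a faster diagnosis than reading a bare "Permission denied." from the database.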