
How to use credentials of type external_account with the Firebase admin Node.js SDK?


Richard Blondel

Dec 27, 2024, 11:00:43 AM
to Firebase Google Group

Hi there!

I have a usage question about how to authenticate with the Node.js Firebase admin SDK.

I am trying to use Workload Identity Federation credentials with AWS, i.e. I have a JSON config which looks like this:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/<identity_pool_provider_identifier>",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service_account_email>:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}


The format of this file is specified in AIP-4117.

According to this issue, it is now possible to use credentials of type external_account when using applicationDefault().

I made sure that the GOOGLE_APPLICATION_CREDENTIALS variable is populated correctly.

I tried using the following code:

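const admin = require("firebase-admin");
// Use Application Default Credentials (file named by GOOGLE_APPLICATION_CREDENTIALS).
const firebase = admin.initializeApp({
  credential: admin.credential.applicationDefault(),
  projectId: process.env.GOOGLE_PROJECT_ID,
});
firebase
  .messaging()
  .send({ /* ... notification payload ... */ });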


... which gives this error: Credential implementation provided to initializeApp() via the "credential" property failed to fetch a valid Google OAuth2 access token with the following error: "The caller does not have permission"..

I highly doubt I am missing permissions, since I was using the lower-level google-auth-library client to use Firebase Cloud Messaging, and it worked fine for months.
Now that the Firebase admin SDK supports external account credentials, I wanted to give it a try to be able to use all the features, but I am having this issue.

Anything I might be missing, or doing wrong?

Any help is appreciated. Thanks!

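A pre-flight check of the `external_account` fields shown in the post, as an added example that is not part of the original post or of any Google or Firebase library. The function names are hypothetical, the expected endpoints are an assumption taken from the values in the posted config, and the identifiers in the sample are constructed.

```javascript
// Added example: check an AWS external_account config against the endpoint
// values shown in the post. Expected values are assumptions taken from it.
const TOKEN_URL = "https://sts.googleapis.com/v1/token";
const SUBJECT_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request";
const IMPERSONATION_RE =
  /^https:\/\/iamcredentials\.googleapis\.com\/v1\/projects\/-\/serviceAccounts\/[^\/:]+:generateAccessToken$/;
const AWS_METADATA_HOST = "169.254.169.254";
const AWS_STS_HOST_RE = /^sts\.[a-z0-9-]+\.amazonaws\.com$/;
// Hostname of a URL string, or null when it does not parse.
function hostOf(value) {
  try { return new URL(String(value)).hostname; } catch { return null; }
}

// Returns the names of the fields that do not match the expected values.
function checkExternalAccountConfig(cfg) {
  const bad = [];
  const src = cfg.credential_source || {};
  if (cfg.type !== "external_account") bad.push("type");
  if (!String(cfg.audience || "").startsWith("//iam.googleapis.com/")) bad.push("audience");
  if (cfg.subject_token_type !== SUBJECT_TOKEN_TYPE) bad.push("subject_token_type");
  if (cfg.token_url !== TOKEN_URL) bad.push("token_url");
  // Impersonation is optional; when present it must target iamcredentials.
  const imp = cfg.service_account_impersonation_url;
  if (imp !== undefined && !IMPERSONATION_RE.test(imp)) bad.push("service_account_impersonation_url");
  if (src.environment_id !== "aws1") bad.push("credential_source.environment_id");
  for (const key of ["region_url", "url"]) {
    if (hostOf(src[key]) !== AWS_METADATA_HOST) bad.push(`credential_source.${key}`);
  }
  // {region} is a template placeholder; substitute a sample region to parse it.
  const verifyUrl = String(src.regional_cred_verification_url || "").replace("{region}", "us-east-1");
  const stsOk = verifyUrl.startsWith("https://") && AWS_STS_HOST_RE.test(hostOf(verifyUrl) || "");
  if (!stsOk) bad.push("credential_source.regional_cred_verification_url");
  return bad;
}

// Constructed sample: same shape as the post's config, placeholder identifiers.
const SAMPLE_CONFIG = {
  type: "external_account",
  audience: "//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/example-aws",
  subject_token_type: "urn:ietf:params:aws:token-type:aws4_request",
  service_account_impersonation_url: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/sa@example-project.iam.gserviceaccount.com:generateAccessToken",
  token_url: "https://sts.googleapis.com/v1/token",
  credential_source: {
    environment_id: "aws1",
    region_url: "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    url: "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    regional_cred_verification_url: "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
  },
};
```

An empty result only means the file has the expected shape and endpoints; it does not test IAM bindings on the identity pool or the service account.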