Authenticate to firebase-admin using Google End User Credentials
Introduction
Service accounts are the usual way to authenticate to GCP services, Firebase included, but for a local development environment they are not a good fit: you have to keep a downloaded key on disk, and that key is a long-lived credential that anyone who can read it can use to act as the service account until it is rotated. GCP itself discourages downloading service account keys.
In this post I quickly describe how to use End User Credentials (EUC), which is the best option I have found so far. It suits the case where you want to authenticate to Firebase from your local environment.
How?
The Firebase documentation is self-explanatory. Check this section of their docs to learn how to create an OAuth client secret and use it with the gcloud CLI:
https://firebase.google.com/docs/admin/setup#testing_with_gcloud_end_user_credentials
Authorize for Google APIs
If you want to access services like Firestore, you have to request the necessary OAuth scopes at login time. Check this reference for the --scopes flag:
https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login#--scopes
Example command with Firestore permissions:
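As an added example (not the post's own command, nor anything from Firebase or Google), here is the login step combined with a check of what gcloud actually wrote, as a shell script. It assumes the client secret downloaded from the GCP console is saved as client_secret.json (a hypothetical filename), and the scope list is the assumed minimum for Firestore through firebase-admin (cloud-platform covers Firestore, userinfo.email identifies the user); extend it for the services you actually use.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or the Firebase docs.
# Logs in with an OAuth "Desktop" client secret, verifies the resulting
# Application Default Credentials (ADC), then removes the client secret.
set -e

ADC_FILE="${HOME}/.config/gcloud/application_default_credentials.json"

# Assumed scope set for Firestore via firebase-admin: cloud-platform covers
# Firestore, userinfo.email lets the token identify the user. Extend as needed.
FIRESTORE_SCOPES="https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email"

# Return 0 if FILE is end-user ADC (type authorized_user with a refresh
# token), 1 otherwise. Uses only grep so it works without jq.
adc_is_end_user() {
  file="$1"
  [ -f "$file" ] || return 1
  grep -q '"type"[[:space:]]*:[[:space:]]*"authorized_user"' "$file" || return 1
  grep -q '"refresh_token"' "$file" || return 1
}

# Print what kind of credential FILE holds: end-user, service-account or unknown.
# A service_account type here means ADC was pointed at a downloaded key,
# which is exactly what this setup is meant to avoid.
adc_kind() {
  file="$1"
  if adc_is_end_user "$file"; then
    echo end-user
  elif [ -f "$file" ] && grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$file"; then
    echo service-account
  else
    echo unknown
  fi
}

# Interactive login: opens a browser; the client secret is needed only here.
adc_login() {
  client_secret="$1"
  scopes="$2"
  gcloud auth application-default login \
    --client-id-file="$client_secret" \
    --scopes="$scopes"
}

main() {
  client_secret="${1:-client_secret.json}"   # hypothetical default filename
  adc_login "$client_secret" "$FIRESTORE_SCOPES"
  if [ "$(adc_kind "$ADC_FILE")" != "end-user" ]; then
    echo "error: $ADC_FILE does not contain end-user credentials" >&2
    exit 1
  fi
  # The client secret has done its job; do not leave it lying around.
  rm -f -- "$client_secret"
  echo "ADC ready at $ADC_FILE; revoke later with: gcloud auth application-default revoke"
}

# Run the login flow only when invoked as: ./adc-login.sh login [client_secret.json]
if [ "${1:-}" = "login" ]; then
  main "${2:-client_secret.json}"
fi
```

The point of the check is that ADC is a file path your code never sees, so the only thing worth verifying after login is that the file gcloud wrote is end-user credentials and not a leftover service account key. If Firestore calls are rejected for lack of a quota project, `gcloud auth application-default set-quota-project <project>` records one in the same file.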
Once you are authenticated, gcloud saves the credentials here:
$HOME/.config/gcloud/application_default_credentials.json
Note that this file holds a refresh token for your own Google account, so it is still a secret: keep it out of version control, and run gcloud auth application-default revoke when you no longer need it.
Advantages
The main advantage is that you can delete the client secret file as soon as the gcloud auth command has completed; the client secret is only needed to perform the login. As the docs show, firebase-admin can then use Application Default Credentials to authenticate to Firebase services, so no key file has to be referenced from your code.
Disadvantages
The main disadvantage is that creating the client secret cannot be automated. You have to go to the GCP console and create it by hand. It would be much better if this could be automated, because then the whole process could be plugged into a Yarn/NPM script and forgotten about.
gcloud CLI
According to GCP, the gcloud alpha iap oauth-clients command can create client ID files, but it has no flag for application-type, which needs to be set to Desktop for use with Firebase:
https://cloud.google.com/iap/docs/programmatic-oauth-clients
gcloud REST API
The same limitation applies to the corresponding REST API:
https://cloud.google.com/iap/docs/reference/rest/v1/projects.brands.identityAwareProxyClients
Terraform
There is a resource called google_iap_client in Terraform, but again, application-type cannot be set there either.
These GCP tools are still in alpha/beta, and hopefully they will gain the flags we need in the future.
CC: Google Cloud, Google Developers
Good Luck! 🎉