Login/Register
Error on firebase admin nodejs Permission iam.serviceAccounts.signBlob is required
Asked Answered
firebasefirebase-authenticationfirebase-admin
Q

2

10

im using this tutorial: https://firebase.google.com/docs/auth/admin/create-custom-tokens#using_a_service_account_id

to create a node.js function (deployed to google cloud functions) to authenticate my users. the function is super simple:

const admin = require('firebase-admin');
admin.initializeApp({
   serviceAccountId: '[email protected]'
});


exports.authenticate = (req, res) => {
   let pass;
   let uid;
   if (req.query) {
      if (req.query.v == 3) {
         pass = req.query.p;
         uid = req.query.u;
      }

         admin.auth().createCustomToken(uid)
            .then(function(customToken) {
               res.status(200).send(customToken);
               return customToken;
            })
            .catch(function(error) {
               console.error("Error creating custom token:" + JSON.stringify(error));
               res.status(400).send(error);
            });

   } else {
      console.error("EMPTY to authentication");
      res.end();
   }
};

but im getting this annoying error:

{"code":"auth/insufficient-permission","message":"Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/[email protected].; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature."}

in the very same tutorial it says i must go to IAM and adjust some roles for the service account WHICH I DID but still getting this error.

this is a absolutelly simple task and shouldn't being such a hassle... what i am forgetting? the id is correct! the role is correct! the code is correct!

what is wrong?

Quiff answered 16/3, 2020 at 10:17 Comment(5)
Have you granted the token creator role to the default service account? Note that the documentation states Moreover, you must also make sure that the service account the Admin SDK is using to make this call —usually {project-name}@appspot.gserviceaccount.com— has the iam.serviceAccounts.signBlob permission. . This is particularly important when running on Cloud Functions.Pleurisy
I am facing exactly the same issue. Both my custom service account and the default firebase-adminsdk account do have the IAM role of Service Account Token Creator and Service Account User. The error message is still Permission iam.serviceAccounts.signBlob is required to perform this operationMel
I am facing exactly the same issue.Boutonniere
I am facing this issue too. Everything seems to be set the same. I have no idea what to do. Any updates on this?Feoffee
@Hunor, sometimes google takes time to propagate permissions, if you are sure you doing right wait 12 hours and try again it might solve by magicQuiff
P
4

Firebase mentions about this error on its docs:

https://firebase.google.com/docs/auth/admin/create-custom-tokens#failed_to_determine_service_account

You must initialize your app correctly through a JSON config file.

A simple fix would be:

  1. Go to https://console.cloud.google.com/iam-admin/iam?project=PROJECT_NAME
  2. Edit your default service account.
  3. Add the role Service Account Token Creator

In a few minutes your project will be able to create signed tokens.

Pascale answered 11/6, 2020 at 17:55 Comment(1)
This solves a few other issues also, so check this has been enabled for other similar errors also.Clergyman
B
0

Another possible cause for this is if IAM and/or IAM Credentials APIs are not enabled in the project. The error message in that case is different from OP's, but it may happen that the original error is lost and all you get back is a 403. In that case, it is helpful to make sure these APIs are enabled as well.

From [1]:

If you are specifying a service account ID for signing tokens you may get an error similar to the following:

Identity and Access Management (IAM) API has not been used in project
1234567890 before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=1234567890
then retry. If you enabled this API recently, wait a few minutes for the action
to propagate to our systems and retry.

The Firebase Admin SDK uses the IAM API to sign tokens. This error indicates that the IAM API [2] is not currently enabled for your Firebase project. Open the link in the error message in a web browser, and click the "Enable API" button to enable it for your project.

Note that the signBlob IAM API from [2] is deprecated in favor of signBlob IAM Credentials API from [3]. Because of this, there is a chance Firebase will start using this new API, so it makes sense to enable it as well. The procedure to enable it is the same as described above, but one has to substitute iam.googleapis.com with iamcredentials.googleapis.com.

For the reference, [2] uses

POST https://iam.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signBlob

while [3] uses

POST https://iamcredentials.googleapis.com/v1/{name=projects/*/serviceAccounts/*}:signBlob

and both requests require iam.serviceAccounts.signBlob permission, as indicated in the other answers.

[1] https://firebase.google.com/docs/auth/admin/create-custom-tokens#iam_api_not_enabled

[2] https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/signBlob

[3] https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob

Beehive answered 3/1 at 20:58 Comment(2)
While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From ReviewEastsoutheast
Thanks @Ouroborus, I've updated the answer with more details.Beehive

© 2022 - 2024 — McMap. All rights reserved.