
[FR] Allow initializing app manually with impersonated service account

Open swftvsn opened this issue 1 year ago • 5 comments

Is your feature request related to a problem? Please describe.

We have a need to instantiate multiple instances of firebase admin to access multiple projects at the same time. This works nicely in production using:

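import { initializeApp, cert } from 'firebase-admin/app'

// Parse the service account key JSON and create a named app for one project.
const serviceAccountObject = JSON.parse(serviceAccountString)
const app1 = initializeApp({
  projectId: projectId,
  credential: cert(serviceAccountObject),
  databaseURL: databaseUrl,
  storageBucket: storageBucket
}, 'myNamedApp1')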

However, it seems to be impossible to supply the impersonated service account json from local ADC login (obtained using gcloud auth application-default login --impersonate-service-account [email protected]) as ImpersonatedServiceAccountCredential is not exported.

We rolled our own, but it fails as isApplicationDefault uses instanceof to do the checking.

Describe the solution you'd like

Add a way to initialize from ADC logins manually: add a method (like refreshToken and cert) to src/app/credential-factory.ts that takes impersonatedServiceAccountPathOrObject etc. as a parameter.

// Cache of credentials, keyed by the stringified path or object they were created from.
const globalImpersonatedServiceAccountCreds: { [key: string]: ImpersonatedServiceAccountCredential } = {};
export function impersonatedServiceAccount(impersonatedServiceAccountPathOrObject: string | object, httpAgent?: Agent): Credential {
  const stringifiedImpersonatedServiceAccount = JSON.stringify(impersonatedServiceAccountPathOrObject);
  // Create the credential only on first use; later calls with the same input reuse it.
  if (!(stringifiedImpersonatedServiceAccount in globalImpersonatedServiceAccountCreds)) {
    globalImpersonatedServiceAccountCreds[stringifiedImpersonatedServiceAccount] = new ImpersonatedServiceAccountCredential(
      impersonatedServiceAccountPathOrObject, httpAgent);
  }
  return globalImpersonatedServiceAccountCreds[stringifiedImpersonatedServiceAccount];
}

swftvsn, Sep 03 '24 05:09
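
An added example, not part of the original issue and not firebase-admin code: a local pre-check that tells a downloaded key file apart from the impersonated ADC file discussed above, and rejects an impersonation URL that does not point at the IAM Credentials endpoint. The function name `describeCredential` and the sample objects are hypothetical; the field names are those found in the JSON files gcloud writes, and the default googleapis.com endpoint is assumed.

```javascript
// Added example (not firebase-admin code). describeCredential and the sample
// objects are hypothetical; field names follow the JSON files gcloud writes.
const IMPERSONATION_URL =
  /^https:\/\/iamcredentials\.googleapis\.com\/v1\/projects\/-\/serviceAccounts\/([^/:]+):generateAccessToken$/;

function describeCredential(input) {
  const cred = typeof input === 'string' ? JSON.parse(input) : input;
  if (cred === null || typeof cred !== 'object') {
    throw new TypeError('credential must be a JSON object');
  }
  switch (cred.type) {
    case 'service_account':
      // Downloaded key file: carries a long-lived private key.
      return { kind: cred.type, principal: cred.client_email ?? null,
               hasPrivateKey: typeof cred.private_key === 'string' };
    case 'impersonated_service_account': {
      // ADC file written by an --impersonate-service-account login.
      // Assumption: default googleapis.com endpoint. Rejecting anything else
      // keeps an edited file from moving the token exchange to another host.
      const url = String(cred.service_account_impersonation_url ?? '');
      const m = IMPERSONATION_URL.exec(url);
      if (!m) throw new Error('unexpected service_account_impersonation_url');
      return { kind: cred.type, principal: decodeURIComponent(m[1]),
               sourceType: cred.source_credentials?.type ?? null,
               hasPrivateKey: typeof cred.source_credentials?.private_key === 'string' };
    }
    default:
      throw new Error(`unsupported credential type: ${String(cred.type)}`);
  }
}

// Constructed sample inputs; they contain no real secrets.
const SAMPLE_IMPERSONATED = {
  type: 'impersonated_service_account',
  service_account_impersonation_url:
    'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/' +
    'dev-sa@example-project.iam.gserviceaccount.com:generateAccessToken',
  source_credentials: { type: 'authorized_user', client_id: 'constructed',
                        client_secret: 'constructed', refresh_token: 'constructed' },
  delegates: [],
};
const SAMPLE_KEY_FILE = {
  type: 'service_account',
  client_email: 'dev-sa@example-project.iam.gserviceaccount.com',
  private_key: 'constructed-placeholder',
};

console.log(describeCredential(SAMPLE_IMPERSONATED));
console.log(describeCredential(SAMPLE_KEY_FILE));
```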

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

google-oss-bot, Sep 03 '24 05:09

Added PR https://github.com/firebase/firebase-admin-node/pull/2695 to fix this.

swftvsn, Sep 04 '24 08:09

@dconeybe could someone please weigh in on this one, whether it is feasible or not? This is blocking us from using a more secure way to develop software locally.

swftvsn, Sep 12 '24 10:09

Hey @swftvsn thanks for your contribution on this. We are migrating our internal credentials handling to google-auth-library in #2466, which should address this issue.

I have reprioritized this issue and am actively working on it again to include #2466 in an official release. In the meantime, if you are interested, could you try the test build shared in https://github.com/firebase/firebase-admin-node/issues/1377#issuecomment-1971607584 and confirm if that works with your impersonated service account?

lahirumaramba, Sep 12 '24 15:09

@lahirumaramba I can confirm that the solution in #2466 works for impersonated service accounts.

swftvsn, Oct 04 '24 16:10

Thanks! Should be fixed in https://github.com/firebase/firebase-admin-node/pull/2466

lahirumaramba, Nov 05 '24 17:11