firebasegoogle-cloud-platformfirebase-authenticationgoogle-cloud-functionsauthorization

Use http Google Cloud Functions "Require Authentication" with Firebase


In my front-end, I'm using the Firebase authentication and the firebaseAuth.currentUser?.getIdToken(true) function to get the token and send it as an Authorization: Bearer {token} header to the Google function.

I used to parse the token in the function and validate it within the function code. But I want to enable the Require authentication setting for it. The problem is that I receive the Your client does not have permission to the requested URL error in this case.

I tried to set the allAuthenticatedUsers, {project}@appspot.gserviceaccount.com and firebase-service-account@firebase-sa-management.iam.gserviceaccount.com principals with Cloud Functions Invoker role, but it did not help.

Is there any way I can do so Require Authentication is enabled, and GC allows to execute the function only for the users authenticated with the Firebase?


Solution

  • Google Cloud IAM roles, such as "allAuthenticatedUsers" and service accounts, have nothing at all to do with Firebase Authentication user ID tokens. They aren't compatible with each other and are not interchangeable in any way. You can't simply replace your code to validate a Firebase Auth token with IAM permissions.

    The only way to implement Firebase Auth token validation is using code you write, typically with the Firebase Admin SDK.