In my front-end, I'm using the Firebase authentication and the firebaseAuth.currentUser?.getIdToken(true)
function to get the token and send it as an Authorization: Bearer {token}
header to the Google function.
I used to parse the token in the function and validate it within the function code. But I want to enable the Require authentication
setting for it.
The problem is that I receive the Your client does not have permission to the requested URL
error in this case.
I tried to set the allAuthenticatedUsers
, {project}@appspot.gserviceaccount.com
and firebase-service-account@firebase-sa-management.iam.gserviceaccount.com
principals with Cloud Functions Invoker
role, but it did not help.
Is there any way I can do so Require Authentication
is enabled, and GC allows to execute the function only for the users authenticated with the Firebase?
Google Cloud IAM roles, such as "allAuthenticatedUsers" and service accounts, have nothing at all to do with Firebase Authentication user ID tokens. They aren't compatible with each other and are not interchangeable in any way. You can't simply replace your code to validate a Firebase Auth token with IAM permissions.
The only way to implement Firebase Auth token validation is using code you write, typically with the Firebase Admin SDK.