[FR] Is it possible to use impersonated service account?

[blue-hope]

Is your feature request related to a problem? Please describe.
maybe related to #1703
I think It is not natural for the client to always have the service account json file, and I want to access the firebase admin through impersonate service account generated by gcloud auth application-default login --impersonate-service-account= which the service account has permission for generating custom token.
However, when I use the service account which now stored in ADC, firebase admin throws an error message: 'Refresh token must contain a "client_id" property.'.
In fact, the impersonate service account does not have a client_id itself, but it is contained in source_credentials like:

{
  "delegates": [],
  "service_account_impersonation_url": "",
  "source_credentials": {
    "client_id": "",
    "client_secret": "",
    "refresh_token": "",
    "type": "authorized_user"
  },
  "type": "impersonated_service_account"
}

Describe the solution you'd like
When checking ADC's service account, if type is impersonated_service_account, then check source_credentials.

Describe alternatives you've considered
I can manually get my service account from ADC and use 'source_credentials'. But is it really the only solution for checking impersonated service account?

Additional context
No additional context

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[lahirumaramba]

Hey @blue-hope Thank you for your feature request and the PR! I am looking into this now. Thank you for your patience!

[blue-hope]

@lahirumaramba Are there any updates?

[Klaitos]

Hello, any chance to get that reviewed ? It will helps a lot to reduce the risk of generating a json key.
Thanks !

[lahirumaramba]

This is fixed in #1862 and now included in the v11.5.0 release.

Thanks folks for your patience on this! Try out the new feature if you get a chance and let us know what you think.
If you encounter any issues, please open a new issue on Github. Thank you!

[frederikvanhevel]

Hi @blue-hope ! Thanks for working on this! Could you let me know what your initializeApp function looks like?

I'm initializing firebase like this:

initializeApp({
        credential: applicationDefault()
    })

But I get the following error:

Error: //cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters. Raw server response: "{"error":{"code":403,"message":"Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.","errors":[{"message":"Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.","domain":"usageLimits","reason":"accessNotConfigured","extendedHelp":"https://console.developers.google.com"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"SERVICE_DISABLED","domain":"googleapis.com","metadata":{"consumer":"projects/764086051850","service":"identitytoolkit.googleapis.com"}}]}}"

[rafael-fecha]

Hi @blue-hope ! Thanks for working on this! Could you let me know what your initializeApp function looks like?

I'm initializing firebase like this:

initializeApp({
        credential: applicationDefault()
    })

But I get the following error:

Error: //cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters. Raw server response: "{"error":{"code":403,"message":"Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.","errors":[{"message":"Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.","domain":"usageLimits","reason":"accessNotConfigured","extendedHelp":"https://console.developers.google.com"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"SERVICE_DISABLED","domain":"googleapis.com","metadata":{"consumer":"projects/764086051850","service":"identitytoolkit.googleapis.com"}}]}}"

+1

[Klaitos]

Hello, you need to authenticate as a service account, not an end-user.
gcloud auth application-default login --impersonate-service-account my-service-account@email.com

Of course your end-user will need specific permission like Service Account User on the impersonated service account