Description
[REQUIRED] Step 2: Describe your environment
- Operating System version: GKE node:10-alpine image
- Firebase SDK version: 8.2.0
- Firebase Product: Firestore
- Node.js version: 10
- NPM version: 6.9.0
[REQUIRED] Step 3: Describe the problem
I have a Google Cloud Platform project that needs to sign custom tokens from GKE compute instances via the node-admin SDK for multiple firebase projects (I need multiple Firestores).
One Firebase project is owned by the GCP project, the other is not (limit of 1:1 set by Google). I have given the GCP project access to both Firebase projects by adding the compute engine default service account to the IAM section for the external Firebase project. I have given it the `Firebase Editor` and `Service Account Token Creator` roles.
I initialise the connection for either Firestore using:
```js
const admin = require('firebase-admin');
// config holds the target project's values (placeholder values shown here)
const config = { databaseURL: '<project>.firebaseio.com', projectId: '<project-id>' };
const app = admin.initializeApp({
  databaseURL: `https://${config.databaseURL}`,
  projectId: config.projectId,
});
```
As you can see, I don't pass any account credentials as I use the compute engine default service account. I switch Firebase instances by passing the `databaseURL` and `projectId`.
When I sign a token using `app.auth().createCustomToken`, this works fine for both Firebase instances.
The issue is when the client tries to authenticate to the Firestore using the custom token. It works for the Firestore that is part of the same project as the service account. For the other Firestore it fails with a 400 mismatch error.
The interesting thing is that the token signed for the external Firebase project (that doesn't work) does work if I then point the frontend to the other Firebase project.
This implies that either `initializeApp` is ignoring the `databaseURL` and `projectId`, or `app.auth().createCustomToken` is.
Explained simply: using the compute default service account from Project A always signs a token for Project A, even if `initializeApp()` is configured with Project B.