[DOC] Improve documentation for service account impersonation

[ottob]

It seems like service account impersonation is the recommended way to authenticate for local development.

But it's not very clear how this is done in practice. Do I need to adapt my code for this?

I've run:
gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL
and I have a token in:
cat /Users/myuser/.config/gcloud/application_default_credentials.json

{
  "delegates": [],
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/myserviceaccount@myproject.iam.gserviceaccount.com:generateAccessToken",
  "source_credentials": {
    "account": "",
    "client_id": "removed",
    "client_secret": "removed",
    "refresh_token": "removed",
    "type": "authorized_user",
    "universe_domain": "googleapis.com"
  },
  "type": "impersonated_service_account"
}

I have tried code like this (after having looked at #2800):

initializeApp({
    storageBucket: config.firebase.storageBucket,
    credential: cert(process.env['GOOGLE_APPLICATION_CREDENTIALS']),
    projectId: config.firebase.projectId,
  })

But then I got an error:

FirebaseAppError: Failed to parse service account json file: Error: Service account object must contain a string "project_id" property.

and this, I assumed this would pick up the ADC credentials file, notice its impersonation, and things would just work:

initializeApp({
    storageBucket: config.firebase.storageBucket,
    credential: applicationDefault(),
    projectId: config.firebase.projectId,
  })

But then I got this error:

"Getting metadata from plugin failed with error: Could not refresh access token: PERMISSION_DENIED: unable to impersonate: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",

My local user has the Owner role in the GCP project. And has owner permissions on the service account. The service account has the Service Account Token Creator role.

Im using firebase-admin v13.0.1

Some working sample code for this would be very helpful.

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[lahirumaramba]

I think the principal (user) trying to impersonate the service account should also have the Service Account Token Creator role. See: https://stackoverflow.com/a/76378259

The official docs are here: https://cloud.google.com/docs/authentication/use-service-account-impersonation#required-roles

To ensure that the principal has the necessary permission to impersonate a service account, ask your administrator to grant the principal the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) IAM role on the service account.

[ottob]

Thanks for looking at this.

My account has the Owner role, and that includes all the necessary permissions afaik. I have also tried adding Service Account Token Creator role. But that makes no difference.

// using code like this
credential: applicationDefault(),

I still get:

Getting metadata from plugin failed with error: Could not refresh access token: PERMISSION_DENIED: unable to impersonate: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).