In my front-end, I'm using the Firebase authentication and the firebaseAuth.currentUser?.getIdToken(true) function to get the token and send it as an Authorization: Bearer {token} header to the Google function.

I used to parse the token in the function and validate it within the function code. But I want to enable the Require authentication setting for it. The problem is that I receive the Your client does not have permission to the requested URL error in this case.

I tried to set the allAuthenticatedUsers, {project}@appspot.gserviceaccount and firebase-service-account@firebase-sa-management.iam.gserviceaccount principals with Cloud Functions Invoker role, but it did not help.

Is there any way I can do so Require Authentication is enabled, and GC allows to execute the function only for the users authenticated with the Firebase?

In my front-end, I'm using the Firebase authentication and the firebaseAuth.currentUser?.getIdToken(true) function to get the token and send it as an Authorization: Bearer {token} header to the Google function.

I used to parse the token in the function and validate it within the function code. But I want to enable the Require authentication setting for it. The problem is that I receive the Your client does not have permission to the requested URL error in this case.

I tried to set the allAuthenticatedUsers, {project}@appspot.gserviceaccount and firebase-service-account@firebase-sa-management.iam.gserviceaccount principals with Cloud Functions Invoker role, but it did not help.

Is there any way I can do so Require Authentication is enabled, and GC allows to execute the function only for the users authenticated with the Firebase?

• firebase
• google-cloud-platform
• firebase-authentication
• google-cloud-functions
• authorization

Share Improve this question Follow asked Nov 19, 2024 at 10:12 domanskyidomanskyi 75311 gold badge99 silver badges2121 bronze badges 1

• I doubt that the tokens you generate with firebase are compatible with what cloud functions expect, see cloud.google/functions/docs/securing/… and compare it with firebase.google/docs/auth/admin/verify-id-tokens The audience and sub fields have a completely different content. – somethingsomething Commented Nov 19, 2024 at 14:48

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 2

Google Cloud IAM roles, such as "allAuthenticatedUsers" and service accounts, have nothing at all to do with Firebase Authentication user ID tokens. They aren't compatible with each other and are not interchangeable in any way. You can't simply replace your code to validate a Firebase Auth token with IAM permissions.

The only way to implement Firebase Auth token validation is using code you write, typically with the Firebase Admin SDK.