Firebase Cloud Function HTTP Request Authorization

Question

I have a scenario where I need to do a secure request a Firebase Cloud Function from an external server using a HTTP request. In order to request it I need to send a bearer JWT token on the authorization header. After sometime looking at the Google documents to Firebase/GCP I've found many different ways to authenticate using google different APIs, but I'm kinda lost on it.

I know that I need to use a service account in order to identify the machine that is calling instead a common human-user credentials. I also know that the service account provides a JSON file that contains secure information to identify that service account, like the private key. By looking different docs I found this one that explains how to generate and request a token. After following those steps, I'm facing a 403 status when I try to call the cloud function using the resulting token.

I doubled checked the roles my service account has and I do have the ones the docs have pointed me.

Does anyone knows or have any suggestions how to proceed to have cloud function authorized calls by a machine (not human) interaction.

Edit 1:

As requested here I'm posting my JWT generator code:

const {
  private_key_id,
  private_key,
  client_email,
} = require('./serviceAccount.json');

const jwt = require('jsonwebtoken');

const payload = {
  "kid": private_key_id,
  "iss": client_email,
  "sub": client_email,
  "iat": 1611257400,
  "exp": 1611260940,
  "aud": "https://oauth2.googleapis.com/token",
  "target_audience": "https://<project- region>.cloudfunctions.net/helloWorld"
};

const token = jwt.sign(payload, private_key, { algorithm: 'RS256', header: {"alg":"RS256","typ":"JWT"} });

console.log(token);

With the result token from above I'm sending a POST request to https://oauth2.googleapis.com/token where the token is sent as the assertion field on a form data.

After suggestions here I did some research and found this blog with instructions to generate a Identity token using my service account. So I ran:

# Load the service account identity
gcloud auth activate-service-account --key-file=key.json
# Generate an id token
gcloud auth print-identity-token

The resulting token gave me the same result a 403 - Forbidden error. The interesting part is that using my user credentials and using gcloud to generate an identity token I was able to request the Cloud function with a 200 result.

I'm thinking that I'm missing some sort of role/privilege/scope on my service account configuration.

question from:https://stackoverflow.com/questions/65837253/firebase-cloud-function-http-request-authorization

Answer 1

Make sure that the service account has assigned the cloudfunctions.functions.invoke in order to guarantee that the Cloud Function can be triggered from an external server using an HTTP request.