Home > Software engineering >  How to provide limited access to Firebase messaging APIs?
How to provide limited access to Firebase messaging APIs?

Time:10-10

Maybe a stupid question here, but when one of the world's leading cloud providers can't manage to provide clear documentation, stupid questions ensue.

We're implementing Firebase strictly for mobile messaging. A project is created, the apps are added. Great. Now, I am looking at how a server application connects to the Firebase API to initiate push notifications.

During creation of the project Google created a firebase-adminsdk service account that the documentation says should be used for authenticating to the API by a server application. However, they provide exactly ZERO information about why I would use this account, or what functions this service account is going to allow.

My concern is that the Google created service account gives ridiculous amounts of permissions to the entire Firebase platform - or at least the entire project. I'm guessing, I don't actually know that. I DONT WANT THAT. I want to create a service account with only permissions to trigger push notifications, or other mobile messaging functionality and generate a key I can share with the application developers. I want that service account to be in addition, and to co-exist, with other service accounts that have other permissions for other specific functions.

How do I do that?

CodePudding user response:

To create a new, limited service account for only Firebase Messaging.

  • Navigate to the Google Cloud Platform Console.
  • Select your Firebase Project from the drop down at the top of the page.
  • Navigate to IAM & Identity
  • Navigate to Service Accounts
  • Create a new service account
  • Provide a name and additional details
  • For the role, choose "Firebase Cloud Messaging API Admin"
  • Complete the service account setup

Next, open the properties of this service account and create the key for the server side app to authenticate using this service account.

Permissions for the "Firebase Cloud Messaging API Admin" role are here: https://gcp.permissions.cloud/predefinedroles/firebasecloudmessaging.admin

[
    "cloudmessaging.messages.create",
    "fcmdata.deliverydata.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list"
]

Without a doubt, the Google created firebase-adminsdk service account has FAR more permissions than it should have in a production environment for any real API usage, and it's ridiculous the documentation doesn't warn you of this.

  • Related