Firebase-tools: Limit access tokens to project scope

Created on 11 Jul 2018 · 6 Comments · Source: firebase/firebase-tools

Version info

3.19.3

Platform Information

all

Tokens created via firebase login:ci are bound to my user. This seems like a big security risk when using this token in a CI system, since one rogue developer on one of my projects could pick this token up and modify/delete all projects my account is connected to.

There should be at least an option to bind the token to a specific project or use one of the tokens I can create in the "api console -> API-Keys".

All 6 comments

This is something we're looking into -- we want to support service account authentication to the Firebase CLI, but need to investigate how to add the capabilities to some of our legacy backends. Stay tuned!

@mbleigh we depend on google-auto-auth don't we?
https://github.com/stephenplusplus/google-auto-auth

Looks like that library can use the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to a service account JSON file. That should work in many cases, right?

@samtstern @theoriginalgri Yes, we do use google-auto-auth.

I recently was working on getting GOOGLE_APPLICATION_CREDENTIALS to work, and that has been merged (#998) and released as of v6.1.0.

See the google-auto-auth readme for more details, but setting GOOGLE_APPLICATION_CREDENTIALS to a JSON file that has the credentials for a service account should work. If you are having troubles, use --debug to make sure you're seeing the errors that are being returned (I found sometimes the APIs were not enabled) and hopefully that'll help you work through them.

If you have significant issues with GOOGLE_APPLICATION_CREDENTIALS, please open a new issue with the appropriate details :)

How would you use GOOGLE_APPLICATION_CREDENTIALS in GitHub Actions for the firebase action?

Using a service account and GOOGLE_APPLICATION_CREDENTIALS is the correct way to have properly-scoped auth for CI/CD systems. For GitHub actions, the way you do this is:

  1. Download a service account key in JSON form, and save it as a secret in your GitHub repo for use with actions.
  2. In your GH action, print the contents of the secret with your service account into a file.
  3. Set the GOOGLE_APPLICATION_CREDENTIALS env variable to the location of the service account file.

It's a little convoluted, but that will ensure that you have limited-scope access in your CI/CD system. FWIW there is no way to scope Google OAuth refresh tokens (the --token value) to a specific project as they are user-centric credentials. Service accounts are the only way to do this.
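Steps 2 and 3 of the procedure above as one GitHub Actions `run:` step, written here as an added example (not code from this thread or from firebase-tools). It assumes the key JSON is passed to the step as an env var named FIREBASE_SERVICE_ACCOUNT (an assumed name) and relies on the standard GITHUB_ENV and RUNNER_TEMP variables that the Actions runner sets.

```shell
#!/usr/bin/env sh
# Added example: write the service-account key secret to a file and point
# GOOGLE_APPLICATION_CREDENTIALS at it for the rest of the job.
# FIREBASE_SERVICE_ACCOUNT is an assumed secret name; GITHUB_ENV and
# RUNNER_TEMP are set by the GitHub Actions runner.
set -eu

# write_credentials JSON DEST [ENV_FILE]
# Writes JSON to DEST readable only by the runner user and appends
# GOOGLE_APPLICATION_CREDENTIALS=DEST to ENV_FILE ($GITHUB_ENV) so later
# steps see it; a plain `export` would die with this step's shell.
# Fails (non-zero) if the secret is empty or is not a service-account key,
# so a misconfigured secret is reported here rather than as a vague
# "have you run firebase login?" from the deploy step.
write_credentials() {
    json="$1"
    dest="$2"
    env_file="${3:-$GITHUB_ENV}"

    [ -n "$json" ] || { echo "credential secret is empty" >&2; return 1; }
    # Cheap sanity check without jq: every service-account key carries this field.
    printf '%s' "$json" | grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' \
        || { echo "secret is not a service account key" >&2; return 1; }

    # umask in a subshell so the file is created 0600 without touching the caller's umask.
    ( umask 077; printf '%s\n' "$json" > "$dest" )
    echo "GOOGLE_APPLICATION_CREDENTIALS=$dest" >> "$env_file"
}

# cleanup_credentials DEST: remove the key file at the end of the job so it
# does not linger on the runner (run it from a final step with `if: always()`).
cleanup_credentials() {
    rm -f "$1"
    [ ! -e "$1" ]
}

# When executed as an Actions step, write the key into the runner's temp dir.
if [ -n "${GITHUB_ENV:-}" ]; then
    write_credentials "${FIREBASE_SERVICE_ACCOUNT:-}" "${RUNNER_TEMP:-/tmp}/gcp-key.json"
fi
```

Grant that service account only the IAM role the deploy actually needs on the one project, which is what gives the CI credential the project-level scope the issue asks for.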

Hi,

I've attempted to do just this @mbleigh but I'm not able to authenticate against Firebase. I always get the following:

Run ./.github/actions/firebase-deploy

Error: Failed to authenticate, have you run firebase login?
Error: Process completed with exit code 1.

Here are the tasks:

      - name: Echo Google Credentials to file
        env:
          GOOGLE_APPLICATION_CREDENTIALS_JSON: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_JSON }}
        run: |
          echo $GOOGLE_APPLICATION_CREDENTIALS_JSON > $PWD/firebase.json
          export GOOGLE_APPLICATION_CREDENTIALS=$PWD/firebase.json

      - name: Deploy to firebase
        #if: env.REF != 'master'
        uses: ./.github/actions/firebase-deploy
        env:
          GOOGLE_APPLICATION_CREDENTIALS: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
        with:
          ref: ${{ env.REF }}
          configuration: ${{ needs.setup.outputs.configuration }}
          file_path: ./${{ env.ANDROID_APP_NAME }}.${{ env.ANDROID_FILE_TYPE }}
          pr_branch_app_id: ${{ secrets.FIREBASE_ANDROID_PR_APP_ID }}
          develop_branch_app_id: ${{ secrets.FIREBASE_ANDROID_DEV_APP_ID }}
          master_branch_app_id: ${{ secrets.FIREBASE_ANDROID_PROD_APP_ID }}

Any help? I can't find specific examples of using the firebase-deploy action with the GOOGLE_APPLICATION_CREDENTIALS auth method.
