< Back to Blog

Authenticate to firebase-admin using Google End User Credentials

Akila Dananjaya
May 29, 2022

We usually use service accounts in order to authenticate to GCP services including firebase, but it’s not an optimal solution because you have to keep your key in your local environment. So there is always a security concern if we don’t properly manage them. GCP also discourages downloading service account keys. In this post, I’m going to quickly describe how to use End User Credentials (EUC) which is so far the best option I found. This suits well when you want to authenticate to firebase in your local environment.


Firebase documentation is self-explanatory. Check this particular section in their docs to learn how to create a client secret and use glcoud CLI.


Authorize for Google APIs

If you want to access services like Firestore, you have to add necessary scopes. Check this reference to find out how to use the flag.


Example command with Firestore permissions:

Once you are authenticated, it will save credentials here:



The main advantage is that you can delete your client secret file after using gcloud auth the command. As you can see in the docs, firebase-admin can use default credentials in order to authenticate to Firebase services.


The main disadvantage is that we can’t automate the process of creating client secrets. You have to go to the GCP UI and manually create them. It’s so much better if we can automate this process because then we can plug the whole process into a Yarn/NPM script and forget about it.

gcloud CLI

According to GCP, we can use gcloud alpha iap oauth-clients command to create client id files, but it doesn’t have a flag to pass application-type which we need to set as Desktop in order to use it with Firebase.


gcloud REST API

The same issue applies to their REST API.



There is a resource called google_iap_client in Terraform. But again, we can’t pass application-type here as well.

These GCP’s tools are still in alpha/beta state and hopefully, in the future, they will add all the flags we need.

CC: Google Cloud, Google Developers

Good Luck! 🎉