
Authenticate to firebase-admin using Google End User Credentials

Akila Dananjaya
Published: May 29, 2022

We usually use service accounts to authenticate to GCP services, including Firebase, but it’s not an optimal solution because you have to keep your key in your local environment. So there is always a security concern if we don’t manage them properly. GCP also discourages downloading service account keys. In this post, I’m going to quickly describe how to use End User Credentials (EUC), which is so far the best option I found. This works well when you want to authenticate to Firebase in your local environment.

How?

The Firebase documentation is self-explanatory. Check this particular section in their docs to learn how to create a client secret and use the gcloud CLI.

https://firebase.google.com/docs/admin/setup#testing_with_gcloud_end_user_credentials

Authorize for Google APIs

If you want to access services like Firestore, you have to add the necessary scopes. Check this reference to find out how to use the --scopes flag.

https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login#--scopes

Example command with Firestore permissions:

Once you are authenticated, it will save credentials here:

$HOME/.config/gcloud/application_default_credentials.json

Advantages

The main advantage is that you can delete your client secret file after running the gcloud auth command. As you can see in the docs, firebase-admin can use default credentials to authenticate to Firebase services.

Disadvantages

The main disadvantage is that we can’t automate the process of creating client secrets. You have to go to the GCP UI and manually create them. It’s so much better if we can automate this process because then we can plug the whole process into a Yarn/NPM script and forget about it.

gcloud CLI

According to GCP, we can use the gcloud alpha iap oauth-clients command to create client ID files, but it doesn’t have a flag to pass application-type, which we need to set to Desktop in order to use it with Firebase.

https://cloud.google.com/iap/docs/programmatic-oauth-clients

gcloud REST API

The same issue applies to their REST API.

https://cloud.google.com/iap/docs/reference/rest/v1/projects.brands.identityAwareProxyClients

Terraform

There is a resource called google_iap_client in Terraform. But again, we can’t pass application-type here either.

These GCP tools are still in an alpha/beta state, and hopefully they will add all the flags we need in the future.

CC: Google Cloud, Google Developers

Good Luck! 🎉