如何在不同的项目中使用具有ServiceAccount凭据的Firebase Admin SDK？_Firebase_Google Cloud Platform_Firebase Admin_Google Iam

如何在不同的项目中使用具有ServiceAccount凭据的Firebase Admin SDK？

firebase google-cloud-platform

如何在不同的项目中使用具有ServiceAccount凭据的Firebase Admin SDK？,firebase,google-cloud-platform,firebase-admin,google-iam,Firebase,Google Cloud Platform,Firebase Admin,Google Iam,我有两个谷歌云平台项目——让我们称它们为proj-a和proj-b。我在proj-a中创建了一个GCP ServiceAccount，它试图访问在proj-b上运行的Firebase身份验证管理的用户对象 ServiceAccount已在Firebase项目上分配了Firebase身份验证管理员Google Cloud IAM角色以下代码段的输出看起来很有希望： import firebase_admin from firebase_admin import auth app = fireb

我有两个谷歌云平台项目——让我们称它们为

proj-a

和

proj-b

。我在

proj-a

中创建了一个GCP ServiceAccount，它试图访问在

proj-b

上运行的Firebase身份验证管理的用户对象

ServiceAccount已在Firebase项目上分配了

Firebase身份验证管理员

Google Cloud IAM角色

以下代码段的输出看起来很有希望：

import firebase_admin
from firebase_admin import auth

app = firebase_admin.initialize_app(options={"projectId": "proj-b"})
print(f"app: {app.project_id}")
print(f"creds: {app.credential.project_id}")

但是，当我现在调用

auth.get\u user（“some id”）

时，我得到一条错误消息：

Identity Toolkit API以前没有在project{PROD\u A}中使用，或者它被禁用。

当然，由于Firebase在

proj-b

上运行，因此在

proj-A

上没有启用Identity Toolkit。如何让它运行？ServiceAccount位于

proj-a

中，因为后端的大多数其他组件都位于该位置。因此，在

proj-b

中定义ServiceAccount对我来说不是一个可接受的解决方案

完整（清洁）堆栈跟踪如下：

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 397, in get_user
    response = self._client.request('post', 'getAccountInfo', json=payload)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 514, in request
    resp.raise_for_status()
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 230, in get_user
    response = user_manager.get_user(uid=uid)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 400, in get_user
    self._handle_http_error(INTERNAL_ERROR, msg, error)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 545, in _handle_http_error
    raise ApiCallError(code, msg, error)
firebase_admin._user_mgt.ApiCallError: Failed to get user by user ID: some-id.
Server response: {
  "error": {
    "code": 403,
    "message": "Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A} then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
    "errors": [
      {
        "message": "Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A} then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
        "domain": "usageLimits",
        "reason": "accessNotConfigured",
        "extendedHelp": "https://console.developers.google.com"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 233, in get_user
    raise AuthError(error.code, str(error), error.detail)
firebase_admin.auth.AuthError: Failed to get user by user ID: some-id.
Server response: {
  "error": {
    "code": 403,
    "message": "Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project=543111740960 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
    "errors": [
      {
        "message": "Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project=543111740960 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
        "domain": "usageLimits",
        "reason": "accessNotConfigured",
        "extendedHelp": "https://console.developers.google.com"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}

回溯（最近一次呼叫最后一次）：
文件“/usr/local/lib/python3.7/site packages/firebase\u admin/\u user\u mgt.py”，第397行，在get\u user中
response=self.\u client.request（'post'，'getAccountInfo'，json=payload）
文件“/usr/local/lib/python3.7/site packages/firebase_admin/auth.py”，第514行，在请求中
针对_状态的相应提升_（）
文件“/usr/local/lib/python3.7/site packages/requests/models.py”，第940行，处于raise_for_状态
引发HTTPError（http\u error\u msg，response=self）
requests.exceptions.HTTPError:403客户端错误：url禁止：https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo
在处理上述异常期间，发生了另一个异常：
回溯（最近一次呼叫最后一次）：
文件“/usr/local/lib/python3.7/site packages/firebase\u admin/auth.py”，第230行，在get\u user中
response=user\u manager.get\u user（uid=uid）
文件“/usr/local/lib/python3.7/site packages/firebase\u admin/\u user\u mgt.py”，第400行，在get\u user中
self.\u handle\u http\u错误（内部错误、消息、错误）
文件“/usr/local/lib/python3.7/site packages/firebase\u admin/\u user\u mgt.py”，第545行，在http\u错误中
引发ApiCallError（代码、消息、错误）
firebase_admin._user_mgt.ApiCallError:无法通过用户ID:some-ID获取用户。
服务器响应：{
“错误”：{
“代码”：403，
“消息”：“Identity Toolkit API以前未在项目{project_NUM_OF_PROD_A}中使用，或已被禁用。请访问https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A}然后重试。如果您最近启用了此API，请等待几分钟，让操作传播到我们的系统，然后重试。“，
“错误”：[
{
“消息”：“Identity Toolkit API以前未在项目{project_NUM_OF_PROD_A}中使用，或已被禁用。请访问https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A}然后重试。如果您最近启用了此API，请等待几分钟，让操作传播到我们的系统，然后重试。“，
“域”：“usageLimits”，
“原因”：“accessNotConfigured”，
“扩展帮助”：https://console.developers.google.com"
}
],
“状态”：“权限被拒绝”
}
}
在处理上述异常期间，发生了另一个异常：
回溯（最近一次呼叫最后一次）：
文件“”，第1行，在
文件“/usr/local/lib/python3.7/site packages/firebase\u admin/auth.py”，第233行，在get\u user中
raise AuthError（error.code、str（error）、error.detail）
firebase_admin.auth.AuthError:无法按用户ID:some-ID获取用户。
服务器响应：{
“错误”：{
“代码”：403，
“消息”：“标识工具包API未在项目{project_NUM_OF_PROD_A}中使用”之前或已禁用。请访问以启用它https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project=543111740960 然后重试。如果您最近启用了此API，请等待几分钟，让操作传播到我们的系统，然后重试。“，
“错误”：[
{
“消息”：“标识工具包API未在项目{project_NUM_OF_PROD_A}中使用”之前或已禁用。请访问以启用它https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project=543111740960 然后重试。如果您最近启用了此API，请等待几分钟，让操作传播到我们的系统，然后重试。“，
“域”：“usageLimits”，
“原因”：“accessNotConfigured”，
“扩展帮助”：https://console.developers.google.com"
}
],
“状态”：“权限被拒绝”
}
}

更新firebase管理客户端库后更新正如@Hiranya Jayathilaka提到的，我没有运行最新版本的firebase admin SDK。从版本2.14.0更新到3.2.1后，应用程序似乎连接到了正确的项目，但我仍然收到一个权限拒绝错误。我检查了proj_b上使用过的ServiceAccount的权限，甚至给了它roles/firebase.admin以及roles/editor，以确保我不缺少任何必要的权限

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 479, in get_user
    'post', '/accounts:lookup', json=payload)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_http_client.py", line 113, in body_and_response
    resp = self.request(method, url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_http_client.py", line 105, in request
    resp.raise_for_status()
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://identitytoolkit.googleapis.com/v1/projects/{PROJECT_ID_OF_PROD_B}/accounts:lookup

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 268, in get_user
    response = user_manager.get_user(uid=uid)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 481, in get_user
    raise _auth_utils.handle_auth_backend_error(error)
firebase_admin.exceptions.PermissionDeniedError: Error while calling Auth service (Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https). //console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A} then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

回溯（最近一次呼叫最后一次）：
文件“/usr/local/lib/python3.7/site packages/firebase\u admin/\u user\u mgt.py”，第479行，在get\u user中
'post'，'/accounts:lookup'，json=payload）
文件“/usr/local/lib/python3.7/site packages/firebase\u admin/\u http\u client.py”，第113行，在正文和答复中
resp=self.request（方法、url、**kwargs）
请求中的文件“/usr/local/lib/python3.7/site packages/firebase\u admin/\u http\u client.py”，第105行
针对_状态的相应提升_（）
文件“/usr/local/lib/python3.7/site packages/requests/models.py”，第940行，处于raise_for_状态
引发HTTPError（http\u error\u msg，response=self）
requests.exceptions.HTTPErr
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 479, in get_user
    'post', '/accounts:lookup', json=payload)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_http_client.py", line 113, in body_and_response
    resp = self.request(method, url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_http_client.py", line 105, in request
    resp.raise_for_status()
  File "/usr/local/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://identitytoolkit.googleapis.com/v1/projects/{PROJECT_ID_OF_PROD_B}/accounts:lookup

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/auth.py", line 268, in get_user
    response = user_manager.get_user(uid=uid)
  File "/usr/local/lib/python3.7/site-packages/firebase_admin/_user_mgt.py", line 481, in get_user
    raise _auth_utils.handle_auth_backend_error(error)
firebase_admin.exceptions.PermissionDeniedError: Error while calling Auth service (Identity Toolkit API has not been used in project {PROJECT_NUM_OF_PROD_A} before or it is disabled. Enable it by visiting https). //console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project={PROJECT_NUM_OF_PROD_A} then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.