如果使用默认服务帐户,如何在Firebase中覆盖Google Cloud Project? (转到admin SDK)

Background

Consider the function func NewApp(ctx context.Context, config *Config, opts ...option.ClientOption) (*App, error) .

Theoretically it should be possible to override the project ID via the config parameter.

However, the problem is that when the credentials are fetched, the project ID is also determined, and this happens before the override via config (or via GOOGLE_CLOUD_PROJECT/GCLOUD_PROJECT env. variables for that matter.)

As a result, the token will be for the "default" project ID, not the overridden one.

Detailed steps

Suppose we use the "default service account" as per here:

  1. If the environment variable isn't set, ADC uses the default service account that Compute Engine, Kubernetes Engine, App Engine, and Cloud Functions provide, for applications that run on those services.

So this is what will happen in that case:

creds, err := transport.Creds(ctx, o...)

return internal.Creds(ctx, &ds)

cred, err := google.FindDefaultCredentials(ctx, ds.Scopes...)

id, _ := metadata.ProjectID() // (x) at this point we get the default project ID

func ProjectID() (string, error) { return defaultClient.ProjectID() }

func (c *Client) ProjectID() (string, error) { return projID.get(c) }

v, err = cl.Get(c.k)

val, _, err := c.getETag(suffix)

res, err := c.hc.Do(req)

In short, we get the credentials with the default project ID.

Question: Am I missing something, or is there really no way to override the project ID, when using the default service account?

Addendum: Maybe the problem is not the projectID in the credentials, but getting the bearer token with the default project ID configured there. The base question ("how to override the project") is still valid, though.

dragonsun00000
dragonsun00000 您为什么关心项目ID?获得访问令牌后,权限将基于凭据,而不是基于创建服务帐户的项目。要启用任何服务帐户(包括默认服务帐户),只需将具有所需权限(角色)的所需项目的电子邮件地址添加到IAM。
一年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问