ADC Auth From Firebase App Hosting for Pub/Sub

hannah0 · 02-16-2025 12:03 PM

I have an Angular SSR project deployed to Firebase App Hosting. The project includes an Express server.

From my Express server code, I'm trying to authenticate to ADC to initialize a pub/sub client. I've installed and imported @Google-cloud/pubsub.

import { PubSub } from "@google-cloud/pubsub";
const pubSubClient = new PubSub({ projectId: "main-project" });

Note that the this App Hosting project is in a separate Google cloud project, called e.g. "sub-project".

The server runs fine without this PubSub initialization code, and the only intelligible error i see when i run the server is "Sorry, we cannot connect to Cloud Services without a project".

On local, I've installed gcloud, set the gcloud project to "main-project", and set the local GOOGLE_APPLICATION_CREDENTIALS env variable pointing to a service account config. The service account was created in main-project with the role "Pub/Sub Subscriber".

I've also tried hard-coding the credentials from the service account object to test, e.g.:

  // service account object from JSON key
const serviceAccountConfig = {
  type: "service_account",
  project_id: "main-project",
  private_key_id: "[sanitized]",
  private_key:
    "-----BEGIN PRIVATE KEY-----[sanitized]-----END PRIVATE KEY-----\n",
  client_email: "example_service_account@main-project.iam.gserviceaccount.com",
  client_id: "[sanitized]",
  auth_uri: "https://accounts.google.com/o/oauth2/auth",
  token_uri: "https://oauth2.googleapis.com/token",
  auth_provider_x509_cert_url: "https://www.googleapis.com/oauth2/v1/certs",
  client_x509_cert_url:
    "[sanitized]",
  universe_domain: "googleapis.com",
};
const pubSubClient = new PubSub({
  projectId: "main-project",
  credentials: {
    client_email: serviceAccountConfig.client_email,
    private_key: serviceAccountConfig.private_key,
  },
});

Same error, both on local and when deployed to app hosting.

Am I missing a step to authenticating? Is there something else I need to do to authenticate across projects?

greb

Hi @hannah0,

Welcome to Google Cloud Community!

It seems your Firebase App Hosting project (sub-project) is unable to authenticate with Pub/Sub in the main project. The message "Sorry, we cannot connect to Cloud Services without a project" indicates that the authentication is not being recognized properly.

Solution Steps

Ensure IAM Permissions
The service account from “sub-project” needs the Pub/Sub Subscriber role in “main-project”. You may run this command to grant the correct permissions:
```
gcloud projects add-iam-policy-binding main-project \
  --member=serviceAccount:firebase-adminsdk-xxx@sub-project.iam.gserviceaccount.com \
  --role=roles/pubsub.subscriber
```

Store Credentials in Firebase Runtime Config
Firebase App Hosting does not automatically use Application Default Credentials (ADC) like Cloud Functions. Instead, store the service account JSON key in Firebase this way:

firebase functions:config:set gcp.service_account="$(cat service-account.json)"
firebase deploy

In your Express Server, use:

import functions from "firebase-functions";
import { PubSub } from "@google-cloud/pubsub";

const serviceAccount = JSON.parse(functions.config().gcp.service_account);
const pubSubClient = new PubSub({
  projectId: "main-project",
  credentials: serviceAccount,
});

Verify Project Settings
Set the “projectId” explicitly in your Pub/Sub client:
```
const pubSubClient = new PubSub({ projectId: "main-project" });
```

Check if your app has access to GCP services with:

gcloud auth application-default print-access-token

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.