How to enable email enumeration protection? I'm getting Error 403 in Firebase (Google Cloud Platform) #1040
I'm trying to set the enumeration protection on a Firebase project, so I was following this documentation to guide me:
https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection
I have generated the access token successfully, but when I try to make a PATCH request to the following endpoint:
curl -X PATCH -d "{'email_privacy_config':{'enable_improved_email_privacy':"true"}}" \
-H 'Authorization: Bearer MY_ACCESS_TOKEN_REPLACED_HERE' \
-H 'Content-Type: application/json' \
"https://identitytoolkit.googleapis.com/admin/v2/projects/MY_PROJECT_ID_REPLACED_HERE/config?updateMask=email_privacy_config"
But for some reason, I am receiving the following error:
{
"error": {
"code": 403,
"message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.",
"status": "PERMISSION_DENIED",
"details": [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": "SERVICE_DISABLED", "domain": "googleapis.com", "metadata": { "consumer": "projects/618104708054", "service": "identitytoolkit.googleapis.com" } } ]
}
}
I checked if the Identity Toolkit API was disabled, but it wasn't:
Identity Toolkit API Enabled on GCP
I tried to add the X-Goog-User-Project header, but it didn't work either.
Does anyone know how to fix this problem?
Additional info:
I generated this access token from the Google Cloud SDK and Google Cloud console, but I was not able to find any other place to generate this access token. I believe that this is the reason, but in the GCP guide it is not clear where I can generate this access token besides the Google Cloud console mentioned.
Replies: 1 comment
Your issue seems to be with the authentication method you're using. The error clearly states that end-user credentials from the Google Cloud SDK or Google Cloud Shell are not supported for this operation.
Solution Steps:
- Service Account: You'll need to create and download a service account JSON file.
  - Navigate to IAM & Admin -> Service Accounts in the Google Cloud Console.
  - Create a new service account or use an existing one.
  - Download the JSON key file.
- Set Environment Variable: Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the downloaded JSON key file.
  export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-file.json"
- Generate Access Token: Use the following command to generate an access token.
  gcloud auth application-default print-access-token
- Retry CURL Request: Now try your PATCH request again using this new token.
Example:
curl -X PATCH -d "{'email_privacy_config':{'enable_improved_email_privacy':"true"}}" \
-H 'Authorization: Bearer NEW_ACCESS_TOKEN' \
-H 'Content-Type: application/json' \
"https://identitytoolkit.googleapis.com/admin/v2/projects/YOUR_PROJECT_ID/config?updateMask=email_privacy_config"
Hope this clears things up.
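Added example (not part of the original discussion or of Google's documentation): a Python check of the `details` block in the 403 quoted in the question. It compares the `consumer` project the request was charged to with your own project number, which shows whether SERVICE_DISABLED refers to your project at all. The number `123456789012` is a constructed placeholder and the `message` text is shortened.

```python
import json

# Error body from the question above; the long "message" text is shortened.
ERROR_BODY = """
{
  "error": {
    "code": 403,
    "message": "Your application has authenticated using end user credentials ...",
    "status": "PERMISSION_DENIED",
    "details": [{
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "SERVICE_DISABLED",
      "domain": "googleapis.com",
      "metadata": {"consumer": "projects/618104708054",
                   "service": "identitytoolkit.googleapis.com"}
    }]
  }
}
"""


def diagnose(error_body, own_project_number):
    """Classify a Google API error by the project it was charged to.

    own_project_number is the numeric project number, not the project ID, e.g.
    gcloud projects describe PROJECT_ID --format='value(projectNumber)'
    """
    error = json.loads(error_body).get("error", {})
    for detail in error.get("details", []):
        if not detail.get("@type", "").endswith("/google.rpc.ErrorInfo"):
            continue
        meta = detail.get("metadata", {})
        consumer = meta.get("consumer", "").split("/")[-1]
        result = {"reason": detail.get("reason"),
                  "service": meta.get("service"), "consumer": consumer}
        if detail.get("reason") != "SERVICE_DISABLED":
            result["verdict"] = "other"
        elif consumer == str(own_project_number):
            # The API really is off in the project you control.
            result["verdict"] = "api-disabled-in-own-project"
        else:
            # The check ran against a different project (the credential's
            # quota project), so enabling the API in yours changes nothing.
            result["verdict"] = "charged-to-foreign-project"
        return result
    return {"verdict": "no-error-info", "status": error.get("status")}


if __name__ == "__main__":
    print(diagnose(ERROR_BODY, "123456789012"))  # constructed project number
```

A `charged-to-foreign-project` verdict matches the situation in the question: the API is enabled in the asker's project, yet the error names a different consumer.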