使用存储在 Secret Manager 中的密钥初始化 Firebase Admin SDK

Question

我正在尝试使用单独的服务帐号（即不是默认服务帐号）在 Cloud Run 应用中初始化 Firebase Admin SDK。

文档建议：

import firebase_admin
from firebase_admin import credentials

cred = credentials.Certificate("path/to/serviceAccountKey.json")
firebase_admin.initialize_app(cred)

但是，我想避免将机密打包到 Cloud Run 容器中，因此我从 Secret Manager 中检索 json 文件，并尝试创建凭据，并将其传递到：firebase_admin.initialize_app(cred)

import firebase_admin
from google.cloud import secretmanager
from google.oauth2 import service_account

# Create credentials object then initialize the firebase admin client
sec_client = secretmanager.SecretManagerServiceClient()
name = sec_client.secret_version_path(GOOGLE_CLOUD_PROJECT_NUMBER, FIREBASE_SA_SECRET_NAME, "latest")
response = sec_client.access_secret_version(name)
service_account_info = json.loads(response.payload.data.decode('UTF-8'))
creds = service_account.Credentials.from_service_account_info(service_account_info)
firebase_admin.initialize_app(creds)

收到错误：

ValueError：提供了非法的 Firebase 凭据。应用程序必须是 使用有效的凭据实例进行初始化。

感谢任何提示。

Answer 1

import firebase_admin
from google.cloud import secretmanager
from google.oauth2 import service_account

# Create credentials object then initialize the firebase admin client
sec_client = secretmanager.SecretManagerServiceClient()
name = sec_client.secret_version_path(GOOGLE_CLOUD_PROJECT_NUMBER, FIREBASE_SA_SECRET_NAME, "latest")
response = sec_client.access_secret_version(name)
service_account_info = json.loads(response.payload.data.decode('utf-8'))

# build credentials with the service account dict
creds = firebase_admin.credentials.Certificate(service_account_info)

# initialize firebase admin
firebase_app = firebase_admin.initialize_app(creds)