Unable to assign iam.serviceAccounts.signBlob permission

The sign feature of a service account requires the iam.serviceAccounts.signBlob permission. This permission is included in the Service Account Token role roles/iam.serviceAccountTokenCreator.

You can assign this role at the "project" level or at the "service account" level. This is why you see different results. Assigning roles at the project level affects permissions for all service accounts. Assigning roles at the service account only affects that service account.

The key to your problem is that the caller does not have this role on service account [email protected]. You have given the service account permission and NOT the caller. Look into your code for the service account that you used to set up the Firebase SDK.
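The distinction the answer draws (role on the service account versus role held by the caller, at project or at service-account level) can be checked against the IAM policy JSON that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` return. The following is an added example, not code from the answer or from Firebase; the two policies, project id, service account and principal names are constructed placeholders.

```python
"""Check whether a caller principal holds roles/iam.serviceAccountTokenCreator
on a given service account, at project level or at service-account level.

The policies below are constructed sample data in the shape gcloud prints;
all names are placeholders. Group membership, allUsers/allAuthenticatedUsers
and IAM conditions are deliberately not evaluated here.
"""
from typing import Dict, Set

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
SIGN_BLOB = "iam.serviceAccounts.signBlob"

# Constructed: project-level policy. A Token Creator binding here would apply
# to every service account in the project.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com"]},
]}

# Constructed: policy on the service account whose signBlob call fails.
# This reproduces the mistake described above: the service account itself
# was granted Token Creator, but the caller (the runtime identity) was not.
SA_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR,
     "members": ["serviceAccount:app-sa@example-project.iam.gserviceaccount.com"]},
]}


def principals_with_role(policy: Dict, role: str) -> Set[str]:
    """Return every member directly bound to `role` in one IAM policy."""
    members: Set[str] = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def can_sign_blob(caller: str, project_policy: Dict, sa_policy: Dict) -> Dict:
    """Report where (if anywhere) `caller` gets Token Creator for the SA."""
    at_project = caller in principals_with_role(project_policy, TOKEN_CREATOR)
    at_sa = caller in principals_with_role(sa_policy, TOKEN_CREATOR)
    return {"caller": caller, "project_level": at_project,
            "service_account_level": at_sa, SIGN_BLOB: at_project or at_sa}


if __name__ == "__main__":
    # The identity running the Firebase Admin SDK (constructed name).
    caller = "serviceAccount:runtime-sa@example-project.iam.gserviceaccount.com"
    print(can_sign_blob(caller, PROJECT_POLICY, SA_POLICY))
```

Feed the script real policy dumps and the caller printed in the failing SDK's error message to see which level, if either, grants the role.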


Firebase mentions this error in its docs:

https://firebase.google.com/docs/auth/admin/create-custom-tokens#failed_to_determine_service_account

You must initialize your app correctly through a JSON config file.

A simple fix would be:

  1. Go to https://console.cloud.google.com/iam-admin/iam?project=PROJECT_NAME
  2. Edit your default service account.
  3. Add the role Service Account Token Creator.

In a few minutes your project will be able to create signed tokens.