How to enable email enumeration protection? I'm getting Error 403 in Firebase (Google Cloud Platform)

[gustavostz]

I'm trying to set the enumeration protection on a Firebase project, so I was following this documentation to guide me:

https://cloud.google.com/identity-platform/docs/admin/email-enumeration-protection

I have generated the access token successfully, but when I try to make a PATCH request to the following endpoint:

curl -X PATCH -d "{'email_privacy_config':{'enable_improved_email_privacy':"true"}}" \
    -H 'Authorization: Bearer MY_ACCESS_TOKEN_REPLACED_HERE' \
    -H 'Content-Type: application/json' \
    "https://identitytoolkit.googleapis.com/admin/v2/projects/MY_PROJECT_ID_REPLACED_HERE/config?updateMask=email_privacy_config"

But for some reason, I am receiving the following error:

{
  "error": {
    "code": 403,
    "message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.",
    "status": "PERMISSION_DENIED",
    "details": [      {        "@type": "type.googleapis.com/google.rpc.ErrorInfo",        "reason": "SERVICE_DISABLED",        "domain": "googleapis.com",        "metadata": {          "consumer": "projects/618104708054",          "service": "identitytoolkit.googleapis.com"        }      }    ]
  }
}

I checked if the Identity Toolkit API was disabled, but it wasn't:

I tried to add the X-Goog-User-Project header, but it didn't work either

Does anyone know how to fix this problem?

Additional info:
I generated this access token from the Google Cloud SDK and Google Cloud console, but I was not able to find any other place to generate this access token. I believe that this is the reason, but in the GCP guide it is not clear where I can generate this access token besides the Google Cloud console mentioned.

[ryanmio]

Your issue seems to be with the authentication method you're using. The error clearly states that end-user credentials from the Google Cloud SDK or Google Cloud Shell are not supported for this operation.

Solution Steps:

1. Service Account: You'll need to create and download a service account JSON file.

   • Navigate to IAM & Admin -> Service Accounts in the Google Cloud Console.
   • Create a new service account or use an existing one.
   • Download the JSON key file.

2. Set Environment Variable: Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the downloaded JSON key file.

   export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-file.json"

3. Generate Access Token: Use the following command to generate an access token.

   gcloud auth application-default print-access-token

4. Retry CURL Request: Now try your PATCH request again using this new token.

Example:

curl -X PATCH -d "{'email_privacy_config':{'enable_improved_email_privacy':"true"}}" \
    -H 'Authorization: Bearer NEW_ACCESS_TOKEN' \
    -H 'Content-Type: application/json' \
    "https://identitytoolkit.googleapis.com/admin/v2/projects/YOUR_PROJECT_ID/config?updateMask=email_privacy_config"

Hope this clears things up.