SigningError with Firebase getSignedUrl()

The answer has to do with Cloud Identity and Access Management. First, go to your Google Cloud Platform IAM & admin page. You'll see various service accounts. Look for the service account that looks like [email protected]. It should say App Engine default service account in the Name column. (If an error message referenced a different service account, find that service account.)

In the Role column, you may or not see some roles. If you're getting a SigningError message, the Role column is missing the role Service Account Token Creator. Check the checkbox to the left of [email protected] to select the service account, and then click the pencil to the right to edit it. In the next screen, click +ADD ANOTHER ROLE. Scroll down to Service Accounts, select Service Account Token Creator, and save. Now you should see Service Account Token Creator in the Roles column for App Engine default service account. Now you have permission to create signed tokens.

Next, repeat these steps and add a role for Storage Object Creator. This will allow you to run getSignedURL().

You could save alternatively assign Service Account Admin and Storage Admin, which include the Service Account Token Creator and Storage Object Creator roles respectively, plus other roles.

Now, if you instead got a SingingError message, it might be because you're warbling Bruce Springsteen's "Glory Days" out of tune. :-)


In my case I had enable Identity and Access Management (IAM), the url is the following one:

https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project="YOUR PROJECT NAME"