Replace Firebase email/password auth with Admin SDK + GCP Workload Identity

[jcortejoso]

Summary

• Switch server-side Firebase from client SDK with email/password auth to Admin SDK with GCP Workload Identity Federation
• Eliminates long-lived credentials (FIREBASE_LOGIN_USERNAME / FIREBASE_LOGIN_PASSWORD) from Vercel
• On Vercel: uses the auto-injected OIDC token → GCP STS exchange → service account impersonation (zero stored secrets)
• Locally: falls back to Application Default Credentials (gcloud auth application-default login)

What changed

File	Change
apps/web/utils/gcp-credential.ts	New — custom Credential implementation: Vercel OIDC → GCP WIF → SA impersonation
apps/web/utils/firebase.serverside.ts	Replace firebase/compat client SDK + email/password auth with firebase-admin/app + firebase-admin/database
apps/web/package.json	Add firebase-admin, remove @firebase/app-types

GCP setup required (one-time)

Before deploying, create the Workload Identity Pool + Provider in GCP:

# 1. Create pool
gcloud iam workload-identity-pools create vercel-faucet \
  --location=global \
  --project=celo-faucet \
  --display-name="Vercel Faucet Deployments"

# 2. Create OIDC provider
gcloud iam workload-identity-pools providers create-oidc vercel-oidc \
  --location=global \
  --workload-identity-pool=vercel-faucet \
  --project=celo-faucet \
  --issuer-uri="https://oidc.vercel.com" \
  --allowed-audiences="https://vercel.com/<your-team>" \
  --attribute-mapping="google.subject=assertion.sub"

# 3. Create a service account (or reuse existing)
gcloud iam service-accounts create faucet-vercel \
  --project=celo-faucet \
  --display-name="Faucet Vercel Web"

# 4. Grant Firebase RTDB access to the SA
gcloud projects add-iam-policy-binding celo-faucet \
  --member="serviceAccount:faucet-vercel@celo-faucet.iam.gserviceaccount.com" \
  --role="roles/firebasedatabase.admin"

# 5. Allow the federated identity to impersonate the SA
gcloud iam service-accounts add-iam-policy-binding \
  faucet-vercel@celo-faucet.iam.gserviceaccount.com \
  --project=celo-faucet \
  --role=roles/iam.workloadIdentityUser \
  --member="principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/vercel-faucet/*"

Vercel env vars

Add:

Variable	Value	Example
GCP_WIF_PROVIDER	Full WIF provider resource name	//iam.googleapis.com/projects/1094498259535/locations/global/workloadIdentityPools/vercel-faucet/providers/vercel-oidc
GCP_SERVICE_ACCOUNT	SA email	faucet-vercel@celo-faucet.iam.gserviceaccount.com

Remove (after deployment verified):

• FIREBASE_LOGIN_USERNAME
• FIREBASE_LOGIN_PASSWORD

Test plan

• Run GCP setup commands above
• Add GCP_WIF_PROVIDER and GCP_SERVICE_ACCOUNT env vars in Vercel
• Deploy to preview — verify /api/faucet can write to Firebase RTDB
• Verify client-side real-time status updates still work (uses separate client SDK, unchanged)
• Remove old FIREBASE_LOGIN_USERNAME / FIREBASE_LOGIN_PASSWORD from Vercel

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
faucet	Ready	Preview, Comment	Apr 20, 2026 2:22pm