How to enable Google Sign-In for Firebase Auth via gcloud CLI / firebase CLI?
I'm trying to fully automate Firebase Auth provider setup via CLI (no manual Firebase Console clicks).
Using this SA token, I can successfully:
- Initialize Firebase Auth:
POST /v2/projects/{PROJECT}/identityPlatform:initializeAuth - Enable email/password:
PATCH /v2/projects/{PROJECT}/config?updateMask=signIn.email.enabled - Enable Apple Sign-In:
POST /v2/projects/{PROJECT}/defaultSupportedIdpConfigs?idpId=apple.com - Update authorized domains:
PATCH /v2/projects/{PROJECT}/config?updateMask=authorizedDomains
But Google Sign-In requires an OAuth 2.0 Web Client ID + Secret, and I can't find any CLI way to create those.
What I've tried
Attempt 1: Firebase CLI — no auth provider management exists
$ firebase --help 2>&1 | grep -i auth
auth:export [options] [dataFile] export accounts from your Firebase project
auth:import [options] [dataFile] import users into your Firebase project
Firebase CLI only has auth:export and auth:import for user data. No commands to manage sign-in providers.
Attempt 2: gcloud CLI — no identity-platform commands exist
$ gcloud identity-platform config describe --project=my-project
ERROR: (gcloud) Invalid choice: 'identity-platform'.
$ gcloud alpha identity-platform config describe --project=my-project
ERROR: (gcloud.alpha) Invalid choice: 'identity-platform'.
$ gcloud firebase --help
# Only has "test" subcommand (Firebase Test Lab). No auth management.
Attempt 3: REST API — create google.com IDP (no credentials)
curl -s -X POST \
-H "Authorization: Bearer $SA_TOKEN" \
-H "Content-Type: application/json" \
'https://identitytoolkit.googleapis.com/v2/projects/my-project/defaultSupportedIdpConfigs?idpId=google.com' \
-d '{"enabled":true}'
Error:
{
"error": {
"code": 400,
"message": "INVALID_CONFIG : client_id cannot be empty.",
"status": "INVALID_ARGUMENT"
}
}
Attempt 4: REST API — with clientId but empty clientSecret
curl -s -X POST \
-H "Authorization: Bearer $SA_TOKEN" \
-H "Content-Type: application/json" \
'https://identitytoolkit.googleapis.com/v2/projects/my-project/defaultSupportedIdpConfigs?idpId=google.com' \
-d '{"enabled":true,"clientId":"test","clientSecret":""}'
Error:
{
"error": {
"code": 400,
"message": "INVALID_CONFIG : client_secret cannot be empty.",
"status": "INVALID_ARGUMENT"
}
}
Attempt 5: Admin v2 endpoint
curl -s -X POST \
-H "Authorization: Bearer $SA_TOKEN" \
-H "Content-Type: application/json" \
'https://identitytoolkit.googleapis.com/admin/v2/projects/my-project/defaultSupportedIdpConfigs?idpId=google.com' \
-d '{"enabled":true}'
Same error: INVALID_CONFIG : client_id cannot be empty.
Attempt 6: Create OAuth consent screen brand via IAP API
curl -s -X POST \
-H "Authorization: Bearer $SA_TOKEN" \
-H "Content-Type: application/json" \
'https://iap.googleapis.com/v1/projects/MY_PROJECT_NUMBER/brands' \
-d '{"applicationTitle":"my-project","supportEmail":"user@example.com"}'
Error:
{
"error": {
"code": 400,
"message": "Project must belong to an organization.",
"status": "INVALID_ARGUMENT"
}
}
Attempt 7: gcloud iam oauth-clients (wrong type)
$ gcloud iam oauth-clients list --project=my-project --location=global
Listed 0 items.
This manages Workforce Identity Federation OAuth clients, not the Google Cloud Console OAuth 2.0 Client IDs that Firebase Google Sign-In requires.
Attempt 8: v3 Identity Toolkit API (deprecated)
# GET works (read-only)
curl -s -H "Authorization: Bearer $SA_TOKEN" \
'https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig'
# Returns: {"projectId":"...","authorizedDomains":["..."]}
# SET is 404 (removed)
curl -s -X POST -H "Authorization: Bearer $SA_TOKEN" \
-H "Content-Type: application/json" \
'https://www.googleapis.com/identitytoolkit/v3/relyingparty/setProjectConfig' \
-d '{"idpConfig":[{"provider":"GOOGLE","enabled":true}]}'
# Returns: 404 Not Found
Question
How can I programmatically create OAuth 2.0 Web Client credentials for a Firebase/GCP project (not in a GCP organization) to enable Google Sign-In via the Identity Toolkit REST API? Is there a CLI or REST API I'm missing?