Firebase CLI and MCP Server both ignoring provided credentials and always falls back to system/user credentials

[BirjuVachhani]

I am trying to pass an ADC environment variable GOOGLE_APPLICATION_CREDENTIALS to override or provide per user access credentials for my service where I allow users to integrate their firebase account. This flag is completely being ignored when the a user is already logged in on the system (through firebase login). This prevents us from using the MCP server as we can't force it to use provided firebase account through GOOGLE_APPLICATION_CREDENTIALS env.

It always looks for ~/.config/configstore/firebase-tools.json and uses that if exists, ignoring provided env.

This is very frustrating as a developer as this breaks our integration completely and renders it unusable. This bug report is a request to allow and respect GOOGLE_APPLICATION_CREDENTIALS environment variable if passed, or add a flag (e.g. --force-adc, or --no-system, or --ignore-system or --ignore-user-credentials) so that we can conditionally force it to look for other places when retrieving a credential.

This affects both the regular firebase CLI tool as well as the MCP server which internally uses firebase CLI.

[REQUIRED] Environment info

firebase-tools:

15.5.1

Platform:

macOS

[REQUIRED] Test case

Try passing GOOGLE_APPLICATION_CREDENTIALS env that points to a credentials file while having a user logged in via firebase login command.

GOOGLE_APPLICATION_CREDENTIALS=<path_to_file> firebase projects:list

OR

GOOGLE_APPLICATION_CREDENTIALS=<path_to_file> npx firebase-tools@latest mcp

[REQUIRED] Steps to reproduce

1. Log in with a account using firebase login command.
2. Get credentials (ADC or service account) of a different firebase account and use it in this step.
   Pass GOOGLE_APPLICATION_CREDENTIALS env that points to a credentials file while having a user logged in via firebase login command.

GOOGLE_APPLICATION_CREDENTIALS=<path_to_file> firebase projects:list

OR

GOOGLE_APPLICATION_CREDENTIALS=<path_to_file> npx firebase-tools@latest mcp

3. Notice that it lists projects of the logged in user, not of the user with given credentials.

[REQUIRED] Expected behavior

I expect it to use given GOOGLE_APPLICATION_CREDENTIALS ideally, or have a flag to tell it to use it. e.g. --ignore-system-credentials or --force-adc or something like that.

[REQUIRED] Actual behavior

It always uses the logged in user's account ignoring provided GOOGLE_APPLICATION_CREDENTIALS env. And there is no way (none that I could find) to pass a flag or something to tell it to use GOOGLE_APPLICATION_CREDENTIALS env, not the user's config.

[aalej]

Hey, thanks for the detailed report and for sharing your feedback. At the moment, this is the documented behavior and is working as expected https://github.com/firebase/firebase-tools?tab=readme-ov-file#general. Though, I understand that it does make sense for GOOGLE_APPLICATION_CREDENTIALS to take priority over local login, making this update might be considered a breaking change since it could potentially break existing setups.

Adding a flag as you mentioned might be a good solution for this as it would allow the option to specify which auth method is going to be prioritized. For now, I’ll mark this as a feature request and I’ll discuss this with our engineers on our next sync to get their inputs on this as well.

[BirjuVachhani]

Hey, thanks for considering the request. For now I have forked the repo to make adjustments to accommodate my needs. But its falling apart as I use more and more tools that internally use firebase CLI. (e.g. flutterfire cli). Will be eagerly waiting for your next response.

[joehan]

This is a pretty good feature request, and would easily fit as a global flag. For changes like this, we do need to run it thru an internal API council (so it may take a little longer than one would expect from just implementation), but I'll drive that forward.

If you forked this - would you be down to open a PR from the fork so I work off of your change?

[BirjuVachhani]

My changes were destructive as I didn't need normal system based auth. So I can't open a PR. But here's the link to my commit that you can look at.