Allow service account access only to a subset of a Firetime Realtime Database-CodePudding

I need to have some code running on a remote server with access only to a subset of my Firebase Realtime Database.

I figured I was going to be able to create a service account with access to the database, and manage it's more detailed read/write permissions using security rules. This doesn't seem to be the case.

I do not want this service account to have any other access to my Firebase project.

Here is an example of what I thought my security rules would roughly look like:

{
  "rules": {
    "my_restricted_data": {
      "X": {
        ".read": "auth.my_service_account_id === 'X'",
        ".write": "auth.my_service_account_id === 'X'"
      }
    }
  }
}

Looking at the Google Cloud Platform roles and permissions, I can't seem to separate Firebase Realtime Database access out from other important privileges which I do not want to grant to this service.

Is there any way I can make this work?

I am using the ruby firebase https://github.com/oscardelben/firebase-ruby

Thanks!

CodePudding user response：

The library you're using wraps the Firebase REST API, which in itself can be used to access the database both as an administrative super-user and as a regular authentication user. Unfortunately the two ways to authenticate that the library offers both give administrative access to the database, without a way to specify your own UID. This means that there is no way to limit what your code can do.

I recommend filing a feature request (or a PR) on the repo to add signing in a regular user through the REST API, which will then only be allowed the access that your rules have set for it.