I need to have some code running on a remote server with access only to a subset of my Firebase Realtime Database.
I figured I was going to be able to create a service account with access to the database, and manage it's more detailed read/write permissions using security rules. This doesn't seem to be the case.
I do not want this service account to have any other access to my Firebase project.
Here is an example of what I thought my security rules would roughly look like:
{
"rules": {
"my_restricted_data": {
"X": {
".read": "auth.my_service_account_id === 'X'",
".write": "auth.my_service_account_id === 'X'"
}
}
}
}
Looking at the Google Cloud Platform roles and permissions, I can't seem to separate Firebase Realtime Database access out from other important privileges which I do not want to grant to this service.
Is there any way I can make this work?
I am using the ruby firebase https://github.com/oscardelben/firebase-ruby
Thanks!
CodePudding user response:
The library you're using wraps the Firebase REST API, which in itself can be used to access the database both as an administrative super-user and as a regular authentication user. Unfortunately the two ways to authenticate that the library offers both give administrative access to the database, without a way to specify your own UID. This means that there is no way to limit what your code can do.
I recommend filing a feature request (or a PR) on the repo to add signing in a regular user through the REST API, which will then only be allowed the access that your rules have set for it.