Reputation: 4424
Firebase limited service account
I have a java client (Standalone app) that is using the Firebase Admin SDK, because I need to read values from the Realtime database whenever a value is changed. (A ValueChange listener is being used).
Currently I'm including the service-account.json in the app. Even if I set the roles to Viewer, using this service-account.json, I can create accounts usingFirebaseAuth.createCustomTokenAsync, which is something I dont want.
Is there a way to make a service-account with Realtime-database read only?
I know I can use setDatabaseAuthVariableOverride to "limit", but if someone extracts my service-account.json from the app/jar, they have the power to do everything..
I'm not using node.js, just Java with spring. And js firebase is a no, because I need to receive updates even without a web page.
Upvotes: 1
Views: 679
Answers (1)
Reputation: 317497
Never distribute service accounts to end users. They should only go to trusted parties.
There is currently no fine-grained way to control access to Realtime Database via service accounts. Access control is performed via Firebase Authentication client libraries, which are not available for non-Android Java clients.
Upvotes: 2
Related Questions
- data currect user on firebase android studio
- Firebase authorization and security model
- Firebase Realtime Database - Rules
- Setting up administrator rules in firebase
- Android - Firebase Level of Access
- Firebase Database Security
- Firebase admin and user account
- Firebase limits
- Firebase database authentication
- Firebase permissions