As written in the Firestore documentation here, I have a security rule like this:
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, update, delete: if request.auth.uid == userId;
      allow create: if request.auth.uid != null;
    }
  }
}
This rule works when I authenticate with the client library, but not when I use the server library, as written in the Firebase documentation:
Note: The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials. If you are using the server client libraries or the REST or RPC APIs, make sure to set up Cloud Identity and Access Management for Cloud Firestore.
How do I replicate this security rule with service account roles?
Upvotes: 5
Views: 4190
Code that uses the Firebase Admin SDK with a service account to access Firestore currently cannot be scoped to a particular user ID for the purpose of enforcing security rules. All access with the Admin SDK will bypass security rules and have full control of the database.
Note that this is different than Realtime Database, which does have such a feature.
Upvotes: 12
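Since the Admin SDK bypasses rules entirely, the practical way to keep the per-user guarantee from the question's rule on the server is to re-implement that check in application code in front of every Admin SDK call. The following is an added example, not code from the question, the answer, or Firebase itself. It assumes `db` is anything exposing `doc(path)` with `get/set/update/delete` (so `admin.firestore()` fits, as does the constructed in-memory fake used here so it runs offline), and that `auth` is the decoded ID token that `admin.auth().verifyIdToken(idToken)` returns for the calling user, or `null` when no valid token was presented. The `usersGateway`, `usersRuleAllows`, `fakeFirestore` and `demo` names are this example's own.

```javascript
// Added example (not from the question or answer). The Admin SDK bypasses
// Firestore security rules, so the per-user check from the rule
//   match /users/{userId} {
//     allow read, update, delete: if request.auth.uid == userId;
//     allow create: if request.auth.uid != null;
//   }
// is re-implemented here in server code that sits in front of every Admin
// SDK call. Assumptions: `db` is any object whose doc(path) returns an object
// with get/set/update/delete (admin.firestore() or the fake below); `auth` is
// the decoded ID token from admin.auth().verifyIdToken(idToken), or null.

// Pure mirror of the rule: true when the rule would allow `op` on /users/{userId}.
function usersRuleAllows(auth, userId, op) {
  switch (op) {
    case 'read':
    case 'update':
    case 'delete':
      return auth != null && auth.uid === userId;
    case 'create':
      // The rule only requires a signed-in caller; it does not tie the new
      // document id to the caller's uid, and this mirrors that exactly.
      return auth != null && auth.uid != null;
    default:
      return false; // rules deny anything not explicitly allowed
  }
}

class PermissionDenied extends Error {
  constructor(op, path) {
    super(`${op} on /${path} denied`);
    this.name = 'PermissionDenied';
  }
}

// Gateway: the only way server code should touch /users/{userId}. The check
// runs before the Admin SDK call is issued, so a denied request never reaches
// Firestore; methods are async so a denial surfaces as a rejected promise.
function usersGateway(db, auth) {
  function guard(op, userId) {
    const path = `users/${userId}`;
    if (!usersRuleAllows(auth, userId, op)) throw new PermissionDenied(op, path);
    return db.doc(path);
  }
  return {
    read:   async (userId)       => guard('read', userId).get(),
    create: async (userId, data) => guard('create', userId).set(data),
    update: async (userId, data) => guard('update', userId).update(data),
    delete: async (userId)       => guard('delete', userId).delete(),
  };
}

// Constructed in-memory stand-in for admin.firestore() so the example runs
// offline; it implements only the four document methods the gateway uses.
function fakeFirestore() {
  const store = new Map();
  return {
    doc(path) {
      return {
        get:    async ()  => ({ exists: store.has(path), data: () => store.get(path) }),
        set:    async (d) => { store.set(path, { ...d }); },
        update: async (d) => {
          if (!store.has(path)) throw new Error(`no document at ${path}`);
          store.set(path, { ...store.get(path), ...d });
        },
        delete: async ()  => { store.delete(path); },
      };
    },
  };
}

// Exercise the gateway with three callers (constructed tokens) and report
// which operations were denied before reaching the database.
async function demo(db = fakeFirestore()) {
  const alice = usersGateway(db, { uid: 'alice' }); // verified token for alice
  const bob   = usersGateway(db, { uid: 'bob' });   // verified token for bob
  const anon  = usersGateway(db, null);             // no token presented
  const outcome = (p) => p.then(() => 'allowed', (e) => e.name);

  await alice.create('alice', { name: 'Alice' });
  return {
    ownerRead:  (await alice.read('alice')).data().name,
    bobRead:    await outcome(bob.read('alice')),
    bobDelete:  await outcome(bob.delete('alice')),
    anonCreate: await outcome(anon.create('carol', {})),
    bobCreate:  await outcome(bob.create('bob', { name: 'Bob' })),
  };
}

demo().then((r) => console.log(r));
```

In production, replace `fakeFirestore()` with `admin.firestore()` and obtain `auth` by verifying the caller's ID token with `admin.auth().verifyIdToken()`; never trust a uid sent in the request body. The gateway is the only place the service account's unrestricted access is exercised, so the per-user check is enforced exactly once, in one auditable function, rather than scattered across handlers.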