Reputation: 224
I am not using authentication, but I have successfully sent an audio file to firestorage and I am getting the download URL. I want it to be accessible only to those who have access to the URL, but I see that with the partial URL they can access all the files, and the access token is of no use, as they can access the file without the access token.
Upvotes: 0
Views: 227
Reputation: 753
There are two important concepts for accessing objects in Cloud Storage:
Uniform (recommended): Cloud IAM applies permissions to all the objects contained inside the bucket or groups of objects with common name prefixes.
Fine-grained: You can specify access and apply permissions at both the bucket level and per individual object.
You can use Fine-grained to enable Access Control Lists (ACLs) and set the access; you can specify the specific users and the permissions you would like them to have, as per [1]. I also recommend you take a look at this document, where you can find details about how OAuth2 uses a different ACL definition than JSON or XML. [1][2]
I would like to mention that if you enable uniform bucket-level access, you have 90 days to switch back to fine-grained access before uniform bucket-level access becomes permanent. When you convert from fine-grained to uniform, Google saves your ACLs for 90 days, allowing you to revert back. [3] Fine-grained can be converted to Uniform without waiting 90 days.
You can also check the recommended bucket architecture. [4]
[1] https://cloud.google.com/storage/docs/access-control/lists#permissions
[2] https://cloud.google.com/storage/docs/authentication#oauth
[3] https://cloud.google.com/storage/docs/uniform-bucket-level-access#reversion
[4] https://cloud.google.com/storage/docs/access-control#recommended_bucket_architecture
Upvotes: 0
Reputation: 224
I got it on my own
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read: if request.auth.token == true;
      allow write;
    }
  }
}
Upvotes: 1
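An added example, not part of the posts above: a Firebase Storage rules file for an app without sign-in that blocks SDK reads and listing, so an object is reachable only through its tokenized download URL, and narrows the open `allow write` to creating new audio files. The `audio/` prefix and the 10 MiB cap are assumptions made for this example.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumption: uploads land under a hypothetical "audio/" prefix.
    match /audio/{fileName} {
      // No SDK reads or listing. A download URL carrying its token
      // is not evaluated against these rules, so it keeps working.
      allow read: if false;

      // Clients without sign-in may only create new audio objects of
      // at most 10 MiB (constructed limit); no overwrite, no delete.
      allow create: if request.resource.size <= 10 * 1024 * 1024
                    && request.resource.contentType.matches('audio/.*');
      allow update, delete: if false;
    }

    // Everything outside the prefix is closed.
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

If sign-in is added later, `request.auth != null` is the usual condition to add to the create rule.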