Michał Gacka

Reputation: 3071

Interacting with the Firebase Firestore from a separate Python script without Admin privileges

I would like to interface with the Firestore from Python in order to fetch some data in a simple script that exists outside of the main application I'm developing. Then I would like to be able to distribute that script to other employees without needing to provide them with a service account that has unlimited access to the database (because it would be a major security risk). I hope that they could authenticate by providing a username and password to the script either through env. variables or at runtime.

Is there any way to authenticate into Firestore from outside of the client application in another way than through an almighty service account?

I was thinking to just log in as a regular user (somehow use the auth API just like a client does) but I couldn't find any documentation or example of that and it seems like I'd be reinventing the wheel writing a wrapper around the firebase API that could authenticate a user and fetch a collection. The same goes for writing my own endpoints for the Python script to use - seems like a huge overkill for such a simple scenario (defeats the purpose of a backend as a service).

Upvotes: 2

Views: 364

Answers (1)

vitooh

Reputation: 4262

I think the easiest way to do it is with a Google Cloud Function.

  1. The first step will be to create an HTTP-triggered function, in any available language, that gets what is needed from Firestore. If the function is in the same project it will not need authentication at all.

  2. A Cloud Function uses Google Cloud IAM to authorize, so you add members that can invoke the function. So you have to arrange access for all the users you need. You can give every user the role "Cloud Functions Invoker" just for this function.

  3. Then they will be able to invoke the access from their accounts. Then, if a particular user has the Cloud SDK (gcloud) installed and is logged in to her/his own account, she/he can invoke the function, e.g. with curl (reference):

curl https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME \
  -H "Authorization: bearer $(gcloud auth print-identity-token)"

The command is the same for every user so you can make a script of it.

I think this is the easiest way; I was able to create and test such a solution in about 15 minutes.

If you are using only the Firebase Console, but not the Google Cloud Console, that should not be a problem, as a Firebase project is in fact a Google Cloud project, so you should have access to it via the Google Cloud Console.

What's more, such a solution is quite cheap. If the invocations do not count in many millions, it may end up in the free tier or at most a few $ per month.

Upvotes: 1
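The curl invocation from the answer above, wrapped as the kind of distributable Python script the question asks for. This is an added example, not code from the original question or answer; it assumes the function returns JSON, and `gcloud_identity_token`, `build_request` and `fetch_documents` are hypothetical names.

```python
import json
import subprocess
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Placeholder URL in the same form as the answer's curl command.
FUNCTION_URL = "https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME"


def gcloud_identity_token():
    """Return an identity token for the account the user is logged in to with gcloud."""
    result = subprocess.run(
        ["gcloud", "auth", "print-identity-token"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def build_request(url, token):
    """Build the authenticated request; refuse plain HTTP so the token is never sent in clear text."""
    if urlsplit(url).scheme != "https":
        raise ValueError("function URL must use https")
    if not token:
        raise ValueError("empty identity token; run 'gcloud auth login' first")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def fetch_documents(url=FUNCTION_URL, get_token=gcloud_identity_token,
                    opener=urllib.request.urlopen):
    """Call the function and return its body, assumed here to be JSON."""
    request = build_request(url, get_token())
    try:
        with opener(request, timeout=30) as response:
            return json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            raise PermissionError(
                "not allowed to invoke the function; check the Cloud Functions Invoker role"
            ) from err
        raise


if __name__ == "__main__":
    print(json.dumps(fetch_documents(), indent=2))
```

The script holds no credential of its own: each employee's access is whatever IAM grants their own Google account, so revoking the invoker role cuts off the script for that user only.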
