thebenCA

Reputation: 159

Firebase Firestore Security Rules for Backend Service

I currently have a GCP/Firestore Cloud Function writing to Firestore, and a NuxtJS client reading from said Firestore DB.

My NuxtJS client does not use user-based authentication. It is a news site that shows publicly available information.

I'm trying to configure the Firestore security rules to only allow reading/writing/updating from applications with an active service account for this Firebase project.

Currently, I'm getting an error on my client that says FirebaseError: Missing or insufficient permissions.

I have verified that the service accounts in question are still active and have the appropriate permissions.

I'm guessing that I'm missing something in my security rules.

My current security rules are as follows:

    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if request.auth != null;
        }
      }
    }

Any direction is greatly appreciated.

Upvotes: 1

Views: 796

Answers (1)

Dharmaraj

Reputation: 50830

> I'm trying to configure the Firestore security rules to only allow reading/writing/updating from applications with an active service account for this Firebase project.

The security rules are effective on requests made using the Firebase Client SDKs only. The Admin SDK, which uses a service account, bypasses all security rules and has complete access to your Firebase project. Since the users don't have to log in to your application, you can set all the permissions to false:

    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if false;
        }
      }
    }

With these rules, only the Admin SDK can make requests to Firestore. If you are using runtime config to store your credentials, make sure the service account is in private so it can be accessed on the server side only.

Upvotes: 5
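With every rule set to `if false`, the browser can no longer query Firestore directly, so public reads have to go through server-side code that holds the service account. The following is an added example, not code from the question or the answer: the collection name `articles`, its field names, and the `FIREBASE_SERVICE_ACCOUNT` environment variable are assumptions.

```javascript
// Added example: server-side read path for a Firestore locked with `allow read, write: if false`.
// Assumptions (not from the original post): collection "articles", its field names,
// and the env var FIREBASE_SERVICE_ACCOUNT holding the service-account JSON.

const PUBLIC_FIELDS = ['title', 'summary', 'publishedAt'];
const MAX_PAGE_SIZE = 50;

// Copy only allow-listed fields so internal fields never reach the browser.
function toPublicArticle(id, data) {
  const out = { id };
  for (const field of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(data, field)) out[field] = data[field];
  }
  return out;
}

// Clamp a client-supplied page size; anything invalid falls back to 10.
function clampLimit(raw) {
  const n = Number.parseInt(raw, 10);
  if (!Number.isInteger(n) || n < 1) return 10;
  return Math.min(n, MAX_PAGE_SIZE);
}

// Runs only on the server. The Admin SDK is not evaluated against security rules,
// so this function is the access-control point for public reads.
async function listPublicArticles(db, rawLimit) {
  const snap = await db
    .collection('articles')
    .orderBy('publishedAt', 'desc')
    .limit(clampLimit(rawLimit))
    .get();
  return snap.docs.map((doc) => toPublicArticle(doc.id, doc.data()));
}

// Build the Admin Firestore handle from a server-only secret.
async function initAdminDb() {
  const { initializeApp, cert } = await import('firebase-admin/app');
  const { getFirestore } = await import('firebase-admin/firestore');
  const serviceAccount = JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT);
  initializeApp({ credential: cert(serviceAccount) });
  return getFirestore();
}
```

Call `initAdminDb()` once at server start and pass the result to `listPublicArticles` from a server route; neither function should be imported into client-side bundles.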
