Thomas G

Reputation: 50

How to apply firebase storage rule so only Google cloud run API can write?

My goal is to block any write requests that don't come directly from my API in Google Cloud Run.

I think my Firebase Web API key from the general project settings could help, but I can't find the right storage rule that can do this.

I found the storage rule for authenticated users etc., but I don't use Firebase Authentication. Instead I authenticate users in the API that is hosted in Google Cloud Run.

I think it is in this direction but please correct me if I am wrong.

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read: if true;
      allow write: if request comes from my API with the Web API key;
    }
  }
}

sources:

https://firebase.google.com/docs/storage/security/rules-conditions

https://firebase.google.com/docs/storage/gcp-integration

Upvotes: 0

Views: 248

Answers (1)

Frank van Puffelen

Reputation: 599176

There is no way to check what API key is used in the call to Cloud Storage.

But access from Cloud Run usually happens through one of the GCP SDKs/APIs and those access the project with administrative privileges and bypass your security rules altogether.

So you might as well deny all write access from untrusted clients with:

allow write: if false;

Upvotes: 1
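An added example of the pattern this answer describes (it is not code from the question, the answer, or the Firebase docs): with `allow write: if false;` in the rules, browsers and mobile clients can no longer write at all, and the only writer left is the Cloud Run service itself, which uses the google-cloud-storage client under its service account and therefore bypasses the rules. That means every authorization decision (who is logged in, where they may write, what filename is acceptable) now lives in the API and nowhere else. Assumptions in this code: the API issues HMAC-signed session tokens (a placeholder for whatever authentication the asker's API really does), user files live under `users/<user_id>/`, the bucket name is a placeholder, and the `InMemoryStorageClient` is a hypothetical stand-in with the same `bucket().blob().upload_from_string()` call shape so the block runs offline.

```python
"""Cloud Run side of 'rules deny all writes, API writes with its own credentials'.

Added example, not the asker's or answerer's code. The real upload goes through
google-cloud-storage (see main()); InMemoryStorageClient is a hypothetical
stand-in with the same call shape so the logic can be exercised offline.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed demo secret. A real service would load this from Secret Manager.
SESSION_SECRET = b"constructed-demo-secret-not-for-production"

# Allow-list for path components: no '/', no '..', no control characters.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def issue_session_token(user_id: str) -> str:
    """Token the API hands out after its own login check (stand-in scheme)."""
    mac = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session_token(token: str) -> str | None:
    """Return the user id carried by a valid token, or None if it is forged."""
    user_id, _, mac = token.rpartition(".")
    if not user_id:
        return None
    expected = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def object_path_for(user_id: str, filename: str) -> str:
    """Confine each user to users/<user_id>/ and reject traversal attempts.

    Since the Admin-style client bypasses storage rules, nothing downstream will
    stop '../other-user/file' or 'users/bob/x' for us; this check is the gate.
    """
    if not SAFE_COMPONENT.fullmatch(user_id) or user_id in (".", ".."):
        raise ValueError("invalid user id")
    if not SAFE_COMPONENT.fullmatch(filename) or filename in (".", ".."):
        raise ValueError("invalid filename")
    return f"users/{user_id}/{filename}"


def upload_user_file(storage_client, bucket_name: str, token: str, filename: str,
                     data: bytes, content_type: str = "application/octet-stream") -> str:
    """Authenticate the caller, pick the object path, write with server credentials."""
    user_id = verify_session_token(token)
    if user_id is None:
        raise PermissionError("unauthenticated")
    path = object_path_for(user_id, filename)
    # Same calls as google.cloud.storage: Client.bucket() -> Bucket.blob() -> upload.
    blob = storage_client.bucket(bucket_name).blob(path)
    blob.upload_from_string(data, content_type=content_type)
    return path


class InMemoryStorageClient:
    """Hypothetical offline stand-in mirroring the google-cloud-storage call shape."""

    def __init__(self) -> None:
        self.objects: dict[str, dict[str, tuple[bytes, str]]] = {}

    def bucket(self, name: str) -> "InMemoryStorageClient._Bucket":
        return self._Bucket(self.objects.setdefault(name, {}))

    class _Bucket:
        def __init__(self, store: dict) -> None:
            self._store = store

        def blob(self, path: str) -> "InMemoryStorageClient._Blob":
            return InMemoryStorageClient._Blob(self._store, path)

    class _Blob:
        def __init__(self, store: dict, path: str) -> None:
            self._store, self._path = store, path

        def upload_from_string(self, data: bytes, content_type: str) -> None:
            self._store[self._path] = (data, content_type)


def main() -> None:
    # Real Cloud Run path: the client picks up the service's own credentials,
    # so the storage rules are not consulted for this write.
    from google.cloud import storage  # pip install google-cloud-storage

    client = storage.Client()
    token = issue_session_token("alice")  # in practice, taken from the request
    path = upload_user_file(client, "YOUR-FIREBASE-BUCKET", token, "avatar.png",
                            b"\x89PNG...", "image/png")
    print("wrote", path)


if __name__ == "__main__":
    main()
```

The rule `allow write: if false;` and this code are two halves of one design: the rule closes the front door for every SDK that does respect rules, and the API's own token check plus the `users/<user_id>/` confinement is what replaces the per-user conditions the rules would otherwise have provided.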
