I'm using firebase cloud functions to run a REST API, and I have a firebase repo set up via firebase init.

Right now I'm having to manually go into the web console to change the permissions on each firebase function, but I was wondering if there's a way I can write a rules file that will automatically set permissions on deployment via firebase CLI.

From research I see that you can do this with the database.rules.json for the DB and firestore.rules / storage.rules for each of the respective resources. But I can't see any equivalent functions.rules nor have I been able to find answers in documentation for this.

(These rule files are documented - https://firebase.google.com/docs/rules/manage-deploy) but I haven't been able to find any equivalent documentation yet for functions.

Marc Anthony B
Royalelk

1 Answer

For your use case, you could use the Admin SDK to implement it in your cloud function. See the sample code below:

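```js
const admin = require('firebase-admin');

// Uses the default credentials of the environment (e.g. inside Cloud Functions).
admin.initializeApp();

const source = `service cloud.firestore {
  match /databases/{database}/documents {
    match /carts/{cartID} {
      allow create: if request.auth != null && request.auth.uid == request.resource.data.ownerUID;
      allow read, update, delete: if request.auth != null && request.auth.uid == resource.data.ownerUID;
    }
  }
}`;
// Alternatively, load rules from a file
// const fs = require('fs');
// const source = fs.readFileSync('path/to/firestore.rules', 'utf8');

// Create a ruleset from the source and apply it to Firestore.
async function releaseRules() {
  await admin.securityRules().releaseFirestoreRulesetFromSource(source);
}

releaseRules().catch(console.error);
```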

For Firebase Storage, you can use releaseStorageRulesetFromSource().

It's up to you how to use it to implement whatever you're trying to achieve.


For more guidance and information, you may check this documentation:

Marc Anthony B
  • Thanks for the response - I've looked through that documentation and I'm confused by two things. First of all, where would that code live? I was hoping to have these rule updates be triggered on the deployment via CLI - would I make another function that is triggered by function deployment? I also wasn't able to find examples of using it for cloud functions - the example above is for firestore, and when I look up the documentation for the admin SDK / security I see information on security rules for firebase, firestore, and storage - but not cloud functions. Am I missing something? – Royalelk Jun 16 '22 at 04:04
  • You just have to install the Admin SDK package and create a function for your ruleset. As I mentioned, it's up to you how to implement it, and yes, you could make another function that is triggered by function development. For Admin SDK, you could set Firebase Firestore Rules and Firebase Firestore Storage Rules. I've added to my answer documentation for the Security Rules class which you can refer to. I think you are confused about the cloud functions. Cloud functions don't have any ruleset. Their security relies on IAM Roles and Service Accounts permissions. – Marc Anthony B Jun 17 '22 at 02:24
  • Is your question concerned about the security of the cloud functions? Firebase functions can be set as authorized or unauthorized execution upon deployment. If you set it to be unauthorized then the endpoint can be triggered by anyone who knows the endpoint. If it's set to be authorized then the caller should be authenticated first before calling the endpoint. It relies on your IAM Roles and Service Accounts permissions. – Marc Anthony B Jun 17 '22 at 02:35
  • Marc - By default, firebase cloud functions are not exposed to the internet - you'll get a 401 unless you go into their permissions and allow for allUsers to invoke them. Right now, every time I write a new function I have to go into my firebase console and manually change the setting to expose it to the internet (I am handling the auth inside the functions themselves). I'm not concerned with the security of them - I just want to be able to use them as a REST api without manually changing permissions. I'm aware you can set rules for firestore and storage, but you can't for cloud functions. – Royalelk Jun 18 '22 at 03:40
  • I'm also very familiar with IAM roles (at least from AWS) - but I can't find any documentation on how I would apply an IAM ruleset to a firebase cloud function. I know you can do so in GCP, but firebase appears to abstract away this part of cloud functions - is there any way for me to get under the hood? I'd love to be able to write this as an IAM instead for the permission - I just can't find an option to set up IAM in firebase for cloud functions anywhere. – Royalelk Jun 18 '22 at 03:42
  • Please check this [thread](https://stackoverflow.com/questions/60217947/gcp-how-to-grant-a-role-to-a-service-account-on-a-firestore-collection/60218004#60218004) and see if it helps. – Marc Anthony B Jun 21 '22 at 00:36
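
The comments above establish that a function's reachability is an IAM setting (a public function has `allUsers` as an invoker) rather than something a rules file controls. As an added example, not code from the original posts: a post-deploy check that reads each function's IAM policy JSON and reports functions that are public without being on the intended list, or intended to be public but still private. The function names and sample policies are constructed; `roles/cloudfunctions.invoker` and `roles/run.invoker` are the invoker roles for 1st and 2nd gen functions.

```javascript
// Added example: audit Cloud Functions IAM policies for public invoker bindings.
// Policies use the standard IAM policy JSON shape ({ bindings: [{ role, members }] }),
// e.g. as printed by `gcloud functions get-iam-policy NAME --format=json`.

const PUBLIC_MEMBERS = new Set(['allUsers', 'allAuthenticatedUsers']);
// 1st gen functions use cloudfunctions.invoker; 2nd gen are invoked via run.invoker.
const INVOKER_ROLES = new Set(['roles/cloudfunctions.invoker', 'roles/run.invoker']);

// Return every public principal that is allowed to invoke the function.
function publicInvokers(policy) {
  const findings = [];
  for (const binding of (policy && policy.bindings) || []) {
    if (!INVOKER_ROLES.has(binding.role)) continue;
    for (const member of binding.members || []) {
      if (PUBLIC_MEMBERS.has(member)) {
        findings.push({ role: binding.role, member, conditional: Boolean(binding.condition) });
      }
    }
  }
  return findings;
}

// Compare actual exposure with the list of functions meant to be public.
function auditFunctions(policies, intendedPublic) {
  const intended = new Set(intendedPublic);
  const report = { unexpectedPublic: [], notExposed: [] };
  for (const [name, policy] of Object.entries(policies)) {
    const isPublic = publicInvokers(policy).length > 0;
    if (isPublic && !intended.has(name)) report.unexpectedPublic.push(name);
    if (!isPublic && intended.has(name)) report.notExposed.push(name);
  }
  return report;
}

// Constructed sample policies (function names are hypothetical).
const samplePolicies = {
  api: { bindings: [{ role: 'roles/cloudfunctions.invoker', members: ['allUsers'] }] },
  nightlyExport: { bindings: [{ role: 'roles/cloudfunctions.invoker', members: ['allUsers'] }] },
  newEndpoint: { bindings: [{ role: 'roles/cloudfunctions.invoker',
    members: ['serviceAccount:ci@example-project.iam.gserviceaccount.com'] }] },
  admin: { bindings: [{ role: 'roles/viewer', members: ['allUsers'] }] },
};

console.log(auditFunctions(samplePolicies, ['api', 'newEndpoint']));
```

Run in CI after `firebase deploy`, a non-empty `unexpectedPublic` list is the case to fail the build on, since it means an endpoint is reachable by anyone without having been reviewed as public.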