Firebase - limit service account IAM to one db - firebase

I have a Firebase Realtime Database that I connect to from my Java application using the Admin SDK.
In my project I have multiple databases, but for administrative reasons, I want to create separate service accounts for each one. In other words, I want the service account to have full database access, but only to one particular database.
I was hoping this could be done through Google Cloud IAM but I am having trouble finding how. I tried adding giving the service account "Firebase Realtime Database Admin" permission but with a condition of Name = //mydbname.firebaseio.com but that doesn't work. That is, my Java backend is not able to connect to the database with that condition in place.
Am I on the right track, just using the wrong name? Is there a better way to do this? Thanks.

firebaser here
There currently is no way to do control access per database instance through IAM. It sounds like a reasonable feature though, so I recommend filing a feature request for it.
The best I can think of for now is to authenticate with limited privileges when you initialize the Admin SDK and then check that identity in the security rules of each instance, but that means that the code could also choose to not pass a UID, which may be exactly what you're trying to avoid.

Related

How firebase Admin SDK differs from firebase console web page?

I'm developing an android app with firebase as a backend and I heard a word named Admin SDK. I had searched for it and found it is used to manage data.
But I have a doubt that firebase provides a console webpage (console.firebase.google.com) to manage data, but why there is a separate Admin SDK?
Can someOne please explain...
The firebase admin SDK provides a simple and easy way to modify firebase settings and data using API calls.
For example, you might ask: why should you even have a regular SDK to store data? After all, you can store and save data directly from the web interface. It is, however, simply not secure or practical to have users update their own data each time using the console.
Similarly, the admin SDK is just like the regular SDK but with administrator permissions. For example, it allows you to bypass the rules set up using your firestore rules. The Firebase admin SDK is meant to be used on your backend - so you know it is running trusted software. You know that it will act the way you expect it to, unlike code running client-side that can't be trusted.
For example, let's say that you want to be able to delete a user's post if certain conditions are met. The user will make the request to your server, and it will check if the conditions are met, and then delete the post using its admin privilages. Sure you could technically automate this using firestorm rules, but those can be quite cumbersome and might not work in more complicated examples.
You can also even use it to integrate with other applications like connecting your app to a moderation tool or a curse detector that can't or shouldn't run on the client's device.
Is your question is why does Admin SDK exists?
There are several administrative tasks such as deleting users, listing collections and many more which the client cannot and should not be able to do.
Firebase Admin SDK has admin access to your Firebase project's resources.
It does not obey any security rules and can read/write any of your database, storage bucket..
That is why you must use Admin SDK in a server (or cloud function only). Although I feel Firebase Admin SDK is more useful if you use your own servers and authentication method. If you are using a custom server then:
It can be used to generate custom token so you can authenticate users using your own method (maybe legacy auth system) but still use Firebase Authentication to handle the auth tokens thereafter.
If you use your own database (and not any from Firebase), the Admin SDK can verify the ID Token sent by client and get identity of that user. Thereafter it's could be a simple if-else statement for you to decide if the user has access to the request resource or not.

Generate firebase token with scope for github actions

Is it possible to create a Firebase token using the CLI that only works for a specific project inside the account? The current way using firebase login:ci looks like it can work for all projects inside an account. I am going to use this token for specifically Github action CI work and might pass around other team members.
I have seen questions like this which was asked in 2019.
I'm planning to use the token with this action so any workaround is appreciated.
It's not possible.
When you get a login token, that token represents the user, unrelated to any projects that user might have access to.
If you want to control the per-user access to various projects, you will have to configure that in the console using IAM for each product that you are trying to control. If you give the user permission to make changes in the console, then they implicitly have permission to make the same changes from the CLI.
So you want to authenticate against Firebase to deploy a service within a CI pipeline.
And you want to scope that access to a specific project only to reduce the impact radius, if the token leaks.
firebase login:ci has (I) a too broad scope (all projects you as a user have access to) and (II) is tied to a specific person, which does not scale well if you get ever offboarded from that project...
The solution is to create a Service Account and assign it the necessary role(s).
You will need to make the Service Account key JSON file available on your CI server and set the GOOGLE_APPLICATION_CREDENTIALS respectively
The Github Action you linked provides actually the ability to authenticate via a Service Account. This means you are good to go

Assign specific role (Authentication) to a Firebase Console user

I have a Firebase app, and I want to know if it's possible to restrict a Firebase Console user to access only to the "Authorizations" tab. (to CRUD users). The access must be by the Firebase (regular) Web Console
Especially, I don't want the user to see the database data via the web console. Is that possible? I've managed to give him access to the entire project, and he can do anything I can do (is an Admin).
I haven't found nothing about this in the docs / searching.
firebaser here
Collaborators on a project currently have access to the entire Firebase Console. You can limit to having read-only access, but you currently can't limit what panels they have access to.
We've heard the request before and know this would expand the usefulness of the Firebase Console. I recommend that your file a feature request, to add your vote.

Alternative to Firebase Secret in Firebase 3.x

I need to allow my app to fetch general information available in the Database but without making the information accessible elsewhere. In other words, allowing only my app to access some data.
As far as I know, Anonymous login is not an option for me because at a later stage I am login using email and password.
Basically, I am looking for an alternative to Firebase Secret, in order to allow my app to access the data, but not make that data publicly available by making it .read": "true".
In Firebase 2.x the way to do this was using Firebase Secret, but do not know how to achieve the same access without officially login in.
There is a similar question here, but it asks whether or not it is possible rather than alternatives.
Although the Secrets are deprecated now, you can find it under Project settings -> Service accounts -> Database Secrets.
Instead of the Secret, you should use the Firebase Admin in your project.

Allow Firebase collaborators access to specific nodes

I have an app that uses Firebase and I have a few people that need to be able to update data in the Firebase Dashboard. Luckily, Firebase added the feature to add collaborators. But the problem is, I don't want these collaborators to have access to every node of the JSON. Is there a way that I can assign collaborators specific access to certain nodes of the data structure or no?
Any feedback would be great. Thanks!
Collaborators on the Firebase project/app have access to all data. There is no way to limit that.
It sounds like you are looking to add application administrator. For this you'll have to develop your own application dashboard, where you add such functionality. These application administrators are then just regular users of your app and you can use Firebase security rules to determine what data they have access to.
Very similar: Stopping accidental deletion of a firebase DB via Firebase Dashboard

Resources