I am using firebase realtime database. Sometimes denies appear on the monitor rules page. I can't find which child has access denied. There doesn't seem to be a problem with the code. The security rules look fine too.
today I ran this code "firebase database:profile" and "firebase database:profile -o, --output filename" in terminal and created a profile today. All values in the Permission Denied column in the profile output are zero. but 67 denies appear on the monitor rules page from the browser. How do I find which child is access denied ? (for example: /user/info or /tflist/name. like this, I can't find exactly where there is an access problem.)
note: I tried to do it with Cloud Monitoring, but I couldn't find it too complicated. just the number of access blocks I can find. it does not show which child access is blocked there either.
Related
I would like to ask for the help of people familiar with Firebase functions. I am struggling with the problem that uploading the code via firebase cli fails. It was working a few days ago, I didn't change anything in the world, I mean through the configuration. And it gets stuck at a part where not even a code change was made. I have had this problem ever since the client set the editor role to the owner role. But in theory this shouldn't be a problem.
firebase deploy --debug returns this:
{"error":{"code":403,"message":"Unable to retrieve the repository metadata for projects/{projectname}/locations/us-central1/repositories/gcf-artifacts. Ensure that the Cloud Functions service account has 'artifactregistry.repositories.list' and 'artifactregistry.repositories.get' permissions. You can add the permissions by granting the role 'roles/artifactregistry.reader'.","status":"PERMISSION_DENIED"}}
I set it up but it still doesn't work. Maybe in the wrong place or I don't know. I only encountered similar problems on the net, but none of them helped. I do not know what to do. Artifactregistry api is also enabled.
firebase functions:log :
2022-11-09T22:15:55.891760Z E friendRequestNotification: {"#type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{"code":7,"message":"Unable to retrieve the repository metadata for projects/{projectname}/locations/us-central1/repositories/gcf-artifacts. Ensure that the Cloud Functions service account has 'artifactregistry.repositories.list' and 'artifactregistry.repositories.get' permissions. You can add the permissions by granting the role 'roles/artifactregistry.reader'."},"authenticationInfo":{"principalEmail":"{email}"},"requestMetadata":{"callerIp":"{ip}","callerSuppliedUserAgent":"FirebaseCLI/11.16.0,gzip(gfe),gzip(gfe)","requestAttributes":{"time":"2022-11-09T22:15:56.055987Z","auth":{}},"destinationAttributes":{}},"serviceName":"cloudfunctions.googleapis.com","methodName":"google.cloud.functions.v1.CloudFunctionsService.CreateFunction","authorizationInfo":[{"resource":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","permission":"cloudfunctions.functions.create","granted":true,"authorizationLoggingOptions":{"permissionType":"ADMIN_WRITE"},"resourceAttributes":{}}],"resourceName":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","request":{"function":{"sourceUploadUrl":"https://storage.googleapis.com/uploads-760418412171.us-central1.cloudfunctions.appspot.com/6d1f7217-7899-484f-911c-1dbcb4512d8d.zip?GoogleAccessId=service-{}#gcf-admin-robot.iam.gserviceaccount.com&Expires={}","labels":{"deployment-tool":"cli-firebase","firebase-functions-hash":"{hash}"},"runtime":"nodejs16","dockerRegistry":"ARTIFACT_REGISTRY","entryPoint":"friendRequestNotification","name":"projects/{projectname}/locations/us-central1/functions/friendRequestNotification","eventTrigger":{"eventType":"providers/cloud.firestore/eventTypes/document.create","resource":"projects/{projectname}/databases/(default)/documents/users/{userId}/friends/{friendId}"}},"location":"projects/{projectname}/locations/us-central1","#type":"type.googleapis.com/google.cloud.functions.v1.CreateFunctionRequest"},"resourceLocation":{"currentLocations":["us-central1"]}}
I have already tried all options within the Google cloud iam&admin settings, but nothing.
Well, I solved the issue by updating my credit card. Basically, billing was disabled because my credit card was expired and all the permissions were disabled.
Try to enable the created artifacts for your project on Google Cloud Console
https://console.cloud.google.com/artifacts
I have an automated process to update a Firebase project's Firestore and storage rules. It always throughs permission denied errors. I've tried a combination of the predefined IAM roles such as Firebase Rules Admin, Firebase Rules System, and Firebase Rules Viewer. and even a combination of all three failed.
When giving the service account the Firebase Admin IAM role, it worked; however, I'd like to avoid giving this service account excess permissions due to best security practices following the principle of least privilege.
I found this documentation for specific permissions needed: https://firebase.google.com/docs/projects/iam/permissions#security-rules but after creating a new IAM role with all 13 of the permissions, it was still denied.
What is the correct set of least permissions needed to only allow the service account to update rules and rules only? (Firestore and storage)
I don't know the answer but here's how I'd work it out.
Firebase Admin is defined under Firebase-level roles:
https://firebase.google.com/docs/projects/iam/roles-predefined-all-products
NOTE Apologies, was unable to grab a link to the specific role on mobile
This shows all the permissions.
You should be able to determine which permissions are missing by checking the permissions of the other roles that you tried.
It would be helpful if you include the command and the specific errors that you received. Usually (!) these help scope the permission(s) that are missing.
I have an app in production environment with remote logging of the client side errors. I get now and then this Firebase (firestore) security rules error:
FirebaseError: Missing or insufficient permissions.
When I check on the rules console, I can see that those errors are actually reported, but I have now way to see which rule specifically has provoked the error. I have no way to trace back which part of my client side code is triggering this error.
Any suggestions to find it? Any log from the Google console where I can dive?
In production no details are logged anywhere about what specific part of your security rules failed.
The two most common approaches to finding this are based on "replaying" the scenarios in your app:
In the rules playground in the Firebase console.
In the emulator suite, and its debug function.
In both cases I find it easiest to use a divide and conquer approach, enabling/disabling large chunks of my rules at a time to zoom in on what check might be rejecting the operation.
Is there any way to see the specific collection / rule that is failing in Firestore? I've looked in firestore-debug.log (running on localhost) as well as in the Firebase UI. Firestore logs the error to the console, but does not include the information I need to debug the permissions:
Firebase intentionally does not disclose information about what rule is failing, as it would give malicious users information you don't want them to have.
The best information is typically available in the emulator in the Firebase console, which tells you what specific rule has failed.
Error messages delivered to the client SDK will never show the root cause of the rejection, as that would reveal something about the security measure to a potential attacker.
If you want to test and debug your security rules locally before you deploy, you can use the Firebase emulator suite to get detailed information about how your rules are working with client code that would make queries against them.
https://firebase.google.com/docs/firestore/security/test-rules-emulator
https://firebase.google.com/docs/rules/emulator-setup
I have a Firebase app, and I want to know if it's possible to restrict a Firebase Console user to access only to the "Authorizations" tab. (to CRUD users). The access must be by the Firebase (regular) Web Console
Especially, I don't want the user to see the database data via the web console. Is that possible? I've managed to give him access to the entire project, and he can do anything I can do (is an Admin).
I haven't found nothing about this in the docs / searching.
firebaser here
Collaborators on a project currently have access to the entire Firebase Console. You can limit to having read-only access, but you currently can't limit what panels they have access to.
We've heard the request before and know this would expand the usefulness of the Firebase Console. I recommend that your file a feature request, to add your vote.