Firebase Cloud Function only triggerable by another function - firebase

In a Firebase Cloud Function I want to trigger other functions on command (these would be http functions, since I don't think there's another way to do this). I want to make these functions not callable by any user, but only from the admin sdk, from other cloud functions. How should I do that?

HTTP functions deployed by the Firebase CLI are made public by default. You can choose not to make them public by configuring them to not allow public access (requiring authentication). This requires some knowledge about how the underlying Cloud Functions infrastructure works in Google Cloud Platform (Firebase does not expose all these details). The documentation for securing functions starts here.
If you choose not to allow unauthenticated access, you will have to provide IAM account credentials in the request from the code that you do want to allow to invoke the function.
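One way the calling function can supply those credentials, shown as an added example that is not part of the original answer: it asks the metadata server for an ID token minted for the runtime service account and sends it as a bearer token. The names `callPrivateFunction` and `fetchImpl` are hypothetical; using the function URL without its query string as the audience is an assumption.

```javascript
// Added example. Runs inside Cloud Functions / Cloud Run, where the metadata
// server is reachable. fetchImpl is injectable so the logic can be tested offline.
const METADATA_IDENTITY_URL =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity';

// Ask the metadata server for a Google-signed ID token scoped to `audience`.
async function fetchIdToken(audience, fetchImpl = fetch) {
  const url = `${METADATA_IDENTITY_URL}?audience=${encodeURIComponent(audience)}`;
  const res = await fetchImpl(url, { headers: { 'Metadata-Flavor': 'Google' } });
  if (!res.ok) throw new Error(`metadata server returned HTTP ${res.status}`);
  const token = (await res.text()).trim();
  // An ID token is a JWT: three dot-separated segments.
  if (token.split('.').length !== 3) throw new Error('unexpected token format');
  return token;
}

// Call an HTTP function that does not allow unauthenticated access.
async function callPrivateFunction(targetUrl, payload, fetchImpl = fetch) {
  const u = new URL(targetUrl);
  if (u.protocol !== 'https:') {
    throw new Error('refusing to send an ID token over a non-HTTPS URL');
  }
  // Assumption: the audience is the function URL without its query string.
  const audience = u.origin + u.pathname;
  const token = await fetchIdToken(audience, fetchImpl);
  const res = await fetchImpl(targetUrl, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${token}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(payload),
  });
  if (res.status === 401 || res.status === 403) {
    // The caller's service account needs the invoker role on the target.
    throw new Error(`target rejected the caller (HTTP ${res.status})`);
  }
  return res;
}
```

The caller's runtime service account must hold the Cloud Functions Invoker role on the target function, otherwise the request is rejected.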

Related

Does "allUsers" in Cloud Functions allow only the users of my app?

I recently started working with firebase functions. My intention is to have a function that "all users" within my app can use. More specifically I want everyone that is signed in to their account to be able to call this function. You can't reach calling the function without being logged in.
Would it be appropriate to use the authentication "allUsers" to this function in google cloud, or does this tag mean more than what I specified?
The Cloud Functions setting "allUsers" allows all users, not just those of your app. If you want to restrict usage to just the users of your app, have a look at Firebase App Check which you can use to enforce this requirement.
As @ESun commented too, if your users are signing in with Firebase Authentication, you can validate that too. See How to protect firebase Cloud Function HTTP endpoint to allow only Firebase authenticated users?

How to Firebase cloud function deploy privately

When I use firebase deploy --only functions to deploy Cloud Functions for Firebase, I discover that these functions are deployed with the authentication flag allUsers.
How can I deploy a Firebase Cloud Function as private by default, as mentioned here?
There is no way to set this access control level of Cloud Functions through the Firebase CLI. It currently indeed always sets the access to allow all users. It sounds like a reasonable request to allow control of this though, so I'd file a feature request and possibly a PR on the repo.
For now: if you want to set this access level, you will have to do so in the Cloud console as explained in the Google Cloud documentation on controlling access on a function.

Can I use Cloud Functions Invoker role with firebase functions?

I have a Cloud Function that should only be invoked by a GKE cluster I'm also hosting. I'd also like to use Firebase Hosting to make a nice url. If I set up the Cloud Function Invoker role on that function to only allow the service account set up on that GKE cluster, will Firebase Hosting proxy that service account and thus still limit access to the Function to only the Invoker role? Or would I need to use something like Cloud Endpoints to achieve that?
If it's not supported with Firebase Hosting, can I still use the Firebase CLI to at least deploy the function and maintain the Invoker role set up? That is, will Firebase reset the Invoker role to allow All Users each time I deploy the Function?
I could test all this to determine the behavior, but I thought I'd ask the question first in case there's a better approach.
Firebase Hosting URLs are always public and Cloud Functions are proxied via public HTTP. You won't be able to restrict access to a function without Hosting also being unable to access it.
You should be able to restrict access to an HTTP function deployed by Firebase by:
1. Deploy it (it will be public for a brief time)
2. Modify the IAM for the function from the Google Cloud console
Redeploying the function via Firebase CLI shouldn't change any existing invoker roles (I haven't tried this, but it should work).

Which service account is used when running Firebase Cloud Functions?

I'm trying to create a scheduled Cloud Function exporting my Firestore database to create backups. The code is running fine when serving on my local machine (which uses my personal user account with owner role) but fails once deployed. I already found out that I need to add the 'Storage Admin' and 'Datastore Import Export Admin' to the service account used when running the cloud function, but I can't figure out which service account is used for the functions.
Does anyone know which service account is used?
Firebase Cloud Functions use the {project-id}@appspot.gserviceaccount.com service account (App Engine default service account). Roles and permissions added to this service account carry over to the Cloud Functions runtime.
Good to know: When using Google Cloud Functions, the service account being used while running the function can be defined when deploying the function.
You can specify a custom service account with the runWith() method if you prefer not to use the default one nowadays. It accepts a number of RuntimeOptions that can be defined.

Why are Cloud Functions not stopped from writing when using Security rules in Firestore?

I'm using Cloud Firestore as my back-end. I'm using rules so only authenticated users can read some data (private data) and none of them can write. I have also created a function that is triggered when some new content is added to the database. However, when the function is triggered, I'm able to write data even if the rules are set to false.
How to stop that from happening?
Actually, when you access Firestore via a Cloud Function (using the Firebase Admin SDK), none of the security rules apply.
The following documentation https://firebase.google.com/docs/admin/setup explicitly indicates that for the Realtime Database:
"The Admin SDK lets you interact with Firebase from privileged environments to perform actions like Read and write Realtime Database data with full admin privileges."
but it is the same with Firestore.
There is also a note in this Firestore "Get Started" documentation https://firebase.google.com/docs/firestore/security/get-started:
"Note: The server client libraries bypass all Cloud Firestore Security Rules..."
As said above, this not only applies to the Admin SDK but also applies to the other server SDKs, because you use these server SDKs from what Firebase calls "a privileged environment", like your own server (under your control) or Cloud Functions (under your control too, since you are the only one able to deploy Cloud Functions code). See also What is a "trusted server environment" in Firebase?
If you want to restrict the write access for your Cloud Function, you will need to develop specific business logic, in your Cloud Function, to mimic your security rules.
