When i use firebase deploy --only functions to deploy cloud functions for firebase, i discover, that this functions are deployed with the authentication flag allUsers.
How can i deploy firebase cloud function with private by default as mentioned here ?
There is no way to set this access control level of Cloud Functions through the Firebase CLI. It currently indeed always sets the access to allow all users. It sounds like a reasonable request to allow control of this though, so I'd file a feature request and possibly a PR on the repo.
For now: if you want to set this access level, you will have to do so in the Cloud console as explained in the Google Cloud documentation on controlling access on a function.
Related
In a Firebase Cloud Function I want to trigger other functions on command (these would be http functions, since I don't think there's another way to do this). I want to make these functions not callable by any user, but only from the admin sdk, from other cloud functions. How should I do that?
HTTP functions deployed by the Firebase CLI are made public by default. You can choose not to make them public by configuring them to not allow public access (requiring authentication). This requires some knowledge about how the underlying Cloud Functions infrastructure works in Google Cloud Platform (Firebase does not expose all these details). The documentation for securing functions starts here.
If you choose not to allow unauthenticated access, you will have to provide IAM account credentials in the request from the code that you do want to allow to invoke the function.
I have a Cloud Function that should only be invoked by a GKE cluster I'm also hosting. I'd also like to use Firebase Hosting to make a nice url. If I set up the Cloud Function Invoker role on that function to only allow the service account set up on that GKE cluster, will Firebase Hosting proxy that service account and thus still limit access to the Function to only the Invoker role? Or would I need to use something like Cloud Endpoints to achieve that?
If it's not supported with Firebase Hosting, can I still use the Firebase CLI to at least deploy the function and maintain the Invoker role set up? That is, will Firebase reset the Invoker role to allow All Users each time I deploy the Function?
I could test all this to determine the behavior, but I thought I'd ask the question first in case there's a better approach.
Firebase Hosting URLs are always public and Cloud Functions are proxied via public HTTP. You won't be able to restrict access to a function without Hosting also being unable to access it.
You should be able to restrict access to an HTTP function deployed by Firebase by:
Deploy it (it will be public for a brief time)
Modify the IAM for the function from the Google Cloud console
Redeploying the function via Firebase CLI shouldn't change any existing invoker roles (I haven't tried this, but it should work).
Firebase Cloud Functions run on top of GCP, so, do they support using a vpc connector?
What I'm trying to achieve is to limit a forward-proxy server to only accept requests from the internal network, but since Cloud Functions doesn't support static IPs, the only way would be via vpc connector.
This seems now to be handled in latest firebase-tools v8.9.0 version.
Must be used in conjunction with firebase-functions v3.11.0 or higher
https://github.com/firebase/firebase-tools/releases/tag/v8.9.0
functions
.runWith({
vpcConnector: 'test-connector',
vpcConnectorEgressSettings: 'PRIVATE_RANGES_ONLY'
})
.auth.user()
.onCreate((user) => user);
Cloud Functions for Firebase doesn't actually run "on top of" GCP. Firebase just adds tools and SDKs that make Cloud Functions easier to use for some developers. The core Cloud Functions product is exactly the same, no matter if you're building and deploying with Firebase tools or gcloud.
You should still be able to configure a VPC connector for functions deployed with the Firebase CLI. You will just not able able to configure it on the command line like you can with gcloud. Instead, you will have to configure the connector in the Cloud console after deploying the function, exactly as described in the documentation you linked to.
Since Firebase is just a wrapper for Google Cloud Functions, just bypass the Firebase CLI and use the one with more parameters. (Google Cloud CLI)
i.e.
$ gcloud functions deploy <function_name> --trigger-http --runtime nodejs10 --vpc-connector projects/<your_project_name>/locations/<your-vpc-region>/connectors/<vpc_name> --service-account <your-role-name>
Source:
https://cloud.google.com/functions/docs/networking/connecting-vpc
When emulating firebase functions locally is there a way to change the function timeout from the default 60s?
--idlePruneInterval has been added as an option to the google cloud emulator CLI: https://github.com/GoogleCloudPlatform/cloud-functions-emulator/issues/66
This option doesn't appear to work is not officially supported in either the firebase serve mode:
firebase serve --only functions --idlePruneInterval=5000
or the experimental shell emulation:
firebase experimental:functions:shell --idlePruneInterval=5000
Is there another way around this problem? Perhaps editing a config file?
The Cloud Functions emulator from Firebase is separate from the one provided by the Google Cloud Platform org. The command line parameters from one won't necessarily work on the other.
My Firebase project uses several different storage buckets used by cloud function storage triggers. Although I can change the default bucket for a particular cloud storage function in the console or using CLI after deploying it, I was wondering if there was a way to configure these settings (bucket, memory limit, zip-deployment location) in firebase.json and pick them up automatically during deploy. Sometimes deployment of the entire project resets the cloud function settings, which causes issues for our users. Thanks!
If you want to configure values to consume in your functions, use environment configuration.
From the CLI:
firebase functions:config:set someservice.key="THE API KEY" someservice.id="THE CLIENT ID"
Then in a function:
functions.config().someservice.key