Can I use Cloud Functions Invoker role with firebase functions? - firebase

I have a Cloud Function that should only be invoked by a GKE cluster I'm also hosting. I'd also like to use Firebase Hosting to make a nice url. If I set up the Cloud Function Invoker role on that function to only allow the service account set up on that GKE cluster, will Firebase Hosting proxy that service account and thus still limit access to the Function to only the Invoker role? Or would I need to use something like Cloud Endpoints to achieve that?
If it's not supported with Firebase Hosting, can I still use the Firebase CLI to at least deploy the function and maintain the Invoker role set up? That is, will Firebase reset the Invoker role to allow All Users each time I deploy the Function?
I could test all this to determine the behavior, but I thought I'd ask the question first in case there's a better approach.

Firebase Hosting URLs are always public and Cloud Functions are proxied via public HTTP. You won't be able to restrict access to a function without Hosting also being unable to access it.
You should be able to restrict access to an HTTP function deployed by Firebase by:
1. Deploy it (it will be public for a brief time)
2. Modify the IAM for the function from the Google Cloud console
Redeploying the function via Firebase CLI shouldn't change any existing invoker roles (I haven't tried this, but it should work).

Related

Does "allUsers" in Cloud Functions allow only the users of my app?

I recently started working with firebase functions. My intention is to have a function that "all users" within my app can use. More specifically I want everyone that is signed in to their account to be able to call this function. You can't reach calling the function without being logged in.
Would it be appropriate to use the authentication "allUsers" to this function in google cloud, or does this tag mean more than what I specified?
The Cloud Functions setting "allUsers" allows all users, not just those of your app. If you want to restrict usage to just the users of your app, have a look at Firebase App Check which you can use to enforce this requirement.
As @ESun commented too, if your users are signing in with Firebase Authentication, you can validate that too. See How to protect firebase Cloud Function HTTP endpoint to allow only Firebase authenticated users?

Firebase Cloud Function only triggerable by another function

In a Firebase Cloud Function I want to trigger other functions on command (these would be http functions, since I don't think there's another way to do this). I want to make these functions not callable by any user, but only from the admin sdk, from other cloud functions. How should I do that?
HTTP functions deployed by the Firebase CLI are made public by default. You can choose not to make them public by configuring them to not allow public access (requiring authentication). This requires some knowledge about how the underlying Cloud Functions infrastructure works in Google Cloud Platform (Firebase does not expose all these details). The documentation for securing functions starts here.
If you choose not to allow unauthenticated access, you will have to provide IAM account credentials in the request from the code that you do want to allow to invoke the function.
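The caller's side of that exchange, as an added example that is not part of the original answer: code running on Google Cloud (another function, or a GKE workload with a service account) asks the metadata server for an identity token whose audience is the target function's URL and sends it as a bearer token. The function names and the injected `fetchImpl` parameter are assumptions made for illustration.

```javascript
// Added example: invoke an HTTP function that does NOT allow allUsers.
// The calling service account must hold the Cloud Functions Invoker role
// on the target function.
const METADATA_IDENTITY_URL =
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity";

// Ask the metadata server for an ID token minted for `audience`.
async function fetchIdentityToken(audience, fetchImpl = globalThis.fetch) {
  const url = `${METADATA_IDENTITY_URL}?audience=${encodeURIComponent(audience)}`;
  const resp = await fetchImpl(url, { headers: { "Metadata-Flavor": "Google" } });
  if (!resp.ok) {
    throw new Error(`metadata server returned HTTP ${resp.status}`);
  }
  return (await resp.text()).trim();
}

// POST a JSON payload to the private function with the token attached.
async function callPrivateFunction(functionUrl, payload, fetchImpl = globalThis.fetch) {
  // The audience is the function's own URL.
  const token = await fetchIdentityToken(functionUrl, fetchImpl);
  const resp = await fetchImpl(functionUrl, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(payload),
  });
  if (resp.status === 401 || resp.status === 403) {
    // IAM rejected the call before the function code ran.
    throw new Error(`caller is not an allowed invoker (HTTP ${resp.status})`);
  }
  return resp;
}
```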

Cloud Function Error: Forbidden unless I open function to allUsers

This is a web page located on Firebase Hosting, served dynamically through a rewrite to a Cloud Function.
When browsing to the url, I receive "Error: Forbidden
Your client does not have permission to get URL [/theURL] from this server."
Everything works as long as I have "allUsers" added as a Cloud Functions Invoker on the function via the GCP console. I have confirmed this with testing just throwing that one switch and getting two different results.
I am logged into my Chrome browser with the same Google account as the owner of the GCP project
I am logged in to my Firebase website (Firebase Authentication and Firestore roles management) using the same Google account, with a Firebase __session cookie and all.
This started when I upgraded my Node.js engine from 8 to 10 with the recent warnings from Google that they're dropping support for 8. (I am assuming, but have no real idea, that the version 8 runtime environment didn't have this feature?)
I wrote these Cloud Functions without any knowledge of GCP authentication, so I am relatively confident that my coding inside the Cloud Function is secure, but if there is another layer of security that I could/should be using, I'm all for it.
I will want this website to be publicly accessible, but I can granulate the functions to public vs. non-public if necessary. (Basically, I was writing them as all publicly accessible and internally authenticated/secured anyway.)
I'm not very knowledgeable at all about the GCP authentication requirements, so it's hard for me to pin this down to one central question, but here are some questions I know I don't know:
Should Firebase Hosting be added as a member to GCP's authentication groups, so that GCP only allows service of a Cloud Function to the rewrite requests? It seems that would be the most secure and straightforward method.
Why is GCP telling me I'm forbidden when I'm the owner of the whole doggone project? Does this have to do with Firebase Rewrite or maybe HTTP requests being anonymous? If so, then how does one authenticate for a Cloud Function anyway?
Sorry for the large scope of the question; any guidance in the right direction is much appreciated.
GCP allUsers is not related to Firebase Authentication. They deal with different sets of users. A function should have GCP allUsers invoker permission in order to allow access from web and mobile apps where users are signed in with Firebase Auth. GCP does not check the Firebase user - that is up to the function to do, if it wants, using the Firebase Admin SDK.
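The application-level check that this answer and the earlier Firebase Authentication answer leave to the function, as an added example that is not part of the original posts: a wrapper that rejects requests lacking a valid Firebase ID token even though IAM lets `allUsers` invoke the function. `requireFirebaseUser` and `extractBearerToken` are hypothetical names, and the verifier is injected so the block runs without the Admin SDK installed.

```javascript
// Added example: per-request Firebase user check inside a public function.
// In a deployed function `verifyIdToken` would be
//   (t) => admin.auth().verifyIdToken(t)        // Firebase Admin SDK
// and the wrapped handler would be passed to functions.https.onRequest().

// Pull the token out of "Authorization: Bearer <jwt>"; null if absent/odd.
function extractBearerToken(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer +([A-Za-z0-9\-_.]+)$/i.exec(header);
  return match ? match[1] : null;
}

// Wrap an Express-style handler so it only runs for a verified user.
function requireFirebaseUser(verifyIdToken, handler) {
  return async (req, res) => {
    const token = extractBearerToken(req);
    if (!token) {
      res.status(401).json({ error: "missing bearer token" });
      return;
    }
    let decoded;
    try {
      decoded = await verifyIdToken(token);
    } catch (err) {
      // Expired, malformed or wrong-project token: same answer for all,
      // so the response does not reveal why verification failed.
      res.status(401).json({ error: "invalid token" });
      return;
    }
    // Only the verified uid is trusted; never a uid sent in the body.
    req.user = { uid: decoded.uid };
    return handler(req, res);
  };
}
```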

How to Firebase cloud function deploy privately

When I use firebase deploy --only functions to deploy Cloud Functions for Firebase, I discover that these functions are deployed with the authentication flag allUsers.
How can I deploy a Firebase Cloud Function as private by default, as mentioned here?
There is no way to set this access control level of Cloud Functions through the Firebase CLI. It currently indeed always sets the access to allow all users. It sounds like a reasonable request to allow control of this though, so I'd file a feature request and possibly a PR on the repo.
For now: if you want to set this access level, you will have to do so in the Cloud console as explained in the Google Cloud documentation on controlling access on a function.
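Because this answer says the Firebase CLI grants `allUsers` on deploy, while the first answer on this page expects a redeploy to leave existing invoker bindings alone, a post-deploy check of the function's IAM policy settles it either way. The following is an added example, not code from the answers or from Firebase; the function name, the sample service account and both sample policies are constructed.

```javascript
// Added example: audit a function's invoker bindings after a deploy.
// Input is the JSON printed by
//   gcloud functions get-iam-policy FUNCTION_NAME --format=json
// A "public" finding can be cleared with
//   gcloud functions remove-iam-policy-binding FUNCTION_NAME \
//     --member=allUsers --role=roles/cloudfunctions.invoker
const INVOKER_ROLE = "roles/cloudfunctions.invoker";
const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);

function auditInvokerPolicy(policyJson, allowedMembers) {
  const policy = typeof policyJson === "string" ? JSON.parse(policyJson) : policyJson;
  const allowed = new Set(allowedMembers);
  const granted = new Set();
  const findings = [];
  for (const binding of policy.bindings || []) {
    if (binding.role !== INVOKER_ROLE) continue;
    for (const member of binding.members || []) {
      granted.add(member);
      if (PUBLIC_MEMBERS.has(member)) {
        findings.push({ member, issue: "public" });      // anyone can invoke
      } else if (!allowed.has(member)) {
        findings.push({ member, issue: "unexpected" });  // not on the allowlist
      }
    }
  }
  for (const member of allowed) {
    // An intended caller that lost its binding will start getting 403s.
    if (!granted.has(member)) findings.push({ member, issue: "missing" });
  }
  return findings;
}

// Constructed sample data (not real project output).
const GKE_CALLER = "serviceAccount:gke-caller@example-project.iam.gserviceaccount.com";
const POLICY_AFTER_FIREBASE_DEPLOY = JSON.stringify({
  bindings: [{ role: INVOKER_ROLE, members: ["allUsers", GKE_CALLER] }],
  version: 1,
});
const POLICY_LOCKED_DOWN = JSON.stringify({
  bindings: [{ role: INVOKER_ROLE, members: [GKE_CALLER] }],
  version: 1,
});

console.log(auditInvokerPolicy(POLICY_AFTER_FIREBASE_DEPLOY, [GKE_CALLER]));
console.log(auditInvokerPolicy(POLICY_LOCKED_DOWN, [GKE_CALLER]));
```

Running the audit as a step after every `firebase deploy --only functions` turns a silently reopened function into a failed pipeline.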

Which service account is used when running Firebase Cloud Functions?

I'm trying to create a scheduled Cloud Function exporting my Firestore database to create backups. The code is running fine when serving on my local machine (which uses my personal user account with owner role) but fails once deployed. I already found out that I need to add the 'Storage Admin' and 'Datastore Import Export Admin' to the service account used when running the cloud function, but I can't figure out which service account is used for the functions.
Does anyone know which service account is used?
Firebase Cloud Functions use the {project-id}@appspot.gserviceaccount.com service account (App Engine default service account). Roles and permissions added to this service account carry over to the Cloud Functions runtime.
Good to know: When using Google Cloud Functions, the service account being used while running the function can be defined when deploying the function.
You can specify a custom service account with the runWith() method if you prefer not to use the default one nowadays. It accepts a number of RuntimeOptions that can be defined.
