is there any way for a developer who has access to the Firebase console to be restricted access to the real-time database, preventing them from reading and writing any data directly?
When you add a collaborator to the Users and permissions panel of the Firebase console, you can set what permissions they have. The defaults are Owner, Editor, and Viewer, with the latter granting read-only access to all (Firebase and Cloud) products in the console.
You can also choose Assign Firebase role(s), in which case you can select per Firebase product what permission the user has. In this case you can exclude them from having access to the Firebase Realtime Database.
Related
My application has Firebase users (i.e. users created in Firebase Authentication, NOT in Firebase IAM or in GCP IAM). These users are not linked to a G Mail or Google Workspaces (formerly G Suite) account, and are not part of my organization.
I need to grant each of these users write access (not read) to a Cloud Storage bucket (1 user = 1 bucket), while not allowing any kind of access to that bucket to unauthenticated users or to other Firebase users.
How would I go about doing that?
I have tried verifying auth and generating a presigned URL from my Cloud Functions backend, but it has turned out a bit problematic with uploading thousands of files, which is why I'm looking at alternatives.
Time-limited access is not a requirement for me either way (I'm fine with users only having a few hours of access or having forever access). Also, if one bucket per user is too problematic, one folder per user, all inside the same bucket, would also be acceptable.
I know that in AWS I could use Cognito User Pools for the users, and then link the users to an Identity Pool so they can obtain temporary AWS credentials with the required scope, but I haven't been able to find the equivalent in GCP. The service comparison table hasn't helped in this regard.
I realize I might have the wrong idea in my head, coming from AWS. I don't mind if I have to link my Firebase users to GCP IAM users or to Firebase IAM users for this, though to me it sounds counter-intuitive, and I haven't found any info on that either. Maybe I don't even need GCP credentials, but I haven't found a way to do this with a bucket ACL either. I'm open to anything.
Since your users are signed in with Firebase Authentication, the best way to control their access is through security rules that sit in front of the files in your storage bucket when you access them through the Firebase SDK.
Some example of common access patterns are only allowing the owner of a file to access it or attribute or role based access control.
When implementing security rules, keep in mind that download URLs that you can generate through the Firebase SDK (if have read access to a file) provide public read-only access to the file too. These download URLs bypass the rules, so you should only generate them for files that you want to be publicly access to anyone with that URL.
I am new to firebase and I have developed an app which can save documents. I want to assign a role to my team member who can view "Real-Time Data" but not the "Storage" as few files are confidential. The team mate should not have access to view storage files in firebase.
Can I do this by adding rules in firebase? If yes, how?
If I cannot do this, what is the alternate?
Within the Firebase console you can assign these broad roles to the collaborators on a project:
As you can see, Database and Storage are in the same role here, so you can't assign different permissions for them.
Luckily you can also define a custom role in the Cloud console, which allows you fine grained control over what a collaborator can do.
You'll want to read the documentation on granting, changing and revoking access in the Cloud documentation, and then build a role that has the necessary Firebase product-level predefined roles. Since you want the collaborator to only have access to Realtime Database, you'll need one of these:
Role: Firebase Realtime Database Admin
roles/firebasedatabase.admin
Description: Full read/write access to
Realtime Database resources
Realtime Database Admin permissions:
firebasedatabase.instances.create
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedatabase.instances.update
Role: Firebase Realtime Database Viewer
roles/firebasedatabase.viewer
Description: Read-only access to Realtime Database resources
Realtime Database Viewer permissions:
firebasedatabase.instances.get
firebasedatabase.instances.list
Is there a way to make the cloud firestore database entries for a specific collection private or hidden in firebase console making them unreadable / unaccessible from even the project owner accounts?
You can add users to your project with different roles (owner, editor or viewer) but it's for the entire project. You cannot add users with custom privilege to access for instance, only a collection or a subcollection.
No, this is not possible. What you can do is create a new firestore project and restrict which users have access to that specific project. However, all users on that project will have access to that entire database.
I need to grant permissions to a user for my Firebase project. But this user should only have access to adding data on Real-Time Firebase Database. I think it should be done here:
User can only add and delete data in firebaseDatabase and nothing more here:
How do I set permissions for this user?
There currently is no way to give product-level permissions to a collaborator on the Firebase console. Either they have access to the console, or they don't have access. You can give them read-only access, but that doesn't sound like what you need.
I have a Firebase app, and I want to know if it's possible to restrict a Firebase Console user to access only to the "Authorizations" tab. (to CRUD users). The access must be by the Firebase (regular) Web Console
Especially, I don't want the user to see the database data via the web console. Is that possible? I've managed to give him access to the entire project, and he can do anything I can do (is an Admin).
I haven't found nothing about this in the docs / searching.
firebaser here
Collaborators on a project currently have access to the entire Firebase Console. You can limit to having read-only access, but you currently can't limit what panels they have access to.
We've heard the request before and know this would expand the usefulness of the Firebase Console. I recommend that your file a feature request, to add your vote.