I have a Firebase account linked to a Google Cloud account. I want to add a collaborator to Firebase, but not allow them to have access to our entire GCP account.
There is no role or ability to create a custom role to grant access to Firebase. Is there a way to do this without granting broad GCP access?
Related
Background
We are building an app which authenticates end user using Firebase Authentication (backed by GCP Identity Platform). At the same time, we leverage some Google API of which permission is set based on IAM Role/Principal. That means the API call is valid only if the caller calls the API with a valid access token of authorized IAM Principal.
According to Doug in this post: How to add Firebase auth user to GCP IAM access policy "IAM doesn't know anything about Firebase Authentication users."
Already tried: Add the Firebase user as an IAM Principal when it's created. It works only for the user signs in user Google account. Otherwise, IAM will throw error "Email addresses and domains must be associated with an active Google Account, Google Workspace account, or Cloud Identity account."
Question: Is there any recommended way to authorize Firebase user accessing Google API? Do I need to build a customized authorization layer in Firebase to keep track of who can access what. Then, use that as a guard to relay the requests to the underlying Google API only if the user is authorized by the authorization logic?
I made a mistake and removed the default IAM role of an Firebase app on Google Cloud Console.
What is the default IAM role on AppEngine?
Is the App Engine Admin the correct one?
As written by #Ferregina in the comment section, the default IAM role for App Engine is the Editor role, which means that any user account with
sufficient permissions to deploy changes to the Cloud project can also run code with read/write access to all resources within that project(i.e. User
account having editor role will also be having viewer role or read/write access).
I have a server side app that does not run on node.js (a Cloudflare Worker), so I'm trying to access Firestore resources via REST calls and not through the Admin SDK.
I have a default service account created automatically for the Admin SDK, and I created another service account manually in the GCP console.
After obtaining an OAuth token for the default service account, I'm able to access protected resources. However, with the newly created service account, I can't access resources even if the security rule is set to if true.
What permissions would I have to give this manually created service account in order to allow it access?
Creating a service account by itself grants no permissions. The Permissions tab in IAM & Admin > Service Accounts shows a list of "Principals with access to this account" - this is not the inheritance of permissions, it's simply which accounts, aka principals, can make use of the permissions granted to this service account. The "Grant Access" button on this page is about granting other principals access to this service account, not granting access to resources for this service account.
For Firestore access specifically - go to IAM & Admin > IAM, and you'll be on the permissions tab. Click "Add" at the top of the page. Type in your newly created service account under "New Principals", and for roles, select "Cloud Datastore Owner".
Note: Firestore is the next generation of Datastore, but this legacy role name has remained.
Giving Admin Rights
I'm using Custom Claims to give admin rights to users, by triggering it when a document in "admins/{userId}" is created.
A Cloud Function then sets the "admin" property in the users custom claims to true. Then the user needs login again and he is admin.
Now I check for the admin Custom Claim in the security Rules of Firestore and Storage, so the user can delete/edit everything.
Revoking Admin Rights???
But when I want to revoke the Admin Rights on a user, how do I make sure that the rights are really revoked everywhere.
For the Firestore I can add an additional check, that also gets the data from the Firestore "admins/{userId}" direction and does not allow access.
BUT if I revoke the Rights and the user does not refresh his token, he can still edit/delete everything in the Firestorage.
And since I can't access Firestore data from the Storage-Security, I can't even double check the "admins/" direction.
So how do I reliably implement an admin functionality for firestore and storage?
As Doug Stevenson says, the token of a 'revoked admin' should expire within an hour after which the refreshed token wouldn't contain the admin custom claim. I think you're on the right track with using Firestore rules to check your 'admins' collection rather than the custom claim.
If immediately revoking rights to Firebase Storage is crucial, you may need to redesign your app so that rather than giving your client direct access to Storage, files can only be accessed through a Firebase Function you build that will validate access authorization against your Firestore 'admins' collection and, if approved, serve the file to the client.
I am using firebase simple-login in my angularjs-app.
Is there any possibility to manage all existing user accounts (not with forge console)?
An admin-user should be enabled to edit and delete these accounts.
When you allow (for example) Twitter users to log in to you Firebase application, all Twitter users can log in to your Firebase application. You can't directly control specific user accounts, unless you implement your own custom authentication.
What you do have control is over what those user accounts have (read and write) access to. You do this through Firebase's security rules. If you'd remove an accounts read/write access from all your data, you've essentially locked them out of your Firebase.
You can programmatically set the security rules through the REST API. See updating security rules through rest api.