Firebase Database rules set to deny all access. But Firebase Functions can access it any way

Question

On Firebase Realtime Database I have the default rules:

{
  "rules": {
  ".read": false,
  ".write": false
  }
}

Which should mean it denies all access, according to the docs. But then I tried this code sample for Firebase Functions. This one about writing to google sheets. At some points in the code, it writes my API Key to my Firebase Realtime Database.

await admin.database().ref(DB_TOKEN_PATH).set(tokens);

And at another point reads my API Key that it had recorded:

const snapshot = await admin.database().ref(DB_TOKEN_PATH).once('value');

And to my surprise: both are working fine despite the security rules. I can go to the Firebase Console and see the API Key recorded in the same Database that is supposed to be denying all access.

What exactly does this mean? Firebase Functions can ignore security rules? Or am I misunderstanding what the security rules mean and my database is actually vulnerable for anyone to read my API Keys?

Answer 1

The Firebase Admin SDK bypasses all security rules. The only thing that rules apply to is access from web and mobile clients, or any time access is done on behalf an authenticated user, such as the Firebase REST API.

The exception to this is that rules apply when the Admin SDK has been initialized with limited privileges, using a given UID.

In a more generalized sense across Firebase and Google Cloud SDKs, any backend SDK that was initialized with a service account also bypasses security rules. This applies to Realtime Database, Cloud Firestore, and Cloud Storage. When these SDKs are initialized with no parameters in Cloud Functions, they will use the project default service account, which will have unrestricted access to these products.