5

For security reasons I would only like the cloud functions to be able to access my Firestore data. Then have my app call my cloud functions for data.

I can't find any docs about locking down your database so that only your cloud functions can access it.

Renaud Tarnec
Ruan

1 Answer

18

You just have to deny all access as follows:

```
// Deny read/write access to all users under any conditions
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

As a matter of fact, Cloud Functions run with administrative privilege and therefore they will totally bypass the security rules.

Renaud Tarnec
  • That's it? Admin just has access no matter what you do? So just lock it down hard. Sweet. Worked great, thanks. – Ruan Jan 16 '20 at 09:07
  • Yes, that's all you need to do. Firebase Admin SDK (and other server SDKs) "are initialized using a service account instead of an end user Firebase Authentication account. Queries from the server SDKs are considered “privileged” and completely bypass all security rules" ([Reference](https://medium.com/firebase-developers/should-i-query-my-firebase-database-directly-or-use-cloud-functions-fbb3cd14118c)). Please accept the answer if it solved your problem. Thanks. – Renaud Tarnec Jan 16 '20 at 09:13
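
An added example, not part of the original answer or comments: because Admin SDK reads bypass the deny-all rules, the callable function has to perform the authorization the rules no longer do. The `profiles` collection, the `displayName` and `plan` fields and the function names are assumptions made for illustration.

```javascript
// Added example. With deny-all rules, the callable function is the only
// authorization check left: Admin SDK reads are not filtered by rules.

// `auth` has the shape of context.auth in a callable function: undefined
// when the caller is not signed in, otherwise { uid, token }.
function resolveProfilePath(auth, data) {
  if (!auth || typeof auth.uid !== 'string' || auth.uid === '') {
    throw Object.assign(new Error('Sign-in required'), { code: 'unauthenticated' });
  }
  const requested = data && data.uid !== undefined ? data.uid : auth.uid;
  // Only the caller's own document; a client-supplied id is never trusted.
  if (requested !== auth.uid) {
    throw Object.assign(new Error('Not your profile'), { code: 'permission-denied' });
  }
  return `profiles/${auth.uid}`; // `profiles` is an assumed collection name
}

// Handler body; `db` is the Firestore instance from the Admin SDK.
async function getProfile(db, data, context) {
  const snap = await db.doc(resolveProfilePath(context.auth, data)).get();
  if (!snap.exists) return null;
  const { displayName, plan } = snap.data(); // explicit field allow-list (assumed names)
  return { displayName, plan };
}

// Wiring in functions/index.js (requires firebase-admin and firebase-functions):
//   const admin = require('firebase-admin');
//   const functions = require('firebase-functions');
//   admin.initializeApp();
//   exports.getProfile = functions.https.onCall((data, context) =>
//     getProfile(admin.firestore(), data, context));
//   // Rethrow the two authorization errors above as
//   // new functions.https.HttpsError(err.code, err.message).

// Constructed in-memory stand-in for Firestore so the example runs offline.
function fakeDb(docs) {
  return { doc: (path) => ({ get: async () => ({
    exists: path in docs, data: () => docs[path] }) }) };
}

// Constructed sample data: the caller gets only the allow-listed fields.
const sampleDb = fakeDb({
  'profiles/alice': { displayName: 'Alice', plan: 'free', billingRef: 'constructed-value' },
});
getProfile(sampleDb, {}, { auth: { uid: 'alice' } }).then((p) => console.log(p));
```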