0

My application has Firebase users (i.e. users created in Firebase Authentication, NOT in Firebase IAM or in GCP IAM). These users are not linked to a G Mail or Google Workspaces (formerly G Suite) account, and are not part of my organization.

I need to grant each of these users write access (not read) to a Cloud Storage bucket (1 user = 1 bucket), while not allowing any kind of access to that bucket to unauthenticated users or to other Firebase users.

How would I go about doing that?

I have tried verifying auth and generating a presigned URL from my Cloud Functions backend, but it has turned out a bit problematic with uploading thousands of files, which is why I'm looking at alternatives.

Time-limited access is not a requirement for me either way (I'm fine with users only having a few hours of access or having forever access). Also, if one bucket per user is too problematic, one folder per user, all inside the same bucket, would also be acceptable.

I know that in AWS I could use Cognito User Pools for the users, and then link the users to an Identity Pool so they can obtain temporary AWS credentials with the required scope, but I haven't been able to find the equivalent in GCP. The service comparison table hasn't helped in this regard.

I realize I might have the wrong idea in my head, coming from AWS. I don't mind if I have to link my Firebase users to GCP IAM users or to Firebase IAM users for this, though to me it sounds counter-intuitive, and I haven't found any info on that either. Maybe I don't even need GCP credentials, but I haven't found a way to do this with a bucket ACL either. I'm open to anything.

Blueriver
  • 3,212
  • 3
  • 16
  • 33

1 Answers1

2

Since your users are signed in with Firebase Authentication, the best way to control their access is through security rules that sit in front of the files in your storage bucket when you access them through the Firebase SDK.

Some example of common access patterns are only allowing the owner of a file to access it or attribute or role based access control.

When implementing security rules, keep in mind that download URLs that you can generate through the Firebase SDK (if have read access to a file) provide public read-only access to the file too. These download URLs bypass the rules, so you should only generate them for files that you want to be publicly access to anyone with that URL.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • This is awesome, thank you! I've worked with these rules for Firestore, didn't know I could also do this for Storage. One question: Can I use this to grant multiple users access to multiple files? From the doc you linked I know there are Custom functions, and maybe I can use them to access Firestore and store the permissions table there (just who has access to what, no granular access), but can I do that? – Blueriver Mar 09 '22 at 12:57
  • That's currently not possible. See https://stackoverflow.com/questions/54910503/in-firebase-storage-can-i-use-db-get-rules and https://stackoverflow.com/questions/46861983/can-firebase-cloud-storage-rules-validate-against-firestore-data – Frank van Puffelen Mar 09 '22 at 15:05