My file uploads to a Cloud Storage bucket only happen from the Firebase console. What Cloud Storage rule would allow only my Firebase function in the same project to read/write to the bucket?

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      ???
    }
  }
}

1 Answer

Cloud Functions run with administrative access to the project they're a part of. This means you can simply give no regular users access to the bucket, as Cloud Functions bypasses your rules anyway.

From the documentation:

// Access to files through Firebase Storage is completely disallowed.
// Files may still be accessible through Google App Engine or GCS APIs.
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}

Your access from Cloud Functions falls under the "GCS APIs" in the comments above.