Use a CDN to access Firebase Storage objects through their Download URL?

1
votes

I have image files in Firebase Storage what have Download URLs. I can access these just fine through the Download URLs.

I have set up a Google Cloud Platform CDN to point at my Firebase Storage bucket. When I try to access images in the bucket, I get an Access denied. response.

The instructions for setting up a GCP CDN pointed to a Bucket say to use the format: https://[IP_ADDRESS]/static/[REGION]/[OBJECT_NAME]

I used the external load balancer IP Address, "us" for the region, and I have tried several things for [object_name].

The image file Object has a Download URL that looks like this:

https://firebasestorage.googleapis.com/v0/b/xxxx.appspot.com/o/-LmBkDlSNaSqtFI8AfFX%2Ffoo%2Fbar_-LmDYUM32YieXcpjm7jR.png?alt=media&token=61E4F4A8-99BF-495E-89F0-03BB565D0D8A

So, I tried using everything after /o/ as [object_name] I tried the storage location path. I tried URL encoding the slashes in both of these.

In all cases, I get the following:

<Error>
    <Code>AccessDenied</Code>
    <Message>Access denied.</Message>
    <Details>Anonymous caller does not have storage.objects.get access to buttons-dev.appspot.com/static/us/-LmBkDlSNaSqtFI8AfFH/circles/circle_-LmDYUM32YieTcpjm7jR.png.
</Details>
</Error>

The permissions in Firebase Storage for the bucket are set to:

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

But, the Download URL should work for direct viewing of a particular file. Also, I tried setting allow: read; for permissions, and nothing changed.

How can I access a Firebase Storage object in through it's Download URL and a Google Cloud Platform CDN?

1
firebasegoogle-cloud-storagefirebase-storagefirebase-security
Security rules are bypassed when using download URLs or other direct access URLs. Rules only matter when the access is coming from the Firebase SDK.Doug Stevenson
Yup! I get that. So, is it possible to have the Google Cloud Platform CDN cache content that is accessed through Download URLs?Nimai
I don't believe there is any way to change the behavior of a download URL obtained by the Firebase SDKs, other than to revoke its access.Doug Stevenson
I am not trying to change the behavior. I want to use the GCP CDN to cache it. Any suggestions?Nimai
That's effectively a change in behavior (the behavior being the caching). I don't think you can simply reroute that URL to go through any other CDN or cache system. The URL is what it is - direct access to the underlying object in Storage.Doug Stevenson

1 Answers

1
votes

The process is -

  1. Setup a load balancer and enable CDN for it

  2. Allow public access to the images you want to access via CDN or to the entire bucket. Instructions for it are in this link - https://cloud.google.com/storage/docs/access-control/making-data-public

  3. If you have a file in Firebase storage named foo/bar/image.png

    then access it simply with http://[LOAD_BALANCER_IP_ADDRESS]/foo/bar/image.png

In your example, this will work

http://[LOAD_BALANCER_IP_ADDRESS]/-LmBkDlSNaSqtFI8AfFX%2Ffoo%2Fbar_-LmDYUM32YieXcpjm7jR.png

The base URL depends on what you have setup in Host and path rules. If you have only one backend setup then the above will work as-is.

Complete guide - https://cloud.google.com/load-balancing/docs/https/adding-backend-buckets-to-load-balancers