是否可以使用云 firestore 规则将 firebase firestore 访问权限限制为仅服务帐户和 API 密钥?
[英]Is it possible to restrict firebase firestore access to only service accounts and API keys using cloud firestore rules?
问题描述
I am using firebase's cloud firestore database and I would like to restrict access to this database to two mobile apps that authenticate via API keys and one service account.
我正在使用 firebase 的云 firestore 数据库,我想将对该数据库的访问限制为两个通过 API 密钥和一个服务帐户进行身份验证的移动应用程序。
I have reviewed the firebase documentation on implementing custom rules but I do not see any API key or service account examples so I am unsure how to utilize rules for this use case.我查看了有关实施自定义规则的 firebase 文档,但我没有看到任何 API 密钥或服务帐户示例,因此我不确定如何针对此用例使用规则。
From this stackoverflow question and answer it looks like service accounts using the firebase admin API bypass any firestore security rules, is that correct?从这个stackoverflow 问答看来,使用 firebase admin API 的服务帐户似乎绕过了任何 firestore 安全规则,对吗? If so is it reasonable to turn off write access entirely to any firestore collections that I only expect this service account to update?如果是这样,完全关闭对我只希望此服务帐户更新的任何 firestore collections 的写访问是否合理?
So far I have tried something like this to allow access from the service account but it was not working as expected.到目前为止,我已经尝试过类似的方法来允许从服务帐户进行访问,但它没有按预期工作。 I am not sure if cloud firestore rules support restricting access to only certain API keys.我不确定云 Firestore 规则是否支持限制对某些 API 密钥的访问。
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /sales_reps/{document=**} {
allow read: if true;
allow write: if request.auth.token.email == '<first-service-account-email>';
}
match /gps_tracking/{document=**} {
allow read: if true;
allow write: if request.auth.token.email == '<second-service-account-email>';
}
match /{document=\*\*} {
allow read: if true;
allow write: if false;
}
}
}
1 个解决方案
解决方案1
1 已采纳 2022-11-23 13:04:15
From this stackoverflow question and answer it looks like service accounts using the firebase admin API bypass any firestore security rules, is that correct?
Yes this is correct是的,这是正确的
If so is it reasonable to turn off write access entirely to any firestore collections that I only expect this service account to update?
Yes, since no user using a Client SDK (or the REST API) is going to update your collection(s) it is the correct aproach.是的,因为使用客户端 SDK(或 REST API)的用户不会更新您的收藏,这是正确的方法。
So concretely no need to use rules like所以具体来说不需要使用像这样的规则
allow write: if request.auth.token.email == '<first-service-account-email>';
just do做就是了
allow write: if false;
for all the collections for which you only want the service account to have the write access right.对于您只希望服务帐户具有写访问权限的所有 collections。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.