Do firebase storage rules override cloud storage permissions?

Question

I have the following rules in my bucket:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read;
    }
  }
}

This says to me that public can read - but they can't. Checking on the google cloud storage UI, there is no 'public url'.

So a couple of questions:

• Does firebase give a different URL for accessing the file which will issue permissions based on the above rule configuration?
• There is a firebase-adminsdk service account in GCS bucket permissions - is that what firebase uses to access the bucket?
• Which credentials overwrite each other?

Answer 1

Cloud Storage access permissions and Firebase's Storage rules are unrelated.

Firebase's Storage rules apply to users who access the data in the bucket through a Firebase SDK. In addition Firebase can generate a so-called download URL, which gives everyone who has that URL read-only access to that file.

Cloud Storage access permissions apply to users accessing the data in the bucket through a Cloud API. The Cloud Storage SDKs and APIs can also generate so-called signed URLs, which serve a similar role to the download URLs mentioned above.

Answer 2

Firebase security rules only affect direct access from web and mobile client apps when using the Firebase SDK, especially when the user is authenticated with Firebase Auth (as the user's account token is made available during the evaluation of rules).

Rule do not affect the way service accounts work, or other forms of public access that depend on Cloud Storage ACLs. Those are determined by their own permission systems. Those other systems don't also don't affect Firebase client access at all.