The task is to perform CRUD operations in Firestore after I make an API call to a Cloud Function, which should then trigger a Firestore function to get a set of items in the Cards collection.
Here are some rules:

  • There should be no user authentication needed
  • It shouldn't need to have a service account with granted permissions

The purpose behind the "rules" is to legitimize operations happening in Cloud Functions as if it were an authorized admin itself (because they are deployed to the Firebase safe environment anyway, right?). Since the plan is to host the project as a Cloud Function, we should be required to have the firebase-admin SDK.

So far, I tried to implement the same with firebase-functions, but it only worked if the rule was not restricted publicly, being as:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /Cards/{card}{
      allow write,read: if false;
    }
  }
}

Since this works, but the rule is "insecure", I'd like to do these operations only as an "admin" would through Cloud Functions. Here is some code that returns an empty array of documents, even though I have data in it viewable from the web GUI.

import { getFirestore } from "firebase-admin/firestore";
import * as admin from "firebase-admin";

const GetCard = (cardID: string) => {
  // Service-account key file, bound to a name so cert() below can use it
  const serviceAccount = require("../../path-to-the-file.json");

  admin.initializeApp({
    credential: admin.credential.cert(serviceAccount),
  });

  getFirestore()
    .collection("Cards")
    .get()
    .then((cardsSnapshot) => {
      cardsSnapshot.forEach((card) => {
        console.log("card from collection: ", JSON.stringify(card.data()));
      });
    });
};

EDIT: the reason why I decided to use adminSDK even though Cloud Functions don't need it was the error I was getting:

Error adding document:  [FirebaseError: Missing or insufficient permissions.] {
>    code: 'permission-denied',
>    customData: undefined,
>    toString: [Function (anonymous)]
>  }

After running this code:

import { initializeApp } from "firebase/app";
import { collection, getDocs, getFirestore } from "firebase/firestore";

const GetCard = (cardID: string): Promise<Card> => {
  const firebaseConfig = {...CONFIGS...};
  const app = initializeApp(firebaseConfig);
  const db = getFirestore(app);

  getDocs(collection(db, "Cards"))
    .then((querySnapshot) => {
      querySnapshot.forEach((doc) => {
        console.log(`${doc.id} => ${doc.data()}`);
      });
    })
    .catch((e) => {
      console.error("Error adding document: ", e);
    });
};

  • I'm not really clear what the problem is here. When you use the admin SDK, it will always bypass all security rules, unconditionally. Rules only apply to the web and mobile apps using the client SDKs. A service account is always required to init the admin SDK. You can use the project default service account available in Cloud Functions when you init with no parameters. Commented Apr 26, 2022 at 12:42

1 Answer

... without admin SDK using Firebase Functions

Actually Cloud Functions do use the Admin SDK. As such they totally bypass the Firestore security rules: they have full access rights (write & read) to all the collections of your database.

So if I understand correctly, by using Cloud Functions you will fulfill your needs.


Just to be complete, there is a service account for the Cloud Function but it is automatically set-up by the platform, so it is transparent for you.

1 Comment

Missing or insufficient permissions was the error when I tried it purely with firebase/firestore, that's why I thought it needed some admin credentials to solve the permission issue.
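
The server-side read that the answer and the first comment describe, as an added example that is not part of the original thread: the Admin SDK is initialised with no parameters (default service account, no key file), so the locked rules from the question can stay in place. The names `listCards`, `fakeDb`, `CardsDb` and `getCards` are hypothetical, and the real SDK wiring is shown as comments so the logic runs without credentials.

```typescript
// Minimal structural types for the part of the Admin SDK Firestore API used
// here (collection().get() -> snapshot.docs), so the logic runs offline.
interface CardDoc { id: string; data(): Record<string, unknown>; }
interface CardsDb {
  collection(name: string): { get(): Promise<{ docs: CardDoc[] }> };
}

// Reads every document in "Cards" and returns the rows. The query promise is
// awaited, so a caller only gets control back once the read has completed.
async function listCards(db: CardsDb): Promise<Array<Record<string, unknown>>> {
  const snapshot = await db.collection("Cards").get();
  return snapshot.docs.map((doc) => ({ id: doc.id, ...doc.data() }));
}

// Wiring inside a deployed Cloud Function (kept as comments because it needs
// the firebase-admin and firebase-functions packages):
//
//   import { initializeApp } from "firebase-admin/app";
//   import { getFirestore } from "firebase-admin/firestore";
//   import * as functions from "firebase-functions";
//
//   initializeApp(); // once, at module load; no parameters, no key file
//   export const getCards = functions.https.onRequest(async (_req, res) => {
//     res.json(await listCards(getFirestore()));
//   });

// Constructed in-memory stand-in for Firestore, used only to exercise
// listCards without network access.
function fakeDb(cards: Record<string, Record<string, unknown>>): CardsDb {
  return {
    collection: (name: string) => ({
      get: async () => ({
        docs: name === "Cards"
          ? Object.entries(cards).map(([id, value]) => ({ id, data: () => value }))
          : [],
      }),
    }),
  };
}
```

With this layout the client never talks to Firestore directly, so `allow write,read: if false;` keeps blocking the client SDKs while the function reads through the Admin SDK.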
