如何使用服务帐户获取Firestore规则 [英] How to get Firestore rules working with service accounts

问题描述

如Firestore文档中所述此处，我有一个安全规则像这样:

As written in Firestore documentation here I have a security rule like this:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, update, delete: if request.auth.uid == userId;
      allow create: if request.auth.uid != null;
    }
  }
}

此规则在通过客户端库进行身份验证时有效，但在我使用Firebase文档中编写的服务器库时无效

this rule works when I get authenticated with client library but not when I use server library as written in firebase documentation

注意:服务器客户端库会绕过所有Cloud Firestore安全规则，而是通过Google Application Default Credentials进行身份验证.如果您使用服务器客户端库或REST或RPC API，请确保为Cloud Firestore设置Cloud Identity和访问管理.

Note: The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials. If you are using the server client libraries or the REST or RPC APIs, make sure to set up Cloud Identity and Access Management for Cloud Firestore.

如何将此安全规则复制到服务帐户角色?

How to replicate this security rule to service accounts roles?

推荐答案

使用Firebase Admin SDK和服务帐户访问Firestore的代码当前无法用于执行安全规则，而不能限制在特定的用户ID范围内.使用Admin SDK进行的所有访问都将绕过安全规则并完全控制数据库.

Code that uses the Firebase Admin SDK with a service account to access Firestore currently can not be scoped to a particular user ID for the purpose of enforcing security rules. All access with the Admin SDK will bypass security rules and have full control of the database.

请注意，这与具有这种功能的实时数据库不同.

Note that this is different than Realtime Database, which does have such a feature.

这篇关于如何使用服务帐户获取Firestore规则的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！