I've updated my Google App Engine application to write some settings in a newly created firestore instance within the same project.
I get emails from firestore/firebase saying that my firestore is insecure and open to anybody to read/write.
When I look the documentation, all sample points to a Firebase utilisation, while I'm writing to firestore with the Google App Engine service Account via "google/cloud" PHP library.
Do you have any sample ?
I just need to allow the service account to read write a single collection.
It sounds like you're using an Admin SDK or otherwise server-side API to access Cloud Firestore. In that case your code accesses Firestore with administrative credentials, and bypasses the security rules.
If this is the only way you access Cloud Firestore, you can simply set the security rules to disallow all access from client-side SDKs with. According to the Firebase documentation on locking down the database those rules are:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}
Related
I am following this tutorial to use Google Cloud Storage from my AppEngine application. Older storage libraries are working fine, but after migrating to Google Cloud Java Libraries, I can't read my buckets anymore.
This is the tutorial I am following: https://github.com/googleapis/java-storage
In which the key part is the usage of Application Default Credentials: https://github.com/googleapis/java-storage#creating-an-authorized-service-object
To make authenticated requests to Google Cloud Storage, you must create a service object with credentials. You can then make API calls by calling methods on the Storage service object. The simplest way to authenticate is to use Application Default Credentials. These credentials are automatically inferred from your environment, so you only need the following code to create your service object:
Storage storage = StorageOptions.getDefaultInstance().getService();
I hope to be able to do this because this is running inside AppEngine, so Storage lives in the same project as the AppEngine code.
I am using the default service account. This service account has "owner" role in IAM configuration, and "storage object administrator" in the bucket itself.
However, I keep getting this login error:
com.google.cloud.storage.StorageException: Anonymous caller does not have storage.buckets.get access to the Google Cloud Storage bucket.
at com.google.cloud.storage.StorageException.translate(StorageException.java:118)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:287)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.get(HttpStorageRpc.java:479)
at com.google.cloud.storage.StorageImpl.lambda$get$4(StorageImpl.java:270)
at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
at com.google.cloud.storage.Retrying.run(Retrying.java:54)
at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1406)
at com.google.cloud.storage.StorageImpl.get(StorageImpl.java:269)
Probably I am missing some configuration or IAM access. Thank you in advance.
Using App Engine (Java) to add custom claims to a user's Firebase token as shown here. I'm using the Application Default Credentials as my project owner account. Running gcloud auth list shows that the correct account is active.
I've configured my Firebase settings in the app as follows:
// Error handling and try/catches omitted
FirebaseOptions options = new FirebaseOptions.Builder()
.setCredentials(GoogleCredentials.getApplicationDefault())
.setProjectId("<my-app>")
.setDatabaseUrl("https://<my-app>.firebaseio.com/")
.build();
FirebaseApp.initializeApp(options);
Once this is set, I use the following code adapted from the example here.
Map<String, Object> claims = new HashMap<>();
claims.put("role", "admin");
fbInstance.setCustomUserClaims(usersFirebaseAccessToken, claims);
This throws the following error:
Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the identitytoolkit.googleapis.com. We recommend that most server applications use service accounts instead. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.
After seeing this, I reverted to the standard service account approach where instead of GoogleCredentials.getApplicationDefault(), I used ServiceAccountCredentials.fromStream(serviceAccountStream) where serviceAccountStream = new FileInputStream("path-to-service-account-file"). This complained about insufficient privileges despite having the Firebase Admin group in GCP IAM settings. The real issue, though, is that the Identity Toolkit docs here mention that the Identity Toolkit is being replaced by Firebase Authentication, which seemed to be the approach I was originally trying.
I'm interested to know what the error message above means by "end user". This seems to suggest that the GCP SDK is trying to authenticate as the user represented by the Firebase token but I'm almost certain this isn't what it means.
Is there something I'm missing in my Firebase config that's causing the system to think I'm the wrong user?
I would like to have an app deployed in App Engine to display information which are stored in BigQuery or Cloud Storage, but only if the user is authenticated in the webapp AND its permissions as set in IAM allow it.
So far, I can authenticate a user in App Engine through "Google Sign-In" as seen in https://cloud.google.com/appengine/docs/standard/python/oauth/, but those credentials don't seem to relate to those that are set in Cloud IAM.
I've seen how to set credentials for App Engine as a whole though a service account, but that seems to wide.
What I really want is to authenticate users on the web app, and then let IAM decide if those users are allowed to access data or not.
How would you proceed to do that?
Thanks for any help
The authenticating as an end user GCP documentation explains how to limit access to the project's resources using Cloud IAM. It also has a short example about authenticating an end user to call the BigQuery API.
I followed the following documentation by Google to create ML engine and I deployed my online predicator there:
https://cloud.google.com/ml-engine/docs/scikit/quickstart
I know that it's possible to access to the engine by RESTful api as described in below:
https://cloud.google.com/ml-engine/docs/v1/predict-request#request-body
But I want all clients can access the API related to my model without OAuth or any type of authentication. How can I do this?
You can do this by granting modelUser role for that model to allUsers as follows:
gcloud ml-engine models add-iam-policy-binding mymodelname --member allUsers --role roles/ml.modelUser
You have to code your server to do that. You can have your server perform the API calls. Your clients simply access a frontend you designed to provide their parameters and your server makes the actual call. All the quota/charges would be with your API key, but the requests will be done with your Client's parameters.
I want to implement some form of access control for a REST API implemented in App engine. Is it possible to get the list of GAE Applications that a user has permissions to administer or view in the app engine console. Or whether the user has permissions to administer/view the current application.
Note: the Users API does not work for me because this is a rest server called by another google app not a web service called by a user from the browser. OAuth API seems promising but I was unable to find an OAuth scope or rest endpoint for getting GAE related information.
there is no API that can provide a "list of GAE Applications that a user has permissions to administer." Google Cloud Endpoints on App Engine (Trusted Tester program) may be useful for hosting custom RESTful APIs with user authorization may be useful, read more here: http://endpoints-trusted-tester.appspot.com/
There must be an API as the Google Eclipse plugin is using it.
https://developers.google.com/eclipse/docs/signin?hl=de
But it is not documented.