0

I'm trying to add a Cloud CDN to my firebase storage bucket and I'm running into issues with the images being served by my bucket having a cache-control.

I have the following very broad firebase rule:

```
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read: if true;
    }
  }
}
```

Which I expect would allow all objects in my firebase bucket to be visible. My bucket is located at gs://lookieloo-app.appspot.com. I have a file which exists at /user-videos/test1.png.

I've set up a Cloud CDN to point to this bucket with the following details:

Note that the CDN is set up to cache static content.

My load balancer seems to be functioning well:

and my load balancer has the following IP addresses:

I expect that visiting http://35.190.28.68/user-videos/test1.png would result in the image being correctly loaded but instead I see that access is denied:

However, I find that if I manually edit the file permissions in Google Cloud Storage to have public access

then the image loads from the load balancer as expected (note the URL is the same as an earlier screenshot):

Interestingly, if I load the file from the firebase URL at https://firebasestorage.googleapis.com/v0/b/lookieloo-app.appspot.com/o/user-videos%2Ftest1.png and inspect the network response I see that the cache-control header has a value of private

How can I use Firebase Storage rules to make content in a specified folder publicly accessible such that it can be served by Cloud CDN?

Paymahn Moghadasian
  • Load balancing and Cloud CDN seem to be set up properly. Do you want GCP CDN to cache content that is accessed through Firebase URL/Download URLs? I do not believe that is possible because that is not the behavior of caching. Please check this document about [Cacheable content](https://cloud.google.com/cdn/docs/caching#cacheability). – salvinojr Aug 15 '22 at 05:31
  • No, I'd like Cloud CDN to cache content accessed through the loadbalancer IP address like in http://35.190.28.68/user-videos/test1.png but that doesn't seem possible without marking the object as publicly accessible. – Paymahn Moghadasian Aug 15 '22 at 17:45
  • Enabling [Cloud CDN](https://cloud.google.com/cdn/docs/overview) is used to serve content closer to users to accelerate your website and application but it won’t bypass the permission in Google Cloud Storage. You need to [Make all objects in a bucket publicly readable](https://cloud.google.com/storage/docs/access-control/making-data-public#buckets) first. – salvinojr Aug 16 '22 at 05:30
  • Right, so the firebase rules I showed above with broad read permissions aren't enough - the object has to be "public" from the perspective of the storage bucket as well. Is that correct? – Paymahn Moghadasian Aug 16 '22 at 15:39
  • That is correct. – salvinojr Aug 16 '22 at 22:56

3 Answers

1

Explained that Cloud CDN will serve content closer to users, which accelerates the websites and applications, but it won’t bypass the permission in Google Cloud Storage. In order for caching to work, make sure to Make all objects in a bucket publicly readable and it should meet the requirement for Cacheable content.

salvinojr
1

The solution I found is to make two separate buckets - one for storing private objects and one for storing public objects. I then pointed my Cloud CDN load balancer to the bucket for public objects and marked that bucket as publicly accessible.

Unfortunately, there's no way to mark specific objects as publicly accessible using the firebase storage rules system.

But there is a way to use the command line to set the access control list. It is at an object level. I ran

```
gsutil acl ch -r -u AllUsers:R gs://BUCKET-HERE.appspot.com
```

and this updated all the objects but you could run it for only some of the objects.

Community
Paymahn Moghadasian
  • I added this to the solution. But there is a way to use the command line to set the access control list. It is at an object level. I ran `gsutil acl ch -r -u AllUsers:R gs://BUCKET-HERE.appspot.com` and this updated all the objects but you could run it for only some of the objects. – Ralph Yozzo Jul 05 '23 at 00:55
0

It seems the review process takes a while so I'm adding to the answer here:

But there is a way to use the command line to set the access control list. It is at an object level. I ran

```
gsutil acl ch -r -u AllUsers:R gs://BUCKET-HERE.appspot.com
```

(of course, replace the BUCKET-HERE with your bucket name)

and this updated all the objects but you could run it for only some of the objects.

Also the gsutil tool is smart enough to only update privileges when they change.

Ralph Yozzo
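The answers above make objects readable through object ACLs, and the recursive `gsutil acl ch -r` form applies that to every object in the bucket. As an added example (not code from the original posts), this Python sketch audits an object listing against the prefixes that are meant to be public: it reports objects that are public outside those prefixes and objects inside them that `allUsers` still cannot read. It assumes a bucket with fine-grained ACLs and input in the shape the Cloud Storage JSON API returns for `objects.list` with `projection=full`; the sample listing, every object name except `user-videos/test1.png`, and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of an objects.list response (projection=full).
SAMPLE_LISTING = json.loads("""
{"items": [
  {"name": "user-videos/test1.png",
   "acl": [{"entity": "project-owners-123", "role": "OWNER"},
           {"entity": "allUsers", "role": "READER"}]},
  {"name": "user-videos/test2.png",
   "acl": [{"entity": "project-owners-123", "role": "OWNER"}]},
  {"name": "private-docs/invoice.pdf",
   "acl": [{"entity": "project-owners-123", "role": "OWNER"},
           {"entity": "allUsers", "role": "READER"}]},
  {"name": "private-docs/notes.txt",
   "acl": [{"entity": "user-someone@example.com", "role": "READER"}]}
]}
""")

# Entities that expose an object beyond named users, groups and project roles.
BROAD_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def acl_entities(obj):
    """Return the set of ACL entities on one object resource."""
    return {entry.get("entity") for entry in obj.get("acl", [])}


def audit(listing, public_prefixes):
    """Return (exposed, blocked) object names, each sorted.

    exposed: broadly readable objects outside every intended public prefix.
    blocked: objects under an intended prefix that allUsers cannot read,
             so a request through the load balancer is denied.
    """
    prefixes = tuple(public_prefixes)
    exposed, blocked = [], []
    for obj in listing.get("items", []):
        entities = acl_entities(obj)
        intended = obj["name"].startswith(prefixes)
        if not intended and entities & BROAD_ENTITIES:
            exposed.append(obj["name"])
        elif intended and "allUsers" not in entities:
            blocked.append(obj["name"])
    return sorted(exposed), sorted(blocked)


if __name__ == "__main__":
    exposed, blocked = audit(SAMPLE_LISTING, ["user-videos/"])
    print("public outside intended prefixes:", exposed)
    print("intended public but not readable by allUsers:", blocked)
```
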