I am setting up a Firebase project with some security rules, e.g. from my firestore.rules:

match /user_private/{uid} {
  allow read: if request.auth != null && request.auth.uid == uid;
...

I have a Python script that uses the admin SDK which, as far as I can tell, should bypass these rules. I've synced my security rules on prod and Python can read it fine with this script:

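  import firebase_admin
  from firebase_admin import credentials, firestore

  # PROJECT_ID is the Firebase project ID, defined elsewhere in the script.
  cred = credentials.ApplicationDefault()
  firebase_app = firebase_admin.initialize_app(cred, {
    'projectId': PROJECT_ID,
  })
  db = firestore.client(firebase_app)
  print(
    db.collection('user_private')
    .document('abc123')
    .get()
    .to_dict())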

This prints the matching doc correctly.

However, I'd like to be able to use the Firebase emulator for testing. I changed my code to hook up the emulator for Python as described here:

  # ...same as above
  db = firestore.client(firebase_app)

  channel = grpc.insecure_channel('localhost:8080')
  transport = firestore_grpc_transport.FirestoreGrpcTransport(channel=channel)
  db._firestore_api_internal = firestore_client.FirestoreClient(
      transport=transport)

  print(...)

Now when I run the script, it tries to query the emulator and I get:

Traceback (most recent call last):
  File "/.venv/lib/python3.9/site-packages/google/api_core/grpc_helpers.py", line 140, in error_remapped_callable
    return _StreamingResponseIterator(
  File "/.venv/lib/python3.9/site-packages/google/api_core/grpc_helpers.py", line 66, in __init__
    self._stored_first_result = next(self._wrapped)
  File "/.venv/lib/python3.9/site-packages/grpc/_channel.py", line 426, in __next__
    return self._next()
  File "/.venv/lib/python3.9/site-packages/grpc/_channel.py", line 826, in _next
    raise self
grpc._channel._MultiThreadedRendezvous: <_MultiThreadedRendezvous of RPC that terminated with:
    status = StatusCode.PERMISSION_DENIED
    details = "
false for 'get' @ L55"
    debug_error_string = "{"created":"@1661203811.607181000","description":"Error received from peer ipv4:127.0.0.1:8080","file":"src/core/lib/surface/call.cc","file_line":967,"grpc_message":"\nfalse for 'get' @ L55","grpc_status":7}"

(I think permission denied is because the service account isn't "authenticated" in a way the rules expect?)

Is there a way to get the Python SDK to play nicely with the emulator + security rules? Or do I just need to turn off security for local development?

kris

1 Answer

Well, I feel dumb. I tried setting the FIRESTORE_EMULATOR_HOST and GCLOUD_PROJECT environment variables as described in the linked question, and it works great.

kris
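The environment-variable approach from the answer, as an added example that is not part of the original post: it sets both variables before the Admin SDK is imported and refuses any emulator host that is not loopback, so a test run cannot be pointed at a real backend by mistake. The helper names and the `demo-test` project ID are assumptions made for illustration.

```python
import ipaddress
import os


def emulator_env(host="localhost:8080", project="demo-test"):
    """Build the two variables from the answer; reject non-loopback hosts.

    "demo-test" is a placeholder project ID, not a value from the post.
    """
    name, _, port = host.rpartition(":")
    if not name or not port.isdigit():
        raise ValueError(f"expected host:port, got {host!r}")
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]  # bracketed IPv6 literal such as [::1]
    if name != "localhost":
        try:
            addr = ipaddress.ip_address(name)
        except ValueError:
            raise ValueError(f"{name!r} is not localhost or an IP literal")
        if not addr.is_loopback:
            raise ValueError(f"{name!r} is not a loopback address")
    return {"FIRESTORE_EMULATOR_HOST": host, "GCLOUD_PROJECT": project}


def emulator_client(host="localhost:8080", project="demo-test"):
    """Return a Firestore client created with the emulator variables set."""
    os.environ.update(emulator_env(host, project))
    # Imported only after the environment is set, so the SDK sees the
    # variables when the client is created. No hand-built gRPC channel.
    import firebase_admin
    from firebase_admin import credentials, firestore

    app = firebase_admin.initialize_app(
        credentials.ApplicationDefault(), {"projectId": project}
    )
    return firestore.client(app)


if __name__ == "__main__":
    # Same read as in the question, now served by the local emulator.
    db = emulator_client()
    print(db.collection("user_private").document("abc123").get().to_dict())
```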