Custom domain name with SSL on Firebase Storage

Question

I was able to get a custom domain name mapped to my Firebase Storage bucket by simply naming the bucket the same name as my domain name and then pointing the CNAME record to c.storage.googleapis.com. However, https doesn't work because the common name on the certificate is different. Is it possible for me to upload a certificate or, even better, have GCP or Firebase manage a certificate?

Answer 1

I'm coming a bit late to the party and this question might have been answered elsewhere. However, since this was the first result I found when googling for this feature, here goes nothing:

For starters, let's say you have a CNAME like assets.somedomain.com pointing to c.storage.googleapis.com, and you create a bucket called assets.somedomain.com.

Then you upload a file, whose public url will look like:

https://firebasestorage.googleapis.com/v0/b/assets.somedomain.com/o/arduino.png?alt=media&token=asdf

Which can be seen as:

firebasestorage.googleapis.com/v0/b/  
+
assets.somedomain.com
+
/o/
+
arduino.png?alt=media&token=asdf

You should be able to view said file using:

https://assets.somedomain.com/arduino.png?alt=media&token=asdf

Which is

assets.somedomain.com/
+
arduino.png?alt=media&token=asdf

(basically, you strip the original base URL and the /o/ prefix)

But of course you get a big fat warning telling you the certificate is invalid, because it's meant for *.storage.googleapis.com.

In my case, I was able to circumvent this using cloudflare's universal SSL, which acts like a proxy that asks no questions whatsoever.

You try again, but somewhere in the middle the request becomes anonymous and you get an XML stating that you lack the storage.objects.get permission.

<Error>
    <Code>AccessDenied</Code>
    <Message>Access denied.</Message>
    <Details>
        Anonymous users does not have storage.objects.get access to object.
    </Details>
</Error>

This means that even with the token included in the query string the proxyed request has no permission. Next step, then, is to make the bucket publicly readable in Google Cloud Console -> Storage.

(This can be done using gcloud cli, but I found this method easier to explain)

Pay attention to use the legacy object reader permission, which stops visitors from actually listing the bucket contents.

After that, you should be able to access the image using:

https://assets.somedomain.com/arduino.png

Note that you don't even need to include "alt=media" because cloudflare will serve the file instead of its metadata.