Validate Firebase with rules when data is written by firebase-admin

Question

From what I understand, the default account used with admin.initializeApp() has Editor privilege, which seems to disregard all validation and permission rules

Am I missing something? It seems non-sensical to have the default service account (i.e. server processes writing to Firebase) bypass rules altogether when writing to Firebase. Especially since this the documented way in the samples & in the docs, and that the rules simulator gives zero indication that these rules will not be enforced on certain accounts

My context is a Cloud Function that push something back to Firebase, and I want to be able to validate it with .validate

Answer 1

As you've already discovered the Firebase Admin SDK runs with administrative privileges, which bypasses all security rules. From the documentation on getting started with the Firebase Admin SDK:

The Admin SDK lets you interact with Firebase from privileged environments to perform actions like:

• Read and write Realtime Database data with full admin privileges.

The logic here is that your code that uses the Admin SDK runs in a trusted environment, where you can trust that the code is what you wrote and thus works according to your specification.

It isn't currently possible to use the Admin SDK while also enforcing security rules. I suggest you file a feature request.

Note that what you want is possible with the realtime database, as shown in Authenticate with limited privileges.

For Firestore you can control some of the access within the Cloud Identity and Access Management console. See the documentation on securing your data.