Firebase storage rules: Support for multi-database lookup
This is a documented limitation and as such not an idea, but putting it out here to see if it gets vote traction. See the warning at the bottom of the page here:
https://firebase.google.com/docs/storage/security/rules-conditions
As of Feb. 25, 2025 it says:
"Warning: Storage Rules can only access documents from the default Cloud Firestore database when multiple databases are active."
We have a project where we're doing tenant partitioning in both Firestore and Firebase Storage. The primary reason for creating separate buckets and databases is to be able to have storage in different customer-preferred regions, and to achieve other isolations which are beneficial (backup/restore recovery scenarios etc.).
Most files in Firebase Storage are protected by security rules that look up a document from the Firestore database and check access using a fairly standard ACL scheme.
Unfortunately, this does not work in a multi-db setup, which prevents this type of ACL-based storage security rule.
I've not found any workarounds except an approach where the storage object IDs are long unique IDs that can't be "guessed" or brute-force generated to look up an object in storage, but this is not as clean as being able to explicitly check access rights (and other logic on top of that using the rules language).
The fact that it works in a single/default db makes it feel like a significant takeback that the security design has to be changed when introducing multiple databases to the project.
I think this is a common case for solutions doing tenant separation where there is a need to have objects in storage protected by ACLs.
-
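For readers unfamiliar with the pattern the post refers to, the following is an added illustration (not the poster's rules or Firebase's own sample) of a Storage rule that gates object access on an ACL document read from Firestore. The object path layout `tenants/{tenantId}/{objectId}`, the ACL document location `tenants/{tenantId}/objects/{objectId}`, and its `roles` map (user id to list of role names) are all assumptions made for the example. The `firestore.get()` and `firestore.exists()` functions and the `/databases/(default)/documents/...` path form are the documented Storage Rules API; the point the limitation makes is that the `(default)` segment is the only database segment these rules can read, so a per-tenant database cannot be substituted there.

```rules
rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {
    // Assumed object layout: tenants/{tenantId}/{objectId}
    match /tenants/{tenantId}/{objectId} {

      // Path of the assumed ACL document for this object in Firestore.
      // Only the (default) database is reachable from Storage Rules; this
      // segment cannot be pointed at a tenant-specific database, which is
      // exactly the limitation discussed above.
      function aclPath() {
        return /databases/(default)/documents/tenants/$(tenantId)/objects/$(objectId);
      }

      // True when the caller is signed in, an ACL document exists for the
      // object, and the document lists the caller with the given role.
      // Assumed document shape: { roles: { "<uid>": ["reader", "writer"] } }
      function hasRole(role) {
        return request.auth != null
          && firestore.exists(aclPath())
          && request.auth.uid in firestore.get(aclPath()).data.roles
          && role in firestore.get(aclPath()).data.roles[request.auth.uid];
      }

      // Deny-by-default: no other match block grants access to these paths.
      allow read:  if hasRole('reader') || hasRole('writer');
      allow write: if hasRole('writer');
    }
  }
}
```

When a tenant's ACL documents live in a non-default Firestore database, `firestore.exists()` against the `(default)` path returns false for every object, so the rule above fails closed (all access denied) rather than silently granting access; the practical consequence is that the ACL documents must be kept (or mirrored) in the default database for this style of rule to work at all.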
maia Veliz commented
Ui