Propagate Original Client IP through Firebase Console Proxy for VPC-SC Enforcement
We are encountering a block when placing our project under VPC Service Controls enforcement. When a user attempts to access the Storage tab in the Firebase Console, it fails with an "Unknown Error" (Audit logs show NO_MATCHING_ACCESS_LEVEL with an empty clientIp).

The Firebase Console currently acts as an internal proxy, routing traffic through Google's internal infrastructure. Because it traverses these internal paths, the end-user's local corporate egress IP is entirely stripped before the API payload reaches the protected Storage endpoint (storage.googleapis.com).

We have strict compliance requirements to restrict access solely to trusted corporate network IPs, meaning the standard VPC-SC workaround of allowing all sources (accessLevel: "*") is not an option for us.

We request that the Firebase Console backend be configured to extract and propagate the end-user's context. Specifically, the One Platform service configuration should be updated to request google.rpc.context.OriginContext in the context.rules section of the service YAML. This will allow the original client IP to pass through the GFE/proxy so that VPC-SC can accurately evaluate the IP against our perimeter policies.
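
To separate the denials described above (no client IP reached the perimeter check) from ordinary denials of untrusted addresses, exported audit entries can be triaged as in the following added example, which is not part of the original request. The field paths `requestMetadata.callerIp` and `metadata.violationReason`, the trusted CIDR, and all sample entries are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed trusted corporate egress ranges (constructed; documentation prefix).
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

def _entry(reason, caller_ip):
    """Build a constructed entry shaped like a VPC-SC denial audit log."""
    return {"protoPayload": {
        "serviceName": "storage.googleapis.com",
        "requestMetadata": {"callerIp": caller_ip},  # assumed field path
        "metadata": {"violationReason": reason},     # assumed field path
    }}

# Constructed sample data, not real log output.
SAMPLE_ENTRIES = [
    _entry("NO_MATCHING_ACCESS_LEVEL", ""),              # proxied, IP stripped
    _entry("NO_MATCHING_ACCESS_LEVEL", "198.51.100.7"),  # outside trusted range
    _entry("NO_MATCHING_ACCESS_LEVEL", "203.0.113.10"),  # trusted range, still denied
    _entry("NO_MATCHING_ACCESS_LEVEL", "private"),       # non-IP placeholder value
    _entry("RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER", "203.0.113.10"),
]

def classify(entry):
    """Explain why an IP-based access level could not match this denial."""
    payload = entry.get("protoPayload", {})
    if payload.get("metadata", {}).get("violationReason") != "NO_MATCHING_ACCESS_LEVEL":
        return "other_violation"
    ip = (payload.get("requestMetadata", {}).get("callerIp") or "").strip()
    if not ip:
        return "no_client_ip"       # nothing to compare: the case in this report
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "non_ip_value"
    if any(addr in net for net in TRUSTED_CIDRS):
        return "trusted_ip_denied"  # IP is fine; check the access level or policy
    return "untrusted_ip"           # expected denial for an outside address

def summarize(entries):
    """Count denials per classification."""
    return Counter(classify(e) for e in entries)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_ENTRIES).items():
        print(f"{label}: {count}")
```

A high share of `no_client_ip` results for console traffic points at the proxy path rather than at the IP allowlist itself.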