Search code examples
firebasegoogle-cloud-platformgoogle-cloud-storagefirebase-storageservice-accounts

unable to access bucket object from some regions

I've noticed that around 23 August 9PM GMT+03:00 get object requests to a bucket originating from Asia or South America started failing with the error message below.

{
  "error": {
    "code": 403,
    "message": "Permission denied."
  }
}

I made public read/write allowing firebase storage security rules to a specific object path for testing purposes so that cannot be the culprit. I'm currently in EU region and everything works fine but if I enable a VPN and do Asia region I won't be allowed access, even if I attempt to access through an EU VPN location everything will work fine.

I use firebase client SDK version 9.6.11, and also interestingly I don't receive the permission error for uploadCalls. It is specific to getMetadata or getDownloadUrl [1] calls.

[1] https://firebase.google.com/docs/storage/web/download-files#download_data_via_url

Below is the code that'll fail with permission denied error if request comes through the regions I've mentioned, after a lot of digging I figured that this only fails if the object in question has custom metadata set.

// firebase client sdk
const storageRef = storage.ref(queryPath);
const url = await storageRef.getDownloadURL()

// this block is executed through firebase admin sdk
const metadataObject = {
  metadata: {
    fileTimestamp: Date.now(),
    // and few other fiels
  }
}
bucket.file(`queryPath`).setMetadata(metadataObject)

Again to reiterate, an object having a custom metadata set won't cause any issues if frontend storage SDK get request is from a user in Europe or North America. If I setMetadata as null, all requests will be allowed once again which was incredibly odd behavior to me.

Solution

  • Apparently this was caused by an issue on GCP's end. This was what google cloud dev support followed up with. I've been still experiencing this issue intermittently but way less frequently.

    I have contacted the Firebase Engineering team regarding the issue and have an update from the product team informing that they completed a rollback in Firebase Storage, could you please confirm if the issues with 403's still persist?