I have a Firebase Realtime Database that I connect to from my Java application using the Admin SDK. In my project I have multiple databases, but for administrative reasons, I want to create separate service accounts for each one. In other words, I want the service account to have full database access, but only to one particular database.
I was hoping this could be done through Google Cloud IAM but I am having trouble finding how. I tried adding giving the service account "Firebase Realtime Database Admin" permission but with a condition of Name = //mydbname.firebaseio.com but that doesn't work. That is, my Java backend is not able to connect to the database with that condition in place.
Am I on the right track, just using the wrong name? Is there a better way to do this? Thanks.
firebaser here
There currently is no way to do control access per database instance through IAM. It sounds like a reasonable feature though, so I recommend filing a feature request for it.
The best I can think of for now is to authenticate with limited privileges when you initialize the Admin SDK and then check that identity in the security rules of each instance, but that means that the code could also choose to not pass a UID, which may be exactly what you're trying to avoid.