Firebase Realtime Database write only permission
I need a service account for a python script to authenticate to my firebase project. This service account should only have the right to write to a specific branch but not read, update or even delete anything else. The predefined roles (editor, owner) have too many permissions so I read the google IAM documentation and created a custom profile. If I get it right,
firebasedatabase.instances.update
is needed to have write access to the database.
In the security rules I can specify it's rights to read and write in specific branches but with the above permission comes also the access to my security rules:
Is this really the only way to only grant write access to my realtime database or is here another way? Allowing to modify security rules in combination with read and write access doesn't make much sense to me.
By default, access with a service account bypasses the Firebase security rules. So it either has access to the entire database, or to none of the database.
You can initialize the Admin SDK to authenticate with limited privileges, which basically means that you specify the exact user profile in your code, and then can check for that in the security rules. Check the link for both the Python code and security rules.