I have a firebase project and want to secure my firebase storage and only want to grant access to my firebase project users defined in https://console.firebase.google.com/u/0/project/<my-project>/settings/iam. I couldn't find a rule for that specific scenario.
With allow read, write: if request.auth != null; the google signup for my webapp was available for all google users and I didn't have a restriction on firebase project users.
Firebase security rules does not work with GCP IAM identities at all. It only offers ways to control access based on Firebase Authentication user identity, and only when the user is using an app that's built with the web or mobile SDKs. request.auth only ever contains information about Firebase Auth users.