firebase, google-iam

Restricting Default Firebase API Key Restrictions


I've recently added Firebase authentication to my react native app. In the setup process, I set up the API keys for android/iOS to connect to Firebase and included those in the app bundle.

By default, Firebase allows access to 25 APIs, but some of these seem overly permissive.

Here's the list it grants access to:

  • Firebase Realtime Database Management API
  • Firebase Hosting API
  • Firebase Rules API
  • Cloud SQL Admin API
  • Cloud Datastore API
  • FCM Registration API
  • Firebase Management API
  • Firebase App Check API
  • Firebase App Distribution API
  • Firebase App Hosting API
  • Firebase App Testers API
  • Firebase Data Connect API
  • Firebase Dynamic Links API
  • Firebase In-App Messaging API
  • Firebase Installations API
  • Firebase ML API
  • Firebase Remote Config API
  • Firebase Remote Config Realtime API
  • Cloud Storage for Firebase API
  • Cloud Firestore API
  • Identity Toolkit API
  • Cloud Logging API
  • ML Kit API
  • Mobile Crash Reporting API
  • Token Service API

In particular, the access to the Cloud SQL Admin API seems dangerous. I'd like to restrict the available APIs that seem unnecessary, but another SO post indicates that it may cause unexpected errors.

Anyone with more experience have any recommendations? Should I just not worry about it?


Solution

The Firebase FAQ contains this relevant question:

    Which APIs are required in the "API restrictions" allowlist for a Firebase API key?

I recommend clicking the link, but from there it seems that these are the API/service names required for Authentication:

  • firebase.googleapis.com
  • logging.googleapis.com
  • identitytoolkit.googleapis.com
  • securetoken.googleapis.com

So I'd recommend starting with just these and testing if your app still works.
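As an added example (not code from the question or the answer), here is a POSIX shell script that applies the four-service allowlist above to an API key with gcloud and then re-reads the key to confirm nothing outside the allowlist remains. The key id and project id are placeholders, and the `;`-separated output of `--format='value(restrictions.apiTargets[].service)'` is an assumption about gcloud's `value()` formatter.

```shell
#!/bin/sh
# Added example; KEY_ID and PROJECT_ID are placeholders to be supplied by the caller.
KEY_ID="${KEY_ID:-REPLACE_WITH_API_KEY_ID}"
PROJECT_ID="${PROJECT_ID:-REPLACE_WITH_PROJECT_ID}"

# The four services the answer lists as required for Firebase Authentication.
AUTH_SERVICES="firebase.googleapis.com logging.googleapis.com identitytoolkit.googleapis.com securetoken.googleapis.com"

# One repeatable --api-target flag per allowed service.
api_target_flags() {
  for svc in $AUTH_SERVICES; do
    printf '%s ' "--api-target=service=$svc"
  done
}

# The command that will be run, returned as text so it can be reviewed first.
build_update_cmd() {
  printf 'gcloud services api-keys update %s --project=%s %s\n' \
    "$KEY_ID" "$PROJECT_ID" "$(api_target_flags)"
}

# Given the describe output (services joined by ';', assumed gcloud value() format),
# print every service that is not in the allowlist, one per line.
unexpected_services() {
  echo "$1" | tr ';' '\n' | while read -r svc; do
    [ -n "$svc" ] || continue
    case " $AUTH_SERVICES " in
      *" $svc "*) ;;
      *) echo "$svc" ;;
    esac
  done
}

# Only touch the real key when APPLY=1 is set; otherwise just show the command.
if [ "${APPLY:-0}" = "1" ]; then
  # shellcheck disable=SC2046  (word splitting of the flags is intended)
  gcloud services api-keys update "$KEY_ID" --project="$PROJECT_ID" $(api_target_flags)
  current="$(gcloud services api-keys describe "$KEY_ID" --project="$PROJECT_ID" \
    --format='value(restrictions.apiTargets[].service)')"
  leftover="$(unexpected_services "$current")"
  if [ -n "$leftover" ]; then
    echo "services still allowed outside the allowlist:"; echo "$leftover"; exit 1
  fi
else
  echo "dry run; would execute:"; build_update_cmd
fi
```

After applying, exercise sign-in, sign-up and token refresh in the app; if a call fails, the error names the blocked service, which can then be added back one at a time.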