Firebase Security Rules for Cloud Storage Reference

Firebase Security Rules for Cloud Storage are used to determine who has read and write access to files stored in Cloud Storage, as well as how files are structured and what metadata they contain. Storage Security Rules are composed of rules that consider the request and resource to allow or deny a desired action, such as uploading a file or retrieving file metadata. These reference docs cover the types of rules, the properties of a request and a resource, the data types used by Storage Security Rules, and how errors occur.

Rule

A rule is an expression that is evaluated to determine if a request is allowed to perform a desired action.

Types

Allow

allow rules consist of a method, such as read or write, as well as an optional condition. When a rule is executed, the condition is evaluated, and if the condition evaluates to true, the desired method is allowed; otherwise, the method is denied. An allow rule with no condition always allows the desired method.

// Always allow method
allow <method>;

// Allow method if condition is true
allow <method>: if <condition>;

Currently, allow is the only supported type of rule.

Request Methods

Read

The read method covers all requests where file data or metadata is read, including file downloads and file metadata reads.

// Always allow reads
allow read;

// Allow reads if condition evaluates to true
allow read: if <condition>;

Write

The write method covers all requests where file data or metadata is written, including file uploads, file deletes, and file metadata updates.

// Always allow writes
allow write;

// Allow writes if condition evaluates to true
allow write: if <condition>;

Match

Rules are executed when a user request (such as a file upload or download) matches a file path covered by a rule. A match consists of a path and a body, which must contain at least one allow rule. If no path is matched, the request is rejected.

You can match a fully named path, or you can insert wildcards to match all paths that fit a certain pattern.

Path Segments

single_segment

You can use single path segments to create a rule that matches a file stored in Cloud Storage.

// Allow read at "path" if condition evaluates to true
match /path {
  allow read: if <condition>;
}

Multiple path segments and nested paths are also allowed:

// Allow read at "path/to/object" if condition evaluates to true
match /path {
  match /to {
    match /object {
      allow read: if <condition>;
    }
  }
}

{single_segment_wildcard}

If you want to apply a rule to multiple files at the same path, you can use a wildcard path segment to match all files at a certain path. A wildcard variable is declared in a path by wrapping a variable in curly braces: {variable}. This variable is accessible within the match statement as a string.

// Allow read at any path "/*", if condition evaluates to true
match /{single_path} {
  // Matches "path", "to", or "object" but not "path/to/object"
  allow read: if <condition>;
}

Multiple path segments and nested paths may also have wildcards:

// Allow read at any path "/path/*/newPath/*", if condition evaluates to true
match /path/{first_wildcard} {
  match /newPath/{second_wildcard} {
    // Matches "path/to/newPath/newObject" or "path/from/newPath/oldObject"
    allow read: if <condition>;
  }
}

{multi_segment_wildcard=**}

If you want to match any number of path segments at or below a path, you can use a multi-segment wildcard, which matches all requests to and below the location. This can be useful for providing a user their own free-form storage space, or for creating rules that match many different path segments (such as creating a publicly readable set of files, or requiring authentication for all writes).

A multi-segment wildcard path is declared similarly to a single-segment wildcard, with the addition of =** at the end of the variable: {variable=**}. A multi-segment wildcard variable is available within the match statement as a path object.

// Allow read at any path "/**", if condition evaluates to true
match /{multi_path=**} {
  // Matches anything at or below this, from "path", "path/to", "path/to/object", ...
  allow read: if <condition>;
}
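A complete rules file that combines the match forms above (a single-segment wildcard, nested single-segment wildcards, and a multi-segment wildcard) with an authentication condition, added here as an illustration and not taken from the Firebase documentation. The outer `rules_version` / `service firebase.storage` / `match /b/{bucket}/o` wrapper, the comma-separated `allow read, write` form, and the `request.auth.uid` property are standard Firebase rules syntax assumed from outside this page.

```firebase
rules_version = '2';
service firebase.storage {
  // Every Cloud Storage rule lives under the bucket wildcard.
  match /b/{bucket}/o {

    // Single-segment wildcard: exactly one file directly under "public/".
    // Anyone may read. There is no allow write, so client writes are denied.
    match /public/{fileName} {
      allow read;
    }

    // Nested single-segment wildcards: "avatars/<userId>/<fileName>".
    // Reads are open; a write is allowed only when the caller is signed in
    // and the userId segment equals the caller's uid.
    match /avatars/{userId}/{fileName} {
      allow read;
      allow write: if request.auth != null && request.auth.uid == userId;
    }

    // Multi-segment wildcard: a user's own free-form space "users/<userId>/**".
    // userPath is a path object and may be any number of segments deep.
    match /users/{userId}/{userPath=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }

    // Deliberately no catch-all `match /{allPaths=**}`: any object that no
    // match covers is rejected, which is the default you want. If you add a
    // catch-all, remember that a request is allowed when ANY matching allow
    // rule is true, so a permissive catch-all overrides the narrower matches.
  }
}
```

Test changes with the Firebase emulator before deploying: a request to "avatars/otherUser/pic.png" from a user whose uid is not "otherUser" should be denied for write and allowed for read.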

Request

The request variable is provided within a condition to represent the request being made at that path. The request variable has a number of properties which can be used to decide whether to allow the incoming request.

Properties

auth

When an authenticated user performs a request against Cloud Storage, the auth variable is populated with the user's