Firebase Rules recommender

The Firebase Rules recommender supports the following recommendation subtypes:

These subtypes are security concerns for Firestore customers: rules that give users more access than intended, or a policy that is getting close to its expiration time, meaning the users' authorization policy will change soon.

This document describes how to enable and view your recommendations and insights to improve the security of your databases.

Before you begin

Before you can view Firestore Firebase rules recommendations and insights, do the following:

  1. Enable the Recommender API as described in Enable the API.

  2. Ensure that you have sufficient permissions. You must have one of the following roles, which provide the necessary permissions:

    Task description | Role
    View recommendations/insights | roles/recommender.firestoredatabasefirebaserulesViewer
    View and update (dismiss) recommendations/insights | roles/recommender.firestoredatabasefirebaserulesAdmin
    Opt out of recommendations/insights in Transparency and Control Center. For more information, see Opting out. | roles/dataprocessing.admin

    These Recommender roles provide the following API permissions:

    Role: Included permissions

    • roles/recommender.firestoredatabasefirebaserulesViewer:
        recommender.firestoreDatabaseFirebaseRulesRecommendations.get
        recommender.firestoreDatabaseFirebaseRulesRecommendations.list
        recommender.firestoreDatabaseFirebaseRulesInsights.get
        recommender.firestoreDatabaseFirebaseRulesInsights.list
    • roles/recommender.firestoredatabasefirebaserulesAdmin: roles/recommender.firestoredatabasefirebaserulesViewer permissions, plus
        recommender.firestoreDatabaseFirebaseRulesRecommendations.update
        recommender.firestoreDatabaseFirebaseRulesInsights.update

    For more information about roles and about granting access, see the following:

View recommendations

You can list Firebase rules recommendations in different ways.

You can view Firebase rules recommendations only if you have non-empty, in-use databases that have any insecure or expiring Firebase rules configured.

Google Cloud console

You can view your recommendations by doing the following:

  1. Go to the Google Cloud console, or use the following button:

    Go to Google Cloud console

  2. Search for the Database Center page.

gcloud CLI

To list Firebase rules recommendations by using gcloud, run the gcloud recommender recommendations list command as follows:

  gcloud recommender recommendations list \
  --project=PROJECT_ID \
  --location=global \
  --recommender=google.firestore.database.RECOMMENDER

Replace the following:

  • PROJECT_ID: Your project ID.
  • RECOMMENDER: The ID of the recommender: FirebaseRulesRecommender.

Recommender API

To list your Firebase rules recommendations by using the Recommendations API, call the recommendations.list method as follows:

  curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "x-goog-user-project: PROJECT_ID" \
  "https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/global/recommenders/google.firestore.database.RECOMMENDER/recommendations"

Replace the following:

  • PROJECT_ID: Your project ID.
  • RECOMMENDER: The ID of the recommender: FirebaseRulesRecommender.

For more information, see Using the API - Recommendations.
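
The following is an added example, not part of the original page or of Google's documentation. It triages the JSON body returned by the recommendations.list call above, keeping only ACTIVE recommendations, ordering them by priority, and extracting the insight IDs to look up next. It assumes the response follows the Recommender API v1 Recommendation schema; the triage function, project number, IDs, and subtype names are constructed placeholders.

```python
"""Triage a recommendations.list response: keep ACTIVE items, highest priority first."""

# Resource-name prefixes for this page's recommender and insight type.
# The project number 123 is a constructed placeholder.
BASE = ("projects/123/locations/global/recommenders/"
        "google.firestore.database.FirebaseRulesRecommender/recommendations/")
INSIGHT = ("projects/123/locations/global/insightTypes/"
           "google.firestore.database.FirebaseRulesInsight/insights/")

# Constructed sample response body. Field names follow the Recommender API v1
# Recommendation resource; ids, subtypes and descriptions are placeholders.
SAMPLE_RESPONSE = {"recommendations": [
    {"name": BASE + "rec-a", "description": "constructed: rules expire soon",
     "recommenderSubtype": "EXAMPLE_SUBTYPE_EXPIRING", "priority": "P3",
     "stateInfo": {"state": "ACTIVE"},
     "associatedInsights": [{"insight": INSIGHT + "ins-a"}]},
    {"name": BASE + "rec-b", "description": "constructed: rules too permissive",
     "recommenderSubtype": "EXAMPLE_SUBTYPE_OPEN", "priority": "P1",
     "stateInfo": {"state": "ACTIVE"},
     "associatedInsights": [{"insight": INSIGHT + "ins-b"}]},
    {"name": BASE + "rec-c", "description": "constructed: already dismissed",
     "recommenderSubtype": "EXAMPLE_SUBTYPE_OPEN", "priority": "P1",
     "stateInfo": {"state": "DISMISSED"}},
]}

PRIORITY_RANK = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}  # P1 is the highest priority


def triage(response):
    """Return ACTIVE recommendations as flat rows, highest priority first."""
    rows = []
    for rec in response.get("recommendations", []):
        if rec.get("stateInfo", {}).get("state") != "ACTIVE":
            continue  # only ACTIVE entries are still open for review
        rows.append({
            "id": rec["name"].rsplit("/", 1)[-1],
            "priority": rec.get("priority", "PRIORITY_UNSPECIFIED"),
            "subtype": rec.get("recommenderSubtype", ""),
            "description": rec.get("description", ""),
            # Insight ids to look up with the insights list call.
            "insights": [i["insight"].rsplit("/", 1)[-1]
                         for i in rec.get("associatedInsights", [])],
        })
    # Unknown or unspecified priorities sort last instead of raising.
    rows.sort(key=lambda r: (PRIORITY_RANK.get(r["priority"], len(PRIORITY_RANK)), r["id"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(row["priority"], row["id"], row["subtype"], row["insights"], sep="\t")
```

To use it on real output, save the curl response to a file and pass the parsed JSON to triage() in place of SAMPLE_RESPONSE.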

View insights

You can view insights and detailed recommendations about Firebase rules in different ways.

Google Cloud console

To view insights and detailed recommendations by using the Google Cloud console, search for the recommendation in the Database Center tab.

gcloud CLI

To view insights by using gcloud, run the gcloud recommender insights list command as follows:

  gcloud recommender insights list \
  --project=PROJECT_ID \
  --location=global \
  --insight-type=google.firestore.database.INSIGHT_TYPE

Replace the following:

  • PROJECT_ID: Your project ID.
  • INSIGHT_TYPE: The ID of the insight type: FirebaseRulesInsight.

Recommender API

To list your insights by using the Recommender API, run the following command:

  curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "x-goog-user-project: PROJECT_ID" \
  "https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/global/insightTypes/google.firestore.database.INSIGHT_TYPE/insights"

Replace the following:

  • PROJECT_ID: Your project ID.
  • INSIGHT_TYPE: The ID of the insight type: FirebaseRulesInsight.

For more information, see Using the API - Insights.

Apply recommendations

For more information about how to improve your database security, see Structure security rules.

Pricing

Firebase rules recommendations and insights are available free of charge. For information about other pricing tiers, see Recommender pricing.