Firestore Security Rules recommender

The Firestore Security Rules recommender supports the following recommendation subtype:

This subtype covers security concerns for Firestore customers whose rules grant users more access than the customer intends.

This document describes how to enable and view your recommendations and insights to improve the security of your databases.

Before you begin

Before you can view Firestore Security Rules recommendations and insights, do the following:

  1. Enable the Recommender API as described in Enable the API.

  2. Ensure that you have sufficient permissions. You must have one of the following roles, which provide the necessary permissions:

    Task description                                                                        | Role
    View recommendations/insights                                                           | roles/recommender.firestoredatabasefirebaserulesViewer
    View and update (dismiss) recommendations/insights                                      | roles/recommender.firestoredatabasefirebaserulesAdmin
    Opt out of recommendations/insights in Transparency and Control Center (see Opting out) | roles/dataprocessing.admin

    These Recommender roles provide the following API permissions:

    Role                                                   | Included permissions
    roles/recommender.firestoredatabasefirebaserulesViewer | recommender.firestoreDatabaseFirebaseRulesRecommendations.get
                                                           | recommender.firestoreDatabaseFirebaseRulesRecommendations.list
                                                           | recommender.firestoreDatabaseFirebaseRulesInsights.get
                                                           | recommender.firestoreDatabaseFirebaseRulesInsights.list
    roles/recommender.firestoredatabasefirebaserulesAdmin  | All roles/recommender.firestoredatabasefirebaserulesViewer permissions, plus
                                                           | recommender.firestoreDatabaseFirebaseRulesRecommendations.update
                                                           | recommender.firestoreDatabaseFirebaseRulesInsights.update

    For more information about roles and about granting access, see the following:

You can view Firestore Security Rules recommendations only if you have non-empty, in-use databases whose rules are configured to allow broad access. The project must be at least 30 days old for recommendations to be generated for it.

You can view Firestore Security rules recommendations/insights in different ways:

View recommendations

Google Cloud console

You can view your recommendations by doing the following:

Go to the Google Cloud console.

Recommendations can be viewed on the Recommendation Hub page or the Database Center page.

  1. Search for Recommendations, which leads to the Recommendation Hub page. There you can select a specific category of recommendation and view its entries.

  2. Search for Database Center. There you can apply a product filter and view the specific fleet issues.

gcloud CLI

To list Firestore Security rules recommendations by using gcloud, run the gcloud recommender recommendations list command as follows:

  gcloud recommender recommendations list \
  --project=PROJECT_ID \
  --location=LOCATION \
  --recommender=google.firestore.database.RECOMMENDER

Replace the following:

  • PROJECT_ID: Your project ID
  • LOCATION: A region, such as us-central1
  • RECOMMENDER: The recommender ID, which is FirebaseRulesRecommender.

Recommender API

To list your Firestore Security rules recommendations by using the Recommendations API, call the recommendations.list method as follows:

  curl -H "Authorization: Bearer $(gcloud auth print-access-token)"  \
  -H "x-goog-user-project: PROJECT_ID" \
  "https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.firestore.database.RECOMMENDER/recommendations"

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region, such as us-central1.
  • RECOMMENDER: The recommender ID, which is FirebaseRulesRecommender.

For more information, see Using the API - Recommendations.

View insights

You can view insights and detailed recommendations about Firestore Security rules in different ways.

gcloud CLI

To view insights by using gcloud, run the gcloud recommender insights list command as follows:

  gcloud recommender insights list \
  --project=PROJECT_ID \
  --location=LOCATION \
  --insight-type=google.firestore.database.INSIGHT_TYPE

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region, such as us-central1.
  • INSIGHT_TYPE: The insight type ID, which is FirebaseRulesInsight.

Recommender API

To list your insights by using the Recommender API, run the following command:

  curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.firestore.database.INSIGHT_TYPE/insights"

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region, such as us-central1.
  • INSIGHT_TYPE: The insight type ID, which is FirebaseRulesInsight.

For more information, see Using the API - Insights.
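The following script is an added example (not Google's code) that mirrors the recommendations.list and insights.list calls shown above and reduces each JSON response to the fields an operator needs to act on: it drops items that are no longer ACTIVE, orders recommendations by priority, and keeps only SECURITY-category insights ordered by severity. The sample responses are constructed; the recommenderSubtype value is a placeholder, since the page does not name the subtype.

```python
import json
import urllib.request

BASE = "https://recommender.googleapis.com/v1"
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def fetch(project, location, token, kind, type_id):
    """GET a recommendations or insights list (needs network and a real token).
    kind is 'recommenders' or 'insightTypes'; type_id is the full ID, e.g.
    'google.firestore.database.FirebaseRulesRecommender'."""
    coll = "recommendations" if kind == "recommenders" else "insights"
    url = f"{BASE}/projects/{project}/locations/{location}/{kind}/{type_id}/{coll}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "x-goog-user-project": project})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def active(payload, coll):
    """Keep only items still in state ACTIVE (dismissed/accepted/resolved are skipped)."""
    return [i for i in payload.get(coll, [])
            if i.get("stateInfo", {}).get("state") == "ACTIVE"]


def triage_recommendations(payload):
    """Active recommendations with priority, subtype and targets, P1 first."""
    rows = [{"priority": r.get("priority", "PRIORITY_UNSPECIFIED"),
             "subtype": r.get("recommenderSubtype", ""),
             "targets": r.get("targetResources", [])}
            for r in active(payload, "recommendations")]
    return sorted(rows, key=lambda r: r["priority"])


def triage_insights(payload):
    """Active SECURITY insights, most severe first (other categories dropped)."""
    rows = [i for i in active(payload, "insights") if i.get("category") == "SECURITY"]
    return sorted(rows, key=lambda i: SEVERITY_ORDER.get(i.get("severity"), 9))


# Constructed sample responses in the v1 resource shape; all values are invented.
SAMPLE_RECS = {"recommendations": [
    {"name": ".../r1", "recommenderSubtype": "SUBTYPE_PLACEHOLDER", "priority": "P2",
     "stateInfo": {"state": "ACTIVE"}, "targetResources": ["//firestore.googleapis.com/projects/p/databases/(default)"]},
    {"name": ".../r2", "recommenderSubtype": "SUBTYPE_PLACEHOLDER", "priority": "P1",
     "stateInfo": {"state": "ACTIVE"}, "targetResources": ["//firestore.googleapis.com/projects/p/databases/orders"]},
    {"name": ".../r3", "priority": "P1", "stateInfo": {"state": "DISMISSED"}}]}
SAMPLE_INSIGHTS = {"insights": [
    {"name": ".../i1", "category": "SECURITY", "severity": "HIGH", "stateInfo": {"state": "ACTIVE"}},
    {"name": ".../i2", "category": "SECURITY", "severity": "CRITICAL", "stateInfo": {"state": "ACTIVE"}},
    {"name": ".../i3", "category": "COST", "severity": "LOW", "stateInfo": {"state": "ACTIVE"}}]}

if __name__ == "__main__":
    print(json.dumps(triage_recommendations(SAMPLE_RECS), indent=2))
    print([i["name"] for i in triage_insights(SAMPLE_INSIGHTS)])
```

To run it against a real project, call fetch() with the PROJECT_ID, LOCATION and an access token from gcloud auth print-access-token, and pass the result to the triage function.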

Apply recommendations

For more information about how to improve your database security, see Structure security rules.

Pricing

Firestore Security rules recommendations and insights are available free of charge. For information about other pricing tiers, see Recommender pricing.