Cloud Function Security Rules

Authentication

Cloud Function Security Rules are a permission management system based on user identity: they control who may call a function according to the identity of the currently logged-in user. The rules apply only to ordinary calls made with a client-side user identity, such as callFunction operations from the various client SDKs; invocations from the management side, HTTP triggers, and other trigger-based invocations are not covered by the security rules.

Authoring Security Rules

Function Security Rules are configured at the environment level, meaning all functions within the environment share a single configuration; the behaviour of individual functions is controlled through the nested levels of that one configuration.

Like all security rules, the configuration is based on an overall JSON setup, but Cloud Function Security Rules have more configuration layers:

  1. The top-level key is the function name, with the special * acting as a wildcard for all function names. During matching, the specific function name takes priority; if no entry matches, the configuration for * is used. The value contains the sub-configuration of invocation rules for that function.
  2. In each sub-configuration, the key is the operation name (currently only invoke is supported), and the value is either a boolean or a security rule expression string, for example:
{
  "*": {
    "invoke": "auth!=null"
  },
  "function1": {
    "invoke": false
  }
}

Limitations

  1. The top-level configuration of security rules must include an entry with the key *.
  2. The configuration under each function must include an invoke setting.
  3. Cloud Function Security Rules currently support only a limited set of three invoke values: true, false, and "auth!=null", meaning allow invocation, disallow invocation, and allow invocation only when logged in, respectively. The default configuration allows invocation only when logged in, that is:
{
  "*": {
    "invoke": "auth != null"
  }
}
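As an added example (not code from the CloudBase documentation or SDK), the following JavaScript mirrors the matching order and the three limitations described above: it validates a rules object and then decides whether a client call is permitted. The function names in the sample config (function1, publicFn, other) and the shape of the auth object are assumptions for illustration.

```javascript
// Added example, not part of the original docs: validator and evaluator for
// the function security rules format described on this page.

// Limitation 3: only true, false and "auth!=null" are supported;
// whitespace around != is tolerated, as in the default configuration.
const ALLOWED_EXPR = /^auth\s*!=\s*null$/;

function validateRules(rules) {
  const errors = [];
  if (typeof rules !== 'object' || rules === null || Array.isArray(rules)) {
    return ['rules must be a JSON object keyed by function name'];
  }
  // Limitation 1: the "*" wildcard entry is mandatory so every call resolves.
  if (!Object.prototype.hasOwnProperty.call(rules, '*')) {
    errors.push('missing required "*" entry');
  }
  for (const [fn, sub] of Object.entries(rules)) {
    // Limitation 2: each function's sub-configuration must carry "invoke".
    if (typeof sub !== 'object' || sub === null || !('invoke' in sub)) {
      errors.push(`"${fn}": missing "invoke"`);
      continue;
    }
    const v = sub.invoke;
    if (!(v === true || v === false || (typeof v === 'string' && ALLOWED_EXPR.test(v)))) {
      errors.push(`"${fn}": unsupported invoke value ${JSON.stringify(v)}`);
    }
  }
  return errors;
}

// Decide whether a client-side callFunction is permitted.
// `auth` is the caller's identity object; null/undefined means not logged in.
function canInvoke(rules, functionName, auth) {
  // Specific function name wins; otherwise fall back to the "*" wildcard.
  const sub = Object.prototype.hasOwnProperty.call(rules, functionName)
    ? rules[functionName]
    : rules['*'];
  const v = sub.invoke;
  if (typeof v === 'boolean') return v;
  return auth != null; // "auth!=null": allowed only when logged in
}

// Constructed sample: default allow-when-logged-in, one locked-down function,
// one function open to anonymous callers.
const sampleRules = {
  '*': { invoke: 'auth!=null' },
  function1: { invoke: false },
  publicFn: { invoke: true },
};
```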