Can I Use Cloud Functions Invoker Role With Firebase Functions?

I have a Cloud Function that should only be invoked by a GKE cluster I'm also hosting. I'd also like to use Firebase Hosting to make a nice url. If I set up the Cloud Function Invoker role on that function to only allow the service account set up on that GKE cluster, will Firebase Hosting proxy that service account and thus still limit access to the Function to only the Invoker role? Or would I need to use something like Cloud Endpoints to achieve that?

If it's not supported with Firebase Hosting, can I still use the Firebase CLI to at least deploy the function and maintain the Invoker role set up? That is, will Firebase reset the Invoker role to allow All Users each time I deploy the Function?

I could test all this to determine the behavior, but I thought I'd ask the question first in case there's a better approach.



Firebase Hosting URLs are always public and Cloud Functions are proxied via public HTTP. You won't be able to restrict access to a function without Hosting also being unable to access it.

You should be able to restrict access to an HTTP function deployed by Firebase by:

  1. Deploy it (it will be public for a brief time)
  2. Modify the IAM for the function from the Google Cloud console

Redeploying the function via Firebase CLI shouldn't change any existing invoker roles (I haven't tried this, but it should work).