Narrow the Firestore Admin SDK credential — per-database SA scoping

Goal

Defense-in-depth: today firebase-adminsdk-fbsvc@aote-pms has project-scoped Firestore access (datastore.owner), so server admin paths can read/write ALL databases. Narrow this so a compromised or loosely written admin path can't cross subsidiary DBs — e.g. issue a separately scoped SA per named DB (datastore.owner on that specific DB only) for the admin paths that need it, or push hardening to the client-SDK + Rules layer (T-022 / T-025) and keep the admin cred deliberately broad.
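A sketch of the per-DB SA path, as an added example (not part of the original note). It takes the project `aote-pms`, the database `tebs-erl` and the role `datastore.owner` from the note; the SA naming convention, the condition title, and the use of an IAM condition on `resource.name` (`projects/PROJECT/databases/DB`) to pin the binding to one Firestore database are assumptions. Run with `DRY_RUN=0` to actually execute the gcloud calls.

```shell
#!/usr/bin/env sh
# Added example; assumes IAM conditions on resource.name scope Firestore bindings per database.
PROJECT="${PROJECT:-aote-pms}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands, 0 = execute them

# CEL condition that limits a role binding to exactly one named database.
db_condition() {
  printf 'expression=resource.name=="projects/%s/databases/%s",title=only-%s-db' "$PROJECT" "$1" "$1"
}

# Email of the per-database admin SA (constructed naming convention, not an existing SA).
db_sa_email() {
  printf 'firestore-admin-%s@%s.iam.gserviceaccount.com' "$1" "$PROJECT"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mint one SA for one database and bind datastore.owner only under the DB condition.
# The broad binding on firebase-adminsdk-fbsvc is untouched: remove it separately
# once the admin paths have been moved to the scoped SA.
scope_sa_to_db() {
  db="$1"
  run gcloud iam service-accounts create "firestore-admin-$db" \
    --project "$PROJECT" --display-name "Firestore admin ($db only)"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member "serviceAccount:$(db_sa_email "$db")" \
    --role roles/datastore.owner \
    --condition "$(db_condition "$db")"
}

# Check: list every role this SA holds on the project with its condition title.
# A row with an empty title is an unconditional, project-wide binding (the thing
# this task is trying to get rid of).
list_sa_bindings() {
  run gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$1" \
    --format="table(bindings.role,bindings.condition.title)"
}

if [ "${1:-}" = "apply" ]; then
  scope_sa_to_db tebs-erl
  list_sa_bindings "$(db_sa_email tebs-erl)"
  list_sa_bindings "firebase-adminsdk-fbsvc@$PROJECT.iam.gserviceaccount.com"
fi
```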

Context (SA agent, 2026-06-13)

  • Entirely mine; orthogonal to the SA audit (they retire service@, not the firebase-adminsdk cred). No timeline coupling.
  • If I MINT a new SA here, record it in memory project_sa_audit_aote_pms so the audit's live-state inventory stays accurate (their explicit ask).
  • Reality check: only tebs-erl is a real subsidiary DB today (MEL/EPL not incorporated), so per-DB scoping mostly future-proofs; low urgency. Optional / lower priority.

Log

  • 2026-06-13 created (split out of T-022 per the SA-coordination answers).