Need: getDownloadURL on external bucket

We have a Firebase/GCP project and we want to use the getDownloadURL Firebase storage function in Node.js to create a permanent signed URL for an object in a bucket in a different project.

Specifically, we have an asset bucket and we want to generate long-lived (forever) URLs for objects in it, but not make the bucket public otherwise. The asset bucket serves many projects and we want all those projects to be able to generate URLs against the asset bucket (without having to do anything exotic).

Error: Permission Denied

When we run getDownloadURL we get the following error:

“Error: Permission denied. Please enable Firebase Storage for your bucket by visiting the Storage tab in the Firebase Console and ensure that you have sufficient permission to properly provision resources.”

The error suggests that we add the bucket to the Firebase project. When we attempt to add a bucket via the Firebase Console we can create or import a bucket, but it’s not clear what “import” means (copy? move bucket across projects? etc.) or whether it would work across projects. We can’t find any documentation indicating what this does or whether it would help, but it also seems unnecessary/irrelevant to the permissions question (which one would expect to be solved by IAM permissions).

Attempted fixes

We’ve also found some suggestions that we’ve tried:

  1. granted Storage Admin to [email protected] on the bucket
  2. set storage rules to allow-all on the Firebase project
  3. granted Storage Admin on the bucket to the service account that runs the Firebase function

The error gives no useful indication of how to fix this, there’s no apparent documentation on what permissions are needed, and most of the information from Google/etc is outdated or wrong.

Workaround

As a workaround we’ve also considered using long-lived V2 Signed URLs, but the documentation specifically says to keep them short-lived, and V4 Signed URLs have an arbitrary 7-day limit. The getDownloadURL function would appear to be the correct/ideal thing to do here (if it worked).

How can we use getDownloadURL on an object in a bucket outside the GCP project?

Related:

  • https://firebase.google.com/docs/storage/admin/start#shareable_urls
  • https://www.sentinelstand.com/article/guide-to-firebase-storage-download-urls-tokens
  • https://github.com/firebase/firebase-admin-node/issues/1352
  • Get Download URL from file uploaded with Cloud Functions for Firebase
  • /a/76744881/19212
