{bucket} clause indicates that these rules apply to all Cloud Storage buckets on the project.
/user/{userId}/path/to/file.txt
read and write. That's it. This is a break from Cloud Firestore, which supports other sub-types. In this case you're either reading or writing.
{someWildcard=**} syntax when you want your rules to cascade; otherwise, they won't apply to nested folders.
/user/uploads/{userId}/uploaded-file.jpg but can only read from /user/thumbnails/{userId}/thumbnail.jpg.
request object that represents that incoming request. You'll be using the request object for most rule conditions.
request.auth.uid and request.auth.token, which contains the user's JWT.
resource object. In Firestore this object refers to the pre-write state of the document, but in Firebase Storage this is the object being uploaded, downloaded, modified or deleted.
resource object that you may find handy:
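The path matching, cascading wildcard and request.auth.uid checks described above, put together in one rules file. This is an added example, not code from the original page; the wildcard name `rest`, the 5 MB size limit and the image-only content-type check are assumptions chosen for illustration.

```firebase-rules
rules_version = '2';
service firebase.storage {
  // {bucket} applies these rules to every Cloud Storage bucket on the project.
  match /b/{bucket}/o {

    // Uploads: only the signed-in owner may write, and no read is granted here.
    // {rest=**} (assumed name) makes the rule cascade to nested folders under
    // the user's upload directory; a single-segment wildcard would not.
    // request.resource is the incoming file. The size and content-type limits
    // are assumed values, not taken from the page.
    match /user/uploads/{userId}/{rest=**} {
      allow write: if request.auth != null
                   && request.auth.uid == userId
                   && request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }

    // Thumbnails: read-only for the owner. No write rule exists on this path,
    // so client writes are denied by default.
    match /user/thumbnails/{userId}/{rest=**} {
      allow read: if request.auth != null && request.auth.uid == userId;
    }

    // Any path not matched above has no allow rule and is denied.
  }
}
```

Checking `request.auth != null` before comparing `request.auth.uid` keeps unauthenticated requests from ever reaching the ownership comparison.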