Give a role access to a function without giving it read access to the whole collection

I want to create a function to fetch a document by ID (and some related data). I want to be able to call this function from the browser (public) without giving public access to any other data.
If the browser user does not know the ID of a document, nothing can be fetched at all. Similar to how unlisted Youtube videos work.
I tried creating a role with a “Call” permission to my function. This does not work, because I also need to give Read permissions to the whole Collection to be able to call my index.
But this gives that role access to the whole collection. Which I definitely do not want.
How can this be achieved?
Everything inside the function should work. Everything outside should be a NO go.

For now I am wrapping this function in a serverless function

1 Like

Hi @rova please refer to this blog post