The project owner and I were struggling to give me access to Firestore and Firebase Storage when we finally get it to work by assigning me custom roles:
Firebase Develop Admin
Firebase Grow Admin
Firebase Viewer
It worked last night but I haven't done anything yet since it was getting late. This morning I still have the roles but I can't create a Firestore database or access Storage anymore. How do I fix this?
Related
A project that we are building uses the Google cloud identity toolkit multi-tenant feature. We have two tenants that we are actively using. We interact with all of this through Firebase's authentication suite.
I've noticed that when using this the user accounts do not show up in Firestore's UI anymore. The same goes for the local emulator.
I know the user has been created because when I log in I get back the correct uid matching the user profile created in firestore that I can see in the local emulator.
I'd like to know if anyone can help me with one of the following:
Is there a way to manage the users created for a multi-tenant setup through the emulator?
Is there a way for me to use gcloud cli locally to manage the users that I have created locally?
Good news! The updated version of the emulator will show you tenants. Once you run the emulator, attempt to login as a user through a tenant, and your "auth" page will magically get a "Tenant" dropdown.
Bad news! The non-default-tenant users don't seem to persist by any export method I have discovered so far.
As for seeing those users in the firebase console, it's pretty easy, but an extra step. Under "authentication" in the firebase console, you should see a tenant dropdown.
If you open that, there will be a link "Other tenants can be managed in the Google Cloud Console". Click it, then click "users" on the left. Finally choose your tenant in the "Tenant" dropdown.
I have a blaze account on firestore. I'm trying to create a new firestore database and get this message:
"To manage Cloud Firestore, ask a project owner for the necessary permissions"
My roles:
Cloud Storage for Firebase Admin,
Firebase Admin
Firebase Analytics Admin
Firebase Develop Admin
Firebase Rules System
What else should I have?
I'm attaching to 2 images:
firestore page
IAM - my roles
Thank you,
Geanni
The roles you've listed give you read/write access to the various Firebase services, but not the ability to add and remove them entirely from a project - that permission comes from Google Cloud itself.
The basic IAM roles define an Owner role that contains the needed permissions, but this is probably not what you are looking for.
At a more fine-tuned level, you should be able to use roles/datastore.owner to grant the ability to provision a Firestore database (Firestore is a layer on top of Datastore). That should be all you would need, but you might also need to consider roles/appengine.appAdmin too.
Relevant links:
Datastore IAM permissions
Firebase documentation on IAM permissions.
As documented here, you need the follow role:
Firebase Develop Admin - roles/firebase.developAdmin
We gave 10 users to access our firebase console. Someone delete our main collection in firestore.
Is there a way to find out which user removes it from these 10 users?
firebaser here
There currently is no way to find out which collaborator on the project or which Authentication user deleted the collection from Firestore. The feature has been considered though, so I recommend you file a feature request to chime in.
you should never give access for users to your firebase console only developers and app owners should be allowed to access it. but if you want to track users activity you can use Firebase analytics event logging.Events are triggered when users take actions in your app for more informationFirebase analytics event logging
I am building a PWA (Web-App) and would like my client to be able to enter data such as new events into the Cloud Firestore, without me having to create a UI (ie. using the Firebase Console with permissions to only edit a collection).
It would also be alright to just grant permission to the whole Firestore for this user (as it's his data). I'm thinking of something like phpMyAdmin.
Would the user need a gmail-Account? I found something in the Project Settings (Users and Permissions - IAM).
Unfortunately this isn't possible in the Firebase or Google Cloud console. A user either has edit permission on Firestore as a whole, or they don't.
The console is focused on developers, and not a great fit for the type of use-case you're describing. The most common approach to such a use-case is to write a custom admin app for these users. If you don't feel like that, look at some of the existing admin panels or content management systems that build on top of Firebase out there.
Because of GDPR we are trying to limit access for the developers to production data, but the developers need access to Crashlytics. I have tried to add the roles specified in https://stackoverflow.com/a/50585767/328864:
Firebase Crash Symbol Uploader
Error Reporting User
Error Reporting Viewer
Error Writer
..but it doesn't work, the page only says The project XXXX either does not exist, or XXXX doesn't have permission to view it.. I have also tried to add a bunch of other roles, like Error Reporting Admin, Monitoring Admin etc, but it doesn't make any difference. The only role that seems to work is Project - Viewer, but that also gives read access to the entire database.
Is there a role or combination of roles that gives access to only Firebase Crashlytics?
Have you tried adding one of the Firebase Quality predefined roles?
I followed the post you referenced to grant access for my Viewer members and it didn't work. Only after adding Firebase Quality Admin role did the users get access. I didn't try the Firebase Quality Viewer role because I wanted those members to be able to link app from Fabric.
I realize this may not be what you want as this will provide access to the other Quality services, but just want to throw it out there as an option.