I have a blaze account on firestore. I'm trying to create a new firestore database and get this message:
"To manage Cloud Firestore, ask a project owner for the necessary permissions"
My roles:
Cloud Storage for Firebase Admin,
Firebase Admin
Firebase Analytics Admin
Firebase Develop Admin
Firebase Rules System
What else should I have?
I'm attaching to 2 images:
firestore page
IAM - my roles
Thank you,
Geanni
The roles you've listed give you read/write access to the various Firebase services, but not the ability to add and remove them entirely from a project - that permission comes from Google Cloud itself.
The basic IAM roles define an Owner role that contains the needed permissions, but this is probably not what you are looking for.
At a more fine-tuned level, you should be able to use roles/datastore.owner to grant the ability to provision a Firestore database (Firestore is a layer on top of Datastore). That should be all you would need, but you might also need to consider roles/appengine.appAdmin too.
Relevant links:
Datastore IAM permissions
Firebase documentation on IAM permissions.
As documented here, you need the follow role:
Firebase Develop Admin - roles/firebase.developAdmin
Related
The project owner and I were struggling to give me access to Firestore and Firebase Storage when we finally get it to work by assigning me custom roles:
Firebase Develop Admin
Firebase Grow Admin
Firebase Viewer
It worked last night but I haven't done anything yet since it was getting late. This morning I still have the roles but I can't create a Firestore database or access Storage anymore. How do I fix this?
Permissions recommended for the Cloud Build service account in the official Google documentation and the Firebase CLI community builder docs are insufficient:
In the permissions table, locate the email ending with #cloudbuild.gserviceaccount.com, and click on the pencil icon.
Add Cloud Build Service Account, Firebase Admin and API Keys Admin roles.
I still get the following error in Cloud Build when I do firebase deploy:
Error: HTTP Error: 403, The caller does not have permission
What I've tried is different Firebase IAM roles, Editor, and Owner. So far only the Owner role works. That is way too much privilege for a Cloud Build service account, and violates the least-privilege model.
Everything is in the same Google Cloud project.
Anyone know how to troubleshoot this? Or know which role/permission is missing?
For our project (which uses Firestore, Functions, Hosting, and Storage extensively) here is the list we came up with. Critically I wanted to avoid "Firebase Admin" because I did not want this service account to have access to read/write my Firestore data:
Artifact Registry Administrator
Cloud Build Service Account
Cloud Datastore Index Admin
Cloud Functions Admin
Cloud RuntimeConfig Admin
Cloud Scheduler Admin
Firebase Hosting Admin
Firebase Rules Admin
Pub/Sub Admin
Service Account User
tl;dr seems like it was "an accidental permission expansion" that has been corrected.
I am able restrict the roles to:
Cloud Build Service Account
Firebase Admin
API Keys Admin
I am new to firebase and I have developed an app which can save documents. I want to assign a role to my team member who can view "Real-Time Data" but not the "Storage" as few files are confidential. The team mate should not have access to view storage files in firebase.
Can I do this by adding rules in firebase? If yes, how?
If I cannot do this, what is the alternate?
Within the Firebase console you can assign these broad roles to the collaborators on a project:
As you can see, Database and Storage are in the same role here, so you can't assign different permissions for them.
Luckily you can also define a custom role in the Cloud console, which allows you fine grained control over what a collaborator can do.
You'll want to read the documentation on granting, changing and revoking access in the Cloud documentation, and then build a role that has the necessary Firebase product-level predefined roles. Since you want the collaborator to only have access to Realtime Database, you'll need one of these:
Role: Firebase Realtime Database Admin
roles/firebasedatabase.admin
Description: Full read/write access to
Realtime Database resources
Realtime Database Admin permissions:
firebasedatabase.instances.create
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedatabase.instances.update
Role: Firebase Realtime Database Viewer
roles/firebasedatabase.viewer
Description: Read-only access to Realtime Database resources
Realtime Database Viewer permissions:
firebasedatabase.instances.get
firebasedatabase.instances.list
I can't figure it out which role/s do I need to have on one of my client's Google Cloud Platform, to do the following:
- Connect and Manage a Firestore database to their Firebase app.
- Use the Google Cloud Firestore API from an external app.
There are so many roles... Any help? :)
I have already Firebase Analytics Admin but when I tried to access the Firestore through Firebase I get the message "To manage Cloud Firestore, ask a project owner for the necessary permissions".
Thanks!
According to the Firebase product-category predefined roles documentation, the only role that has full read/write access to Cloud Firestore is:
Firebase Develop Admin - roles/firebase.developAdmin
Regarding the access to the API, the app will be able to access it using either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token as per referenced on this documentation.
In order to set up Firebase Auth, this link might be of help and for OAuth check this link.
I want to add firebase cloud storage security rules so that my file can be access by set of people's. List of people's are in my firebase database.
Can anyone help me please?
There is no way to access the Firebase Database from your Cloud Storage for Firebase security rules. You will have to set the information into the token for each user, and then access that in your storage rules.
Also see:
Restrict firebase database and storage write access to a specific group
is there a way to authenticate user role in firebase storage rules?
Create group access to firebase storage without using custom authorization
Some of these show embedding the UIDs in the security rules, which used to be the only way to do this. But nowadays you should probably user custom claims for this, as shown in Bojeil's answer to the first question above.