I can't figure out which role/s I need to have on one of my client's Google Cloud Platform, to do the following:
- Connect and Manage a Firestore database to their Firebase app.
- Use the Google Cloud Firestore API from an external app.
There are so many roles... Any help? :)
I already have Firebase Analytics Admin, but when I try to access Firestore through Firebase I get the message "To manage Cloud Firestore, ask a project owner for the necessary permissions".
Thanks!
According to the Firebase product-category predefined roles documentation, the only role that has full read/write access to Cloud Firestore is:
Firebase Develop Admin - roles/firebase.developAdmin
Regarding access to the API, the app will be able to access it using either a Firebase Authentication ID token or a Google Identity OAuth 2.0 token, as referenced in this documentation.
In order to set up Firebase Auth, this link might be of help and for OAuth check this link.
Related
Until now I was using a service account to connect to my Firestore database (Firebase is not enabled) from within Google products like Cloud Functions or Colab.
Now I need to connect to Firestore from an HTML page opened in my browser. Is it possible without enabling Firebase?
Yes, the Google Cloud Firestore NodeJS SDK is meant to be used on server side only. You can use Firebase Web SDK along with Firebase Authentication and Firebase Security Rules to support serverless app architectures where clients connect directly to your Firestore database.
You don't necessarily have to use Firebase Auth. However, it might be a good idea to restrict access and allow only public content to be accessible without authentication.
You can follow the quickstart in the documentation to set up the client SDK.
I have a Blaze account on Firestore. I'm trying to create a new Firestore database and get this message:
"To manage Cloud Firestore, ask a project owner for the necessary permissions"
My roles:
- Cloud Storage for Firebase Admin
- Firebase Admin
- Firebase Analytics Admin
- Firebase Develop Admin
- Firebase Rules System
What else should I have?
I'm attaching 2 images:
- Firestore page
- IAM - my roles
Thank you,
Geanni
The roles you've listed give you read/write access to the various Firebase services, but not the ability to add and remove them entirely from a project - that permission comes from Google Cloud itself.
The basic IAM roles define an Owner role that contains the needed permissions, but this is probably not what you are looking for.
At a more fine-tuned level, you should be able to use roles/datastore.owner to grant the ability to provision a Firestore database (Firestore is a layer on top of Datastore). That should be all you would need, but you might also need to consider roles/appengine.appAdmin too.
Relevant links:
Datastore IAM permissions
Firebase documentation on IAM permissions.
As documented here, you need the following role:
Firebase Develop Admin - roles/firebase.developAdmin
Permissions recommended for the Cloud Build service account in the official Google documentation and the Firebase CLI community builder docs are insufficient:
In the permissions table, locate the email ending with @cloudbuild.gserviceaccount.com, and click on the pencil icon.
Add Cloud Build Service Account, Firebase Admin and API Keys Admin roles.
I still get the following error in Cloud Build when I do firebase deploy:
Error: HTTP Error: 403, The caller does not have permission
What I've tried is different Firebase IAM roles, Editor, and Owner. So far only the Owner role works. That is way too much privilege for a Cloud Build service account, and violates the least-privilege model.
Everything is in the same Google Cloud project.
Anyone know how to troubleshoot this? Or know which role/permission is missing?
For our project (which uses Firestore, Functions, Hosting, and Storage extensively) here is the list we came up with. Critically I wanted to avoid "Firebase Admin" because I did not want this service account to have access to read/write my Firestore data:
- Artifact Registry Administrator
- Cloud Build Service Account
- Cloud Datastore Index Admin
- Cloud Functions Admin
- Cloud RuntimeConfig Admin
- Cloud Scheduler Admin
- Firebase Hosting Admin
- Firebase Rules Admin
- Pub/Sub Admin
- Service Account User
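An added example, not part of the original posts: a Python audit over the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` that flags Owner, Editor or Firebase Admin on the Cloud Build service account and compares its roles with the list in the answer above. The role IDs are the IDs behind the display names in that list (a mapping added here); the sample policy, project number and user are constructed.

```python
import json

# Role IDs for the display names in the answer's list (ID mapping added here).
ANSWER_ROLES = {
    "roles/artifactregistry.admin",     # Artifact Registry Administrator
    "roles/cloudbuild.builds.builder",  # Cloud Build Service Account
    "roles/datastore.indexAdmin",       # Cloud Datastore Index Admin
    "roles/cloudfunctions.admin",       # Cloud Functions Admin
    "roles/runtimeconfig.admin",        # Cloud RuntimeConfig Admin
    "roles/cloudscheduler.admin",       # Cloud Scheduler Admin
    "roles/firebasehosting.admin",      # Firebase Hosting Admin
    "roles/firebaserules.admin",        # Firebase Rules Admin
    "roles/pubsub.admin",               # Pub/Sub Admin
    "roles/iam.serviceAccountUser",     # Service Account User
}
# Roles the thread treats as too broad for a build account.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/firebase.admin"}
CLOUD_BUILD_SUFFIX = "@cloudbuild.gserviceaccount.com"

def audit_cloud_build_roles(policy):
    """Map each Cloud Build service account to its broad, extra and missing roles."""
    granted = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:") and member.endswith(CLOUD_BUILD_SUFFIX):
                granted.setdefault(member, set()).add(binding["role"])
    return {
        member: {
            "broad": sorted(roles & BROAD_ROLES),
            "extra": sorted(roles - ANSWER_ROLES - BROAD_ROLES),
            "missing": sorted(ANSWER_ROLES - roles),
        }
        for member, roles in granted.items()
    }

# Constructed sample policy; the project number and user are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/cloudbuild.builds.builder", "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/firebasehosting.admin", "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com", "user:dev@example.com"]},
  {"role": "roles/serviceusage.apiKeysAdmin", "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_cloud_build_roles(SAMPLE_POLICY), indent=2))
```

The "missing" list is relative to that poster's project (Firestore, Functions, Hosting and Storage); a project that deploys fewer products needs fewer of these roles.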
tl;dr seems like it was "an accidental permission expansion" that has been corrected.
I am able to restrict the roles to:
- Cloud Build Service Account
- Firebase Admin
- API Keys Admin
I have found the tutorial Using Firebase to authenticate users that explains how to authenticate users with Firebase to access different services.
However I haven't found how to enable Firebase login for the whole Google Cloud Endpoints portal page (like for example https://endpointsportal.ourproject.cloud.goog/).
How can I achieve this?
I think the only identity supported today is GCP meaning Cloud Endpoints Portal doesn't support 3rd party sign in. You can use Firebase to authenticate against the API, but not to log into the portal.
I just deleted my Flutter app from the Firebase console, but it is still working and changing data in the Realtime Database.
Can anyone tell me how it's still connected to Firebase?
Thanks
According to Firebase documentation, when you delete an app:
Corresponding API keys or OAuth clients are NOT deleted. You can clean
up the API keys or OAuth clients in the Google APIs console
credentials page. Deleting these resources will break installed
applications: your users will no longer be able to authenticate or
sign in.
Access to the realtime database is not limited to apps that are registered in the Firebase console. Any code that has the proper configuration for your database, can try to access that database. If you want to be more selective in who can access the database, you will need to do this with Firebase's server-side security rules, typically in combination with Firebase Authentication.