Connect to Cloud Firestore in DataStore mode from Java

Question

I'm migrating a Java microservice running on App Engine from DataStore to Cloud Firestore in Datastore mode and having problems connecting to the new database. I find the documentation confusing, but am working on the following basis ( quoted from this )

Setting database permissions By default, your app has all the permissions required to read and write to Datastore mode and Firestore databases in your Google Cloud project.

To manage these permissions, each App Engine app uses a default service account that gives full read and write access to Datastore mode and Firestore databases in the same project as the app. You can change the permissions of the default service account, but your app may lose access unless you assign an IAM role with the required permissions.

I found the default service account in IAM and generated the key and used the following code to initialise the FirebaseApp

    InputStream serviceAccount = this.getClass().getResourceAsStream("/toolbox-firebase-adminsdk-jbx2a-31651a7510.json");

    try {
        FirebaseOptions options = new FirebaseOptions.Builder()
                .setCredentials(GoogleCredentials.fromStream(serviceAccount))
                .setDatabaseUrl("https://toolbox.firebaseio.com")
                .build();
        FirebaseApp.initializeApp(options);

    } catch (IOException e) {
        throw new RuntimeException(e);
    }

This code seems to execute properly, but when I try to access the database I get the following permissions error

> INFO] GCLOUD: com.google.cloud.datastore.DatastoreException: Missing
> or insufficient permissions. [INFO] GCLOUD:   at
> com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.translate(HttpDatastoreRpc.java:128)
> [INFO] GCLOUD:    at
> com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.translate(HttpDatastoreRpc.java:113)
> [INFO] GCLOUD:    at
> com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.lookup(HttpDatastoreRpc.java:163)
> [INFO] GCLOUD:    at
> com.google.cloud.datastore.DatastoreImpl$3.call(DatastoreImpl.java:392)
> [INFO] GCLOUD:    at
> com.google.cloud.datastore.DatastoreImpl$3.call(DatastoreImpl.java:389)
> [INFO] GCLOUD:    at
> com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:105)
> [INFO] GCLOUD:    at
> com.google.cloud.RetryHelper.run(RetryHelper.java:76) [INFO

The service account that I am using has the following permissions

• Cloud Datastore Owner
• Cloud Datastore User
• Editor

Any help in fixing this is greatly appreciated.

Answer 1

The default App Engine Standard Service Account is:

gcloud iam service-accounts list | grep appspot.gserviceaccount.com
App Engine default service account   your-project@appspot.gserviceaccount.com 

This service account has already the Editor Role, and your app has all the permissions required to read and write to Datastore mode and Firestore databases in your Google Cloud project.

Therefore you do not need to create a key.json file, and initilalize your credentials from this file.

For App Engine Standard

If your application runs on App Engine standard environment, you can use the App Engine App Identity API to obtain credentials.

After you set up a service account, ADC can implicitly find your credentials without any need to change your code, as described in the section above . If you want to specifically use App Engine credentials, you can explicitly do so, as shown in the following code example.

EDIT

If your code runs on Firebase App and not App Engine Standard, I think you should not use the default App Engine Service Account. You should create a new service account with Editor role and generate the key.json file.