Firestore Ruby: How to authenticate? (permission denied)

Question

I'm trying to access firestore from ruby. Everything's setup and working, except if I enforce read/write rules on documents. Permission denied.

Using the ruby firestore gem

Authenticated the client:

creds = Rails.application.credentials.firestore
Google::Cloud::Firestore.configure do |config|
  config.project_id = creds[:config][:projectId]
  config.credentials = creds[:service_account].to_h
  config.emulator_host = "localhost:8888" if Rails.env.development?
end


```rb

@client = Google::Cloud::Firestore.new
@client.col(collection_name).get

This will return permission denied. If I allow read/write on all documents, firestore returns the documents fine... so it's a firestore rules issue.

So, how do I authenticate a user using firestore ruby? I can do token creation in ruby firestore admin... but there's no api in firestore ruby to log them in (right?).

Can firestore ruby authenticate a user? If so how?

Any help appreciated.

Update:

The error is:

GRPC::PermissionDenied: 7:
false for 'list' @ L83. debug_error_string:{UNKNOWN:Error received from peer ipv4:127.0.0.1:8888 {created_time:"2022-11-18T17:44:53.265761-08:00", grpc_status:7, grpc_message:"\nfalse for \'list\' @ L83"}}

Answer 1

As @orangesoda previously posted in the comments, there's an emulator issue based on this Github link . When deployed in production, everything is working as intended.

Additionally, authentication for server libraries is managed through IAM. When using a service account, the service account must have the appropriate permissions/roles to access the Firestore database (and "bypass" the security rules).

This is only detailed in (what I think is the older) documentation.

Here is the list of permission/roles and their matching Firestore operations. This is also where most of the Ruby documentation is.