Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Firestore in Datastore mode IAM roles. For a detailed description of IAM, read the IAM documentation.
IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (users) has what (roles) permission to
which resources by setting IAM policies. IAM policies grant
specific role(s) to a user, giving the user certain
permissions. For example, you can grant the datastore.indexAdmin role to a
user and the user can create, modify, delete, list, or view indexes.
Permissions and Roles
This section summarizes the permissions and roles Firestore in Datastore mode supports.
Permissions
The following table lists the permissions that Firestore in Datastore mode supports.
| Database permission name | Description | |
|---|---|---|
datastore.databases.export |
Export entities from a database. | |
datastore.databases.get |
Begin or rollback a transaction. Commit with empty mutations. |
|
datastore.databases.import |
Import entities into a database. | |
datastore.databases.getMetadata |
Read metadata from a database. | |
datastore.databases.list |
List databases in a project. | |
datastore.databases.create |
Create a database. | |
datastore.databases.update |
Update a database. | |
datastore.databases.delete |
Delete a database. | |
datastore.databases.createTagBinding |
Create a tag binding for a database. | |
datastore.databases.deleteTagBinding |
Delete a tag binding for a database. | |
datastore.databases.listTagBindings |
List all tag bindings for a database. | |
datastore.databases.listEffectiveTagBindings |
List effective tag bindings for a database. | |
| Entity permission name | Description | |
datastore.entities.allocateIds |
Allocate IDs for keys with an incomplete key path. | |
datastore.entities.create |
Create an entity. | |
datastore.entities.delete |
Delete an entity. | |
datastore.entities.get |
Read an entity. | |
datastore.entities.list |
List the keys of entities in a project. ( datastore.entities.get is required to access the entity data.) |
|
datastore.entities.update |
Update an entity. | |
| Index permission name | Description | |
datastore.indexes.create |
Create an index. | |
datastore.indexes.delete |
Delete an index. | |
datastore.indexes.get |
Read metadata from an index. | |
datastore.indexes.list |
List the indexes in a project. | |
datastore.indexes.update |
Update an index. | |
| Namespace permission name | Description | |
datastore.namespaces.get |
Retrieve metadata from a namespace. | |
datastore.namespaces.list |
List the namespaces in a project. | |
| Operation permission name | Description | |
datastore.operations.cancel |
Cancel a long-running operation. | |
datastore.operations.delete |
Delete a long-running operation. | |
datastore.operations.get |
Gets the latest state of a long-running operation. | |
datastore.operations.list |
List long-running operations. | |
| Project permission name | Description | |
resourcemanager.projects.get |
Browse resources in the project. | |
resourcemanager.projects.list |
List owned projects. | |
| Statistics permission name | Description | |
datastore.statistics.get |
Retrieve statistics entities. | |
datastore.statistics.list |
List the keys of statistics entities. ( datastore.statistics.get is required to access the statistics entity data.) |
|
| App Engine permission name | Description | |
appengine.applications.get |
Read-only access to all App Engine application configuration and settings. | |
| Location permission name | Description | |
datastore.locations.get |
Get details about a database location. Required to create a new database. | |
datastore.locations.list |
List available database locations. Required to create a new database. | |
| Key Visualizer permission name | Description | |
datastore.keyVisualizerScans.get |
Get details about Key Visualizer scans. | |
datastore.keyVisualizerScans.list |
List available Key Visualizer scans. | |
| Backup Schedule permission name | Description | |
datastore.backupSchedules.get |
Get details about a backup schedule. | |
datastore.backupSchedules.list |
List available backup schedules. | |
datastore.backupSchedules.create |
Create a backup schedule. | |
datastore.backupSchedules.update |
Update a backup schedule. | |
datastore.backupSchedules.delete |
Delete a backup schedule. | |
| Backup permission name | Description | |
datastore.backups.get |
Get details about a backup. | |
datastore.backups.list |
List available backups. | |
datastore.backups.delete |
Delete a backup. | |
datastore.backups.restoreDatabase |
Restore a database from a backup. |
Predefined roles
With IAM, every Datastore API method requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the basic roles, Owner, Editor, and Viewer, you can grant Firestore in Datastore mode roles to the users of your project.
The following table lists the Firestore in Datastore mode IAM roles. You can grant multiple roles to a user, group, or service account.
| Role | Permissions | Description |
|---|---|---|
roles/datastore.owner |
appengine.applications.getdatastore.*resourcemanager.projects.getresourcemanager.projects.list |
Full access to the database instance. For Datastore Admin access, grant the appengine.appAdmin role to the principal. |
roles/datastore.user |
appengine.applications.getdatastore.databases.getdatastore.databases.getMetadatadatastore.databases.listdatastore.entities.*datastore.indexes.listdatastore.namespaces.getdatastore.namespaces.listdatastore.statistics.getdatastore.statistics.listresourcemanager.projects.getresourcemanager.projects.list |
Read/write access to data in a Datastore mode database. Intended for application developers and service accounts. |
roles/datastore.viewer |
appengine.applications.getdatastore.databases.getdatastore.databases.getMetadatadatastore.databases.listdatastore.entities.getdatastore.entities.listdatastore.indexes.getdatastore.indexes.listdatastore.namespaces.getdatastore.namespaces.listdatastore.statistics.getdatastore.statistics.listresourcemanager.projects.getresourcemanager.projects.list |
Read access to all Datastore mode database resources. |
roles/datastore.importExportAdmin |
appengine.applications.getdatastore.databases.exportdatastore.databases.getMetadatadatastore.databases.importdatastore.operations.canceldatastore.operations.getdatastore.operations.listresourcemanager.projects.getresourcemanager.projects.list |
Full access to manage imports and exports. |
roles/datastore.indexAdmin |
appengine.applications.getdatastore.databases.getMetadatadatastore.indexes.*resourcemanager.projects.getresourcemanager.projects.list |
Full access to manage index definitions. |
roles/datastore.keyVisualizerViewer |
datastore.databases.getMetadatadatastore.keyVisualizerScans.getdatastore.keyVisualizerScans.listresourcemanager.projects.getresourcemanager.projects.list |
Full access to Key Visualizer scans. |
roles/datastore.backupSchedulesViewer |
datastore.backupSchedules.getdatastore.backupSchedules.list |
Read access to backup schedules in a Datastore mode database. |
roles/datastore.backupSchedulesAdmin |
datastore.backupSchedules.getdatastore.backupSchedules.listdatastore.backupSchedules.createdatastore.backupSchedules.updatedatastore.backupSchedules.deletedatastore.databases.listdatastore.databases.getMetadata |
Full access to backup schedules in a Datastore mode database. |
roles/datastore.backupsViewer |
datastore.backups.getdatastore.backups.list |
Read access to backup information in a Datastore mode location. |
roles/datastore.backupsAdmin |
datastore.backups.getdatastore.backups.listdatastore.backups.delete |
Full access to backups in a Datastore mode location. |
roles/datastore.restoreAdmin |
datastore.backups.getdatastore.backups.listdatastore.backups.restoreDatabasedatastore.databases.listdatastore.databases.createdatastore.databases.getMetadatadatastore.operations.listdatastore.operations.get |
Ability to restore a Datastore mode backup into a new database. This role also gives the ability to create new databases, not necessarily by restoring from a backup. |
Custom roles
If the predefined roles do not address your business requirements, you can define your own custom roles with permissions that you specify:
Required Permissions for API methods
The following table lists the permissions that the caller must have to call each method:
| Method | Required Permission(s) |
|---|---|
allocateIds |
datastore.entities.allocateIds |
beginTransaction |
datastore.databases.get |
commit with empty mutations |
datastore.databases.get |
commit for an insert |
datastore.entities.create |
commit for an upsert |
datastore.entities.createdatastore.entities.update |
commit for an update |
datastore.entities.update |
commit for a delete |
datastore.entities.delete |
commit for a lookup |
datastore.entities.getFor a lookup related to metadata or statistics, see Required Permissions for Metadata and Statistics. |
commit for a query |
datastore.entities.listdatastore.entities.get (if the query is not a keys-only query)For a query related to metadata or statistics, see Required Permissions for Metadata and Statistics. |
lookup |
datastore.entities.getFor a lookup related to metadata or statistics, see Required Permissions for Metadata and Statistics. |
rollback |
datastore.databases.get |
runQuery |
datastore.entities.listdatastore.entities.get (if the query is not a keys-only query)For a query related to metadata or statistics, see Required Permissions for Metadata and Statistics. |
runQuery with a kindless query |
datastore.entities.getdatastore.entities.listdatastore.statistics.getdatastore.statistics.list |
Required Permissions for Metadata and Statistics
The following table lists permissions that the caller must have to call methods on Metadata and Statistics.
| Method | Required Permission(s) |
|---|---|
lookup of entities with kind names matching __Stat_*__ |
datastore.statistics.get |
runQuery using kinds with names matching __Stat_*__ |
datastore.statistics.getdatastore.statistics.list |
runQuery using the kind __namespace__ |
datastore.namespaces.getdatastore.namespaces.list |
Required roles to create a Datastore mode database instance
To create a new Datastore mode database instance, you require either the Owner role or the Datastore Owner role.
Datastore mode databases requires an active App Engine application.
If the project doesn't have an application, Firestore in Datastore mode creates one
for you. In that case, you require the
appengine.applications.create permission from the Owner
role or from an
IAM custom role containing
the permission.
Role change latency
Firestore in Datastore mode caches IAM permissions for 5 minutes, so it will take up to 5 minutes for a role change to become effective.
Managing IAM
You can get and set IAM policies using the Google Cloud console, the IAM methods, or the Google Cloud CLI.
- For the Google Cloud console, see Access control via the Google Cloud console.
- For the IAM methods, see Access control via the API.
- For the gcloud CLI, see Access control via the gcloud tool.
Configure conditional access permissions
You can use IAM Conditions to define and enforce conditional access control.
For example, the following condition assigns a principal the datastore.user
role up until a specified date:
{
"role": "roles/datastore.user",
"members": [
"user:travis@example.com"
],
"condition": {
"title": "Expires_December_1_2023",
"description": "Expires on December 1, 2023",
"expression":
"request.time < timestamp('2023-12-01T00:00:00.000Z')"
}
}
To learn how to define IAM Conditions for temporary access, see Configure temporary access.
To learn how to configure IAM Conditions for access to one or more databases, see Configure database access conditions.
What's next
- Learn more about IAM.
- Grant IAM roles.