When you use the server client libraries for Cloud Firestore, you can manage access to your resources with Identity and Access Management (IAM). IAM lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the IAM permissions and roles for Cloud Firestore. For a detailed description of Cloud IAM, read the IAM documentation.
IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (user) has what (role) permission for which
resources by setting IAM policies. IAM policies grant one or more roles to a
user, giving the user certain permissions. For example, you can grant the
datastore.indexAdmin role to a user, which allows the user to create, modify,
delete, list, or view indexes.
Permissions and roles
This section summarizes the permissions and roles that Cloud Firestore supports.
Required permissions
The following table lists the permissions that the caller must have to perform each action:
| Method | Required permissions |
|---|---|
projects.databases.documents |
|
batchGet |
datastore.entities.get |
beginTransaction |
datastore.databases.get |
commit update or transform with exists precondition set to false |
datastore.entities.create |
commit update or transform with exists precondition set to true
| datastore.entities.update |
commit update or transform with no precondition
| datastore.entities.create |
commit delete |
datastore.entities.delete |
createDocument |
datastore.entities.create |
delete |
datastore.entities.delete |
get |
datastore.entities.get |
list |
datastore.entities.getdatastore.entities.list |
listCollectionIds |
datastore.entities.list |
patch |
datastore.entities.update |
rollback |
datastore.databases.get |
runQuery |
datastore.entities.get |
write update or transform with exists precondition set to false |
datastore.entities.create |
write update or transform with exists precondition set to true |
datastore.entities.update |
write update or transform with no precondition |
datastore.entities.create |
write delete
| datastore.entities.delete |
projects.databases.indexes |
|
create |
datastore.indexes.create |
delete |
datastore.indexes.delete |
get |
datastore.indexes.get |
list |
datastore.indexes.list |
Roles
With IAM, every API method in Cloud Firestore requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the primitive roles, owner, editor, and viewer, you can grant Cloud Firestore roles to the users of your project.
The following table lists the Cloud Firestore IAM roles. You can grant multiple roles to a user, group, or service account.
| Role | Permissions | Description |
|---|---|---|
roles/datastore.owner |
appengine.applications.getdatastore.*resourcemanager.projects.getresourcemanager.projects.list |
Full access to Cloud Firestore. |
roles/datastore.user |
appengine.applications.getdatastore.databases.getdatastore.entities.*datastore.indexes.listdatastore.namespaces.getdatastore.namespaces.listresourcemanager.projects.getresourcemanager.projects.list |
Read/write access to data in a Cloud Firestore database. Intended for application developers and service accounts. |
roles/datastore.viewer |
appengine.applications.getdatastore.databases.getdatastore.entities.getdatastore.entities.listdatastore.indexes.getdatastore.indexes.listdatastore.namespaces.getdatastore.namespaces.listdatastore.statistics.getdatastore.statistics.listresourcemanager.projects.getresourcemanager.projects.list |
Read access to all Cloud Firestore resources. |
roles/datastore.indexAdmin |
appengine.applications.getdatastore.indexes.*resourcemanager.projects.getresourcemanager.projects.list |
Full access to manage index definitions. |
Permissions
The following table lists the permissions that Cloud Firestore supports.
| Database permission name | Description | |
|---|---|---|
datastore.databases.get |
Begin or roll back a transaction. Read metadata from a database. |
|
| Entity permission name | Description | |
datastore.entities.create |
Create a document. | |
datastore.entities.delete |
Delete a document. | |
datastore.entities.get |
Read a document. | |
datastore.entities.list |
List the names of documents in a project. ( datastore.entities.get is required to access the document data.) |
|
datastore.entities.update |
Update a document. | |
| Index permission name | Description | |
datastore.indexes.create |
Create an index. | |
datastore.indexes.delete |
Delete an index. | |
datastore.indexes.get |
Read metadata from an index. | |
datastore.indexes.list |
List the indexes in a project. | |
datastore.indexes.update |
Update an index. | |
| Project permission name | Description | |
resourcemanager.projects.get |
Browse resources in the project. | |
resourcemanager.projects.list |
List owned projects. |
Role change latency
Cloud Firestore caches IAM permissions for 5 minutes, so it takes up to 5 minutes for a role change to become effective.
Managing Cloud Firestore IAM
You can get and set IAM policies using the Google Cloud Console, the IAM API, or the
gcloud command-line tool. See Granting, Changing, and Revoking Access to
Project Members for details.
What's next
- Learn more about IAM.
- Grant IAM roles.