Solved: GCP - Firestore Collection & document create in de...

Rahul2023 · 10-03-2023 05:38 AM

Hello Techies,

I am new in GCP world. I have a quick question regarding GCP- Firestore.

I have 2 databases ("default" and "CustomDBName") in Firestore, I am using very simple python script to transfer JSON files, But unfortunately, collection and documents created in default database, not in expected database. I am sure, missing something here.

import json
import firebase_admin
from firebase_admin import credentials
from firebase_admin import firestore
cred = credentials.Certificate('GCP-Credentials_FireStoreLoader.json')

# This works but create collection within default database
firebase_admin.initialize_app(cred)

# Tried this, but same collection and documents created in default database
firebase_app = firebase_admin.initialize_app(name="edwdocuments", credential=cred, options=None)
db = firestore.client(firebase_app)

f = open(file.json)
data = json.load(f)
f.close()
db.collection("EDWDocs").add(data)

Thanks

Rahul

ms4446

The Firestore service in Google Cloud Platform (GCP) does not support multiple databases within a single project in the same way that some other databases do. Instead, each GCP project has one Firestore database.

To restrict a service account to a specific Firestore database, you would actually be restricting it to a specific GCP project. Each GCP project has one Firestore database. If you want to have multiple Firestore databases, you would typically create multiple GCP projects, each with its own Firestore database.

IAM conditions in Firestore do not currently support resource-level granularity like you've described. The condition you've mentioned (resource.name.startsWith("projects/YOUR_PROJECT_ID/databases/edwdocuments/")) is not valid for Firestore. Firestore does not currently support resource-level IAM conditions.

Here's what you can do:

Create a New GCP Project (if needed): If you want to have a separate Firestore database, you should create a new GCP project and initialize Firestore in that project.
Create a Service Account in the Desired Project: Create a service account in the project where you want to restrict access.
Assign Roles to the Service Account: Assign the necessary Firestore roles to the service account. For example, if you want the service account to have full access to Firestore, you can assign it the roles/datastore.owner role.
Use the Service Account's Credentials: When you initialize the Firestore client in your Python code, use the credentials of the service account you've created in the desired project. This will ensure that the client can only access the Firestore database in that project.

From the steps you've provided, it seems you've created a service account and granted it the datastore.owner role for the entire project. This means the service account has access to the Firestore database in that project. If you want to restrict the service account to a different Firestore database, you would need to create or choose a different GCP project and repeat the process there.

View solution in original post

ms4446

To create a collection in a custom database in Firestore using Python, you need to use the credentials associated with the project that contains the desired database. Each Firestore project has its own database, and to connect to a specific database, you need to initialize the Firestore client with the credentials for the associated project.

For example, the following code will create a collection called EDWDocs in the database associated with the project whose credentials are in 'GCP-Credentials_FireStoreLoader.json':

import json
import firebase_admin
from firebase_admin import credentials
from firebase_admin import firestore

# Initialize the Firestore client with the credentials for the desired project
cred = credentials.Certificate('GCP-Credentials_FireStoreLoader.json')
firebase_admin.initialize_app(cred)
db = firestore.client()

with open('file.json', 'r') as f:
data = json.load(f)

# Create the collection and add a document
db.collection("EDWDocs").add(data)

In your code, you are initializing the Firestore client using the credentials provided, but if those credentials are for the default database's project, then the data will be added to the default database. To fix the issue, ensure that you're using the correct credentials for the desired project (database).

Rahul2023

Hi ms4446,

Thanks for response. I can understand your answer, but unfortunately, not sure how to do the same (How to restrict a service account with a specific firestore database). FYI... I used below gcloud commands to create service account and firestore db. Please let me know, what I missed here.

Tried Service Account --> IAM Condition --> Condition Editor, but no luck

resource.name.startsWith("projects/deltalake-399011/buckets/edwdocuments/objects/")

Enable Cloud Build API: gcloud services enable firebase.googleapis.com
Create Service Account: gcloud iam service-accounts create FireStoreLoader --description="Upload file in firebase from python" --display-name="FireStoreLoader"
Grant IAM role to Service Account: gcloud projects add-iam-policy-binding dlpro --member="serviceAccount:FireStoreLoader@dlpro.iam.gserviceaccount.com" --role="roles/datastore.owner"
Create a service account key: gcloud iam service-accounts keys create "C:\01_Rahul\Credentials_FireStoreLoader.json" --iam-account=FireStoreLoader@dlpro.iam.gserviceaccount.com
Create FireStore Database: gcloud firestore databases create --database=edwdocuments --location=us-east1 --type=firestore-native

ms4446

The Firestore service in Google Cloud Platform (GCP) does not support multiple databases within a single project in the same way that some other databases do. Instead, each GCP project has one Firestore database.

To restrict a service account to a specific Firestore database, you would actually be restricting it to a specific GCP project. Each GCP project has one Firestore database. If you want to have multiple Firestore databases, you would typically create multiple GCP projects, each with its own Firestore database.

IAM conditions in Firestore do not currently support resource-level granularity like you've described. The condition you've mentioned (resource.name.startsWith("projects/YOUR_PROJECT_ID/databases/edwdocuments/")) is not valid for Firestore. Firestore does not currently support resource-level IAM conditions.

Here's what you can do:

Create a New GCP Project (if needed): If you want to have a separate Firestore database, you should create a new GCP project and initialize Firestore in that project.
Create a Service Account in the Desired Project: Create a service account in the project where you want to restrict access.
Assign Roles to the Service Account: Assign the necessary Firestore roles to the service account. For example, if you want the service account to have full access to Firestore, you can assign it the roles/datastore.owner role.
Use the Service Account's Credentials: When you initialize the Firestore client in your Python code, use the credentials of the service account you've created in the desired project. This will ensure that the client can only access the Firestore database in that project.

From the steps you've provided, it seems you've created a service account and granted it the datastore.owner role for the entire project. This means the service account has access to the Firestore database in that project. If you want to restrict the service account to a different Firestore database, you would need to create or choose a different GCP project and repeat the process there.

ALesmes

When do you think this feature will be released?

GCP - Firestore Collection & document create in default DB, not in expected DB