This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Trying to take a Firestore backup from one project and restore it into another...

Posted on 11-11-2022 08:14 AM
ipmcc
New Member
Reply posted on --/--/---- --:-- AM

Although it was no small feat, I have a Cloud Firestore database backing up using a Firebase cloud function, periodically, into a Cloud Storage Bucket. I then created another Firebase Project, activated Firestore on it, and activated Billing. I've added my account/principal to the new Firebase Project (it was already on the old Firebase Project).

Per this URL: https://cloud.google.com/datastore/docs/export-import-entities#permissions I have added "Datastore Owner" and "Datastore Import Export Admin" roles to my account on NewProject. But when I run:

`gcloud firestore import gs://bucket-in-old-project/backups/2022-11-11T14:38:34.810Z`it says: 

`ERROR: (gcloud.firestore.import) PERMISSION_DENIED: Service account does not have access to Google Cloud Storage file: /bucket-in-old-project/backups/2022-11-11T14:38:34.810Z.overall_export_metadata. See https://cloud.google.com/datastore/docs/export-import-entities#permissions for a list of permissions needed. Error details: service-573661466501@gcp-sa-firestore.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).`

OK, so I go over to OldProject and attempt to add the project default service account, `new-project@appspot.gserviceaccount.com`, to the bucket's permissions, and I get this error message: `Error: Email addresses and domains must be associated with an active Google Account, Google Workspace account, or Cloud Identity account.`

I'm literally copying this out of NewProject's GCP console, so I'm very confident that I'm getting the principal name correct. It doesn't seem to recognize it. Could this be related to public access prevention? I am using the same account, that has the same roles in both projects, and belong to the same organization, so it doesn't feel like "public access" to me, but maybe I'm wrong? I certainly don't want to open my database backups to the public.

What am I missing? How can one export a database from one project and re-import it into a database in another project? 

And just as a follow-on question: why is it SO unbelievably difficult to do backups and restores of Cloud Firestore databases? This is basic stuff that every database I've ever used in the past has had, right out of the box. The number of hoops I've had to jump through to even create the backup in the first place was truly stunning, and I've flushed an entire day fighting for the ability to restore. Not really inspiring to think about how a true DR situation would play out.

 

 

2 2 2,209
Topic Labels
2 REPLIES 2

Posted on --/--/---- --:-- AM
ipmcc
New Member
Reply posted on --/--/---- --:-- AM

I figured out a couple of problems that I was having:

  • I disabled "Prevent Public Access" on the bucket. Not sure if this was required, but...
  • "App Engine default service account": I had created a new project, but because I hadn't created an App Engine application, there was no "App Engine default service account" created, and that appears to be necessary.
  • It still didn't work after creating that and giving the default service account "Storage Admin" privileges on the bucket from the other project, but at least it was no longer saying: `Error: Email addresses and domains must be associated with an active Google Account, Google Workspace account, or Cloud Identity account.`
  • Then I tried `gcloud firestore import gs://bucket-in-old-project/backups/2022-11-11T14:38:34.810Z` as before, but now I was getting an error that said: `PERMISSION_DENIED: Service account does not have access to Google Cloud Storage file: /bucket-name/backups/2022-11-11T14:38:34.810Z/2022-11-11T14:38:34.810Z.overall_export_metadata. See https://cloud.google.com/datastore/docs/export-import-entities#permissions for a list of permissions needed. Error details: service-long-number@gcp-sa-firestore.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).`
  • Going back into Buckets and adding that address to permissions allowed the restore to work. 

I'm not sure how I would've been expected to know that `service-long-number@gcp-sa-firestore.iam.gserviceaccount.com` principal without seeing the error message, and that principal doesn't show up in either project's IAM screen, but it worked, so I guess that's progress, even though it's not understanding.

Ian

 

0 Likes

Posted on --/--/---- --:-- AM
fellipetav
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I struggled to import from one Firebase project's bucket to another. However, downloading it straight from one bucket through google CLI then uploading it onto the other bucket worked.
When you try to download some folder, it will prompt you with the command to be used in google CLI.

It'll be something like

 

$ gsutil -m cp -r \
  "gs://{bucket-name}/{folder-name}" \
  .

 

-> replace {xxxx} by your respective asset name.

Top Labels in this Space
Top Solution Authors
View all