Security for Server Client Libraries

When you use the server client libraries for Cloud Firestore, you can manage access to your resources with Identity and Access Management (IAM). IAM lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the IAM permissions and roles for Cloud Firestore. For a detailed description of Cloud IAM, read the IAM documentation.

IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (user) has what (role) permission for which resources by setting IAM policies. IAM policies grant one or more roles to a user, giving the user certain permissions. For example, you can grant the datastore.indexAdmin role to a user, which allows the user to create, modify, delete, list, or view indexes.

Permissions and roles

This section summarizes the permissions and roles that Cloud Firestore supports.

Required permissions

The following table lists the permissions that the caller must have to perform each action:

Method                                                           Required permissions

projects.databases.documents
  batchGet                                                       datastore.entities.get
  beginTransaction                                               datastore.databases.get
  commit: update or transform, exists precondition set to false  datastore.entities.create
  commit: update or transform, exists precondition set to true   datastore.entities.update
  commit: update or transform with no precondition               datastore.entities.create
                                                                 datastore.entities.update
  commit: delete                                                 datastore.entities.delete
  createDocument                                                 datastore.entities.create
  delete                                                         datastore.entities.delete
  get                                                            datastore.entities.get
  list                                                           datastore.entities.get
                                                                 datastore.entities.list
  listCollectionIds                                              datastore.entities.list
  patch                                                          datastore.entities.update
  rollback                                                       datastore.databases.get
  runQuery                                                       datastore.entities.get
                                                                 datastore.entities.list
  write: update or transform, exists precondition set to false   datastore.entities.create
  write: update or transform, exists precondition set to true    datastore.entities.update
  write: update or transform with no precondition                datastore.entities.create
                                                                 datastore.entities.update
  write: delete                                                  datastore.entities.delete

projects.databases.indexes
  create                                                         datastore.indexes.create
  delete                                                         datastore.indexes.delete
  get                                                            datastore.indexes.get
  list                                                           datastore.indexes.list

Roles

With IAM, every API method in Cloud Firestore requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the primitive roles (owner, editor, and viewer), you can grant the Cloud Firestore-specific roles listed below to the users of your project.

The following table lists the Cloud Firestore IAM roles. You can grant multiple roles to a user, group, or service account.

Role                          Permissions                       Description

roles/datastore.owner         appengine.applications.get        Full access to Cloud Firestore.
                              datastore.*
                              resourcemanager.projects.get
                              resourcemanager.projects.list

roles/datastore.user          appengine.applications.get        Read/write access to data in a Cloud Firestore
                              datastore.databases.get           database. Intended for application developers
                              datastore.entities.*              and service accounts.
                              datastore.indexes.list
                              datastore.namespaces.get
                              datastore.namespaces.list
                              resourcemanager.projects.get
                              resourcemanager.projects.list

roles/datastore.viewer        appengine.applications.get        Read access to all Cloud Firestore resources.
                              datastore.databases.get
                              datastore.databases.list
                              datastore.entities.get
                              datastore.entities.list
                              datastore.indexes.get
                              datastore.indexes.list
                              datastore.namespaces.get
                              datastore.namespaces.list
                              datastore.statistics.get
                              datastore.statistics.list
                              resourcemanager.projects.get
                              resourcemanager.projects.list

roles/datastore.indexAdmin    appengine.applications.get        Full access to manage index definitions.
                              datastore.indexes.*
                              resourcemanager.projects.get
                              resourcemanager.projects.list

Permissions

The following table lists the permissions that Cloud Firestore supports.

Database permission name            Description
datastore.databases.create          Create a database.
datastore.databases.delete          Delete a database.
datastore.databases.get             Begin or roll back a transaction; read metadata from a database.
datastore.databases.getIamPolicy    Read the IAM policy for a database.
datastore.databases.list            List the databases in a project.
datastore.databases.setIamPolicy    Update the IAM policy for a database.
datastore.databases.update          Update a database.

Entity permission name              Description
datastore.entities.create           Create a document.
datastore.entities.delete           Delete a document.
datastore.entities.get              Read a document.
datastore.entities.list             List the names of documents in a project (datastore.entities.get is required to access the document data).
datastore.entities.update           Update a document.

Index permission name               Description
datastore.indexes.create            Create an index.
datastore.indexes.delete            Delete an index.
datastore.indexes.get               Read metadata from an index.
datastore.indexes.list              List the indexes in a project.
datastore.indexes.update            Update an index.

Project permission name             Description
resourcemanager.projects.get        Browse resources in the project.
resourcemanager.projects.list       List owned projects.

Role change latency

Cloud Firestore caches IAM permissions for 5 minutes, so it takes up to 5 minutes for a role change to become effective.

Managing Cloud Firestore IAM

You can get and set IAM policies using the Google API Console, the IAM API, or the gcloud command-line tool. See Granting, Changing, and Revoking Access to Project Members for details.
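The following Python script is an added example and is not part of the Cloud Firestore documentation or of any Google client library. It transcribes the three tables above (required permissions per method, permissions per role, and the permission catalogue) into dictionaries, computes the permissions a given workload needs, including the commit/write rows that depend on the exists precondition, and then searches the predefined roles for the combination that covers those permissions while granting the fewest mutating permissions. The short method names ("documents.get", "indexes.create"), the project id and service account in the usage section, and the ranking heuristic (fewest create/delete/update/setIamPolicy permissions, then fewest permissions overall, then fewest roles) are this example's own assumptions; the gcloud command it builds is the standard projects add-iam-policy-binding invocation described in the IAM documentation.

```python
from fnmatch import fnmatchcase
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Required permissions per method ("Required permissions" table). Short names
# are this example's own; commit/write rows are handled by write_permissions().
METHOD_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "documents.batchGet": frozenset({"datastore.entities.get"}),
    "documents.beginTransaction": frozenset({"datastore.databases.get"}),
    "documents.createDocument": frozenset({"datastore.entities.create"}),
    "documents.delete": frozenset({"datastore.entities.delete"}),
    "documents.get": frozenset({"datastore.entities.get"}),
    "documents.list": frozenset({"datastore.entities.get", "datastore.entities.list"}),
    "documents.listCollectionIds": frozenset({"datastore.entities.list"}),
    "documents.patch": frozenset({"datastore.entities.update"}),
    "documents.rollback": frozenset({"datastore.databases.get"}),
    "documents.runQuery": frozenset({"datastore.entities.get", "datastore.entities.list"}),
    "indexes.create": frozenset({"datastore.indexes.create"}),
    "indexes.delete": frozenset({"datastore.indexes.delete"}),
    "indexes.get": frozenset({"datastore.indexes.get"}),
    "indexes.list": frozenset({"datastore.indexes.list"}),
}

COMMON = {"appengine.applications.get", "resourcemanager.projects.get", "resourcemanager.projects.list"}

# Role -> permission patterns ("Roles" table); "*" is the table's own wildcard.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "roles/datastore.owner": frozenset(COMMON | {"datastore.*"}),
    "roles/datastore.user": frozenset(COMMON | {
        "datastore.databases.get", "datastore.entities.*", "datastore.indexes.list",
        "datastore.namespaces.get", "datastore.namespaces.list"}),
    "roles/datastore.viewer": frozenset(COMMON | {
        "datastore.databases.get", "datastore.databases.list", "datastore.entities.get",
        "datastore.entities.list", "datastore.indexes.get", "datastore.indexes.list",
        "datastore.namespaces.get", "datastore.namespaces.list",
        "datastore.statistics.get", "datastore.statistics.list"}),
    "roles/datastore.indexAdmin": frozenset(COMMON | {"datastore.indexes.*"}),
}

# Every concrete permission named on this page; used to expand the wildcards
# when measuring how much a role actually grants.
ALL_PERMISSIONS: FrozenSet[str] = frozenset(
    COMMON
    | {f"datastore.databases.{p}" for p in ("create", "delete", "get", "getIamPolicy", "list", "setIamPolicy", "update")}
    | {f"datastore.entities.{p}" for p in ("create", "delete", "get", "list", "update")}
    | {f"datastore.indexes.{p}" for p in ("create", "delete", "get", "list", "update")}
    | {"datastore.namespaces.get", "datastore.namespaces.list",
       "datastore.statistics.get", "datastore.statistics.list"}
)


def write_permissions(kind: str, exists: Optional[bool] = None) -> FrozenSet[str]:
    """Permissions for one write inside a commit or write request.

    kind is "update", "transform" or "delete"; exists is the write's exists
    precondition, or None when no precondition is set (an upsert).
    """
    if kind == "delete":
        return frozenset({"datastore.entities.delete"})
    if kind not in ("update", "transform"):
        raise ValueError(f"unknown write kind: {kind}")
    if exists is False:  # the write may only create the document
        return frozenset({"datastore.entities.create"})
    if exists is True:  # the write may only update an existing document
        return frozenset({"datastore.entities.update"})
    return frozenset({"datastore.entities.create", "datastore.entities.update"})


def role_grants(role: str, permission: str) -> bool:
    """True when the role's permission list, wildcards included, covers permission."""
    return any(fnmatchcase(permission, pattern) for pattern in ROLE_PERMISSIONS[role])


def granted_permissions(roles: Iterable[str]) -> FrozenSet[str]:
    """Concrete permissions (drawn from ALL_PERMISSIONS) granted by a set of roles."""
    roles = list(roles)
    return frozenset(p for p in ALL_PERMISSIONS if any(role_grants(r, p) for r in roles))


def required_permissions(methods: Iterable[str],
                         writes: Iterable[Tuple[str, Optional[bool]]] = ()) -> FrozenSet[str]:
    """Union of the permissions needed for the given methods and commit/write writes."""
    needed = set()
    for method in methods:
        needed |= METHOD_PERMISSIONS[method]
    for kind, exists in writes:
        needed |= write_permissions(kind, exists)
    return frozenset(needed)


def _mutating(perms: FrozenSet[str]) -> int:
    # Heuristic used for ranking (this example's assumption): count permissions
    # that change data, indexes or policy rather than read them.
    return sum(p.rsplit(".", 1)[-1] in ("create", "delete", "update", "setIamPolicy") for p in perms)


def least_privileged_roles(required: FrozenSet[str]) -> List[str]:
    """Role combination covering `required` that grants the fewest mutating
    permissions, then the fewest permissions overall, then the fewest roles.
    Returns [] when no combination of the predefined roles covers it."""
    best: Optional[Tuple[Tuple[int, int, int], List[str]]] = None
    for size in range(1, len(ROLE_PERMISSIONS) + 1):
        for combo in combinations(ROLE_PERMISSIONS, size):
            granted = granted_permissions(combo)
            if required <= granted:
                score = (_mutating(granted), len(granted), size)
                if best is None or score < best[0]:
                    best = (score, list(combo))
    return best[1] if best else []


def binding_command(project_id: str, member: str, role: str) -> List[str]:
    """gcloud argv that grants `role` to `member` on the project; `member` uses
    the IAM form, e.g. "serviceAccount:NAME@PROJECT.iam.gserviceaccount.com"."""
    return ["gcloud", "projects", "add-iam-policy-binding", project_id,
            f"--member={member}", f"--role={role}"]


if __name__ == "__main__":
    # Constructed workload: reads and queries documents, upserts them with no
    # precondition, and manages indexes. Project id and member are placeholders.
    need = required_permissions(["documents.get", "documents.runQuery", "indexes.create"],
                                writes=[("update", None)])
    roles = least_privileged_roles(need)
    print(sorted(need), "->", roles)
    for role in roles:
        print(" ".join(binding_command("PROJECT_ID",
                                       "serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com", role)))
```

For the constructed workload the search returns roles/datastore.user plus roles/datastore.indexAdmin rather than roles/datastore.owner, which illustrates why the page notes that multiple roles can be granted to one principal: two narrow roles cover the workload without granting database creation, deletion or IAM policy changes. A purely read-only workload resolves to roles/datastore.viewer.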
