Connection requirements
The following are required for Cloud Firestore with MongoDB compatibility clients:
- Drivers must connect in
load balancedmode. This prevents the drivers from trying to understand the exact server topology they are connecting to. - Drivers must connect with SSL enabled.
- Drivers must disable retryable writes. Cloud Firestore with MongoDB compatibility doesn't support retryable writes. You don't need to disable retryable reads as they are supported.
Retrieve the connection string
The database connection string depends on the UID of the database, the location of database, and the authentication mechanism. The following instructions describe how the connection string is formed.
The exact connection string depends on the authentication mechanism, but the base connection string uses the following format:
mongodb : // UID . LOCATION . firestore . goog : 443 / DATABASE_ID ? loadBalanced = true & tls = true & retryWrites = false
You can obtain the base connection string in one of the following ways:
Firebase console
-
In the Firebase console, go to the Firestore Database page.
- Click the database that you want to authenticate.
- In the Explorer panel, click View more .
- Select Connect using MongoDB tools .
- Copy the connection string.
gcloud
Use gcloud firestore database describe
to retrieve the UID and location
information:
gcloud firestore databases describe \ --database= DATABASE_ID \ --format='yaml(locationId, uid)'
Replace DATABASE_ID with the database ID.
The output includes the location and UID of the database. Use this information to construct the base connection string.
Use the base connection string and one of the following methods to authenticate and connect to your database:
- Username and password (SCRAM)
- Compute Engine service account
- Cloud Run service account
- Google Auth Library
Connect with Username and password (SCRAM)
Follow these steps to create a user credential for your database and connect to your database.
Before you begin
To get the permissions that you need to create a user, ask your administrator to grant you the userCredsAdmin (roles/datastore.userCredsAdmin
) IAM role on your
database. For more information about granting roles, see Manage access to projects, folders, and organizations
. You might also be able to get the required permissions through custom roles or other predefined roles .
Create a user and connect to a database
To create a user for your Cloud Firestore with MongoDB compatibility database, use one of the following method:
Google Cloud console
-
In the Google Cloud console, go to the Databases page.
- Select a database from the list of databases.
- In the navigation menu, click Auth .
- Click Add User .
- Enter a Username .
- Select a role for the new user.
- Click Add
.
The new user's password will be displayed in the confirmation dialog.
gcloud CLI
- To authenticate with SCRAM,
you must first create a user credential. Use the
gcloud firestore user-credscommand:gcloud firestore user-creds create USERNAME --database= DATABASE_ID
- USERNAME : the username to create.
- DATABASE_ID : the database ID.
The output of this command includes the user's password.
The output resembles the following:
name : projects / PROJECT_NAME /databases/ DATABASE_ID /userCreds/ USERNAME resourceIdentity : principal : principal :// firestore . googleapis . com /projects/ PROJECT_NUMBER /name/databases/ DATABASE_ID /userCreds/ USERNAME securePassword : PASSWORD
-
By default, this new user credential does not have any permissions. For read and write access to the database, add the
roles/datastore.userrole for this specific database:gcloud projects add-iam-policy-binding PROJECT_NAME \ --member='principal://firestore.googleapis.com/projects/ PROJECT_NUMBER /name/databases/ DATABASE_ID /userCreds/ USERNAME ' \ --role=roles/datastore.user \ --condition='expression=resource.name == "projects/ PROJECT_NAME /databases/ DATABASE_ID ",title=" CONDITION_TITLE "'
- PROJECT_NAME : the name of your project.
- PROJECT_NUMBER : the project number .
- DATABASE_ID : the database ID.
- USERNAME : the username you previously created.
- CONDITION_TITLE : a title for this condition. This condition restricts access to only this database .
Java
This section provides a code example for creating user credentials and configuring the IAM policy using Java administrative client libraries. The sample uses the Firestore Admin Client library for creating a username and password, and the Google Cloud Resource Manager library for configuring IAM.
For Maven builds, you can use the following coordinates:
com . google . cloud : google - cloud - firestore - admin : 3.33.1 com . google . cloud : google - cloud - resourcemanager : 1.76.0
Provision user credentials and an IAM policy:
import com.google.cloud.firestore.v1.FirestoreAdminClient ; import com.google.cloud.resourcemanager.v3.ProjectName ; import com.google.cloud.resourcemanager.v3.ProjectsClient ; import com.google.firestore.admin.v1.CreateUserCredsRequest ; import com.google.firestore.admin.v1.GetUserCredsRequest ; import com.google.firestore.admin.v1.UserCreds ; import com.google.iam.v1.Binding ; import com.google.iam.v1.GetIamPolicyRequest ; import com.google.iam.v1.GetPolicyOptions ; import com.google.iam.v1.Policy ; import com.google.iam.v1.SetIamPolicyRequest ; import com.google.protobuf.FieldMask ; import com.google.type.Expr ; public class FirestoreUserCredsExample { /** * Provision user credentials and configure an IAM policy to allow SCRAM authentication into the * specified Firestore with Mongo Compatibility database. */ private static void provisionFirestoreUserCredsAndIAM ( String projectId , String databaseId , String userName ) throws Exception { UserCreds userCreds = createUserCreds ( projectId , databaseId , userName ); // Note the password returned in the UserCreds proto - it cannot be retrieved again // after the initial call to the createUserCreds API. System . out . printf ( "Created credentials for username: %s:\nIAM principal: %s\nPassword: [%s]\n" , userName , userCreds . getResourceIdentity (). getPrincipal (), userCreds . getSecurePassword ()); // Provision an IAM binding for the principal associated with these user credentials. updateIamPolicyForUserCreds ( projectId , databaseId , userName , userCreds ); // Emit the password again. System . out . printf ( "Successfully configured IAM policy for database: %s, username: %s\n" , databaseId , userName ); System . out . printf ( "Please make a note of the password: [%s]\n" , userCreds . getSecurePassword ()); } /** Provision new user credentials using the FirestoreAdminClient. */ private static UserCreds createUserCreds ( String projectId , String databaseId , String userName ) throws Exception { FirestoreAdminClient firestoreAdminClient = FirestoreAdminClient . create (); return firestoreAdminClient . createUserCreds ( CreateUserCredsRequest . newBuilder () . setParent ( String . format ( "projects/%s/databases/%s" , projectId , databaseId )) . setUserCredsId ( userName ) . build ()); } /** Update the IAM policy using the Resource Manager ProjectsClient. */ private static void updateIamPolicyForUserCreds ( String projectId , String databaseId , String userName , UserCreds userCreds ) throws Exception { try ( ProjectsClient projectsClient = ProjectsClient . create ()) { ProjectName projectName = ProjectName . of ( projectId ); // Get the current IAM policy. Policy currentPolicy = projectsClient . getIamPolicy ( GetIamPolicyRequest . newBuilder () . setResource ( projectName . toString ()) . setOptions ( GetPolicyOptions . newBuilder (). setRequestedPolicyVersion ( 3 ). build ()) . build ()); String role = "roles/datastore.user" ; String title = String . format ( "Conditional IAM binding for %s" , userName ); String expression = String . format ( "resource.name == \"projects/%s/databases/%s\"" , projectId , databaseId ); // Construct an updated IAM policy with an additional binding for the user credentials. Policy . Builder policyBuilder = currentPolicy . toBuilder (); Binding newBinding = Binding . newBuilder () . setRole ( role ) . setCondition ( Expr . newBuilder (). setTitle ( title ). setExpression ( expression ). build ()) . addMembers ( userCreds . getResourceIdentity (). getPrincipal ()) . build (); policyBuilder . addBindings ( newBinding ); // Update the policy SetIamPolicyRequest request = SetIamPolicyRequest . newBuilder () . setResource ( projectName . toString ()) . setPolicy ( policyBuilder . build ()) . setUpdateMask ( FieldMask . newBuilder (). addPaths ( "bindings" ). addPaths ( "etag" ). build ()) . build (); System . out . println ( request ); Policy updatedPolicy = projectsClient . setIamPolicy ( request ); System . out . println ( "Policy updated successfully: " + updatedPolicy ); } } }
Python
This section provides a code example for creating user credentials and configuring the IAM policy using Python administrative client libraries. The sample uses the Google Cloud Firestore API client library library for creating a username and password, and the Google Cloud Iam API client library and the Google Cloud Resource Manager API client library for configuring IAM.
The required Python libraries can be installed with the pip tool:
pip install google - cloud - iam pip install google - cloud - firestore pip install google - cloud - resource - manager
Provision user credentials and an IAM policy:
from google.cloud import resourcemanager_v3 from google.cloud.firestore_admin_v1 import FirestoreAdminClient from google.cloud.firestore_admin_v1 import types from google.iam.v1 import iam_policy_pb2 from google.iam.v1 import policy_pb2 from google.type import expr_pb2 def create_user_creds ( project_id : str , database_id : str , user_name : str ): """Provision new user credentials using the FirestoreAdminClient.""" client = FirestoreAdminClient () request = types . CreateUserCredsRequest ( parent = f 'projects/ { project_id } /databases/ { database_id } ' , user_creds_id = user_name , ) response = client . create_user_creds ( request ) return response def update_iam_policy_for_user_creds ( project_id : str , database_id : str , user_name : str , user_creds ): """Update the IAM policy using the Resource Manager ProjectsClient.""" client = resourcemanager_v3 . ProjectsClient () request = iam_policy_pb2 . GetIamPolicyRequest () request . resource = f 'projects/ { project_id } ' request . options . requested_policy_version = 3 # Get the current IAM policy current_policy = client . get_iam_policy ( request ) # Construct an updated IAM policy with an additional binding # for the user credentials. updated_policy = policy_pb2 . Policy () binding = policy_pb2 . Binding () iam_condition = expr_pb2 . Expr () iam_condition . title = f 'Conditional IAM binding for { user_name } ' iam_condition . expression = ( f 'resource.name == "projects/ { project_id } /databases/ { database_id } "' ) binding . role = 'roles/datastore.user' binding . condition . CopyFrom ( iam_condition ) binding . members . append ( user_creds . resource_identity . principal ) updated_policy . bindings . append ( binding ) # Update the policy updated_policy . MergeFrom ( current_policy ) set_policy_request = iam_policy_pb2 . SetIamPolicyRequest () set_policy_request . resource = f 'projects/ { project_id } ' set_policy_request . policy . CopyFrom ( updated_policy ) final_policy = client . set_iam_policy ( set_policy_request ) print ( f 'Policy updated successfully { final_policy } ' ) def provision_firestore_user_creds_and_iam ( project_id : str , database_id : str , user_name : str ): """Provision user credentials and configure an IAM policy.""" user_creds = create_user_creds ( project_id , database_id , user_name ) # Note the password returned in the UserCreds proto - it cannot be # retrieved again after the initial call to the create_user_creds API. print ( f 'Created credentials for username: { user_name } ' ) print ( f 'IAM principal: { user_creds . resource_identity . principal } ' ) print ( f 'Password: [ { user_creds . secure_password } ]' ) # Provision an IAM binding for the principal associated with # these user credentials. update_iam_policy_for_user_creds ( project_id , database_id , user_name , user_creds ) # Emit the password again print ( f 'Successfully configured IAM policy for database: { database_id } ,' f ' username: { user_name } ' ) print ( f 'Please make a note of the password: [ { user_creds . secure_password } ]' )
Use the following connection string to connect to your database with SCRAM:
mongodb : // USERNAME : PASSWORD @ UID . LOCATION . firestore . goog : 443 / DATABASE_ID ? loadBalanced = true & authMechanism = SCRAM - SHA - 256 & tls = true & retryWrites = false
Replace the following:
- USERNAME : the username.
- PASSWORD : the password you generated for this user.
- UID : the UID of the database. For example: f116f93a-519c-208a-9a72-3ef6c9a1f081
- LOCATION : the location of the database.
- DATABASE_ID : the database ID.
Connect with the Google Auth Library
The following code sample registers an OIDC callback handler uses the Google Cloud standard OAuth library .
This library lets you use a number of different types of authentication (Application Default Credentials, Workload Identity Federation).
This requires adding the auth library as a dependency :
// Maven
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-oauth2-http</artifactId>
<version>1.19.0</version>
</dependency>
// Gradle
implementation 'com.google.auth:google-auth-library-oauth2-http:1.19.0'
The following code sample demonstrates how to connect:
val db = MongoClients . create ( clientSettings ( " DATABASE_UID " , " LOCATION " ). build () ). getDatabase ( " DATABASE_ID " ) /** * Creates a connection to a Firestore with MongoDB Compatibility database. * @param databaseUid The uid of the database to connect to as a string. For example: f116f93a-519c-208a-9a72-3ef6c9a1f081 * @param locationId The location of the database to connect to, for example: nam5, us-central1, us-east4 etc... * @param environment Determines whether to try and fetch an authentication credential from the * Compute Engine VM metadata service or whether to call gcloud. */ private static MongoClientSettings . Builder clientSettings ( String databaseUid : String String locationId : String ): MongoClientSettings . Builder { MongoCredential credential = MongoCredential . createOidcCredential ( null ) . withMechanismProperty ( MongoCredential . OIDC_CALLBACK_KEY , new MongoCredential . OidcCallback () { @Override MongoCredential . OidcCallbackResult onRequest ( MongoCredential . OidcCallbackContext context ) { // Customize this credential builder for additional credential types. GoogleCredentials credentials = GoogleCredentials . getApplicationDefault (); return new MongoCredential . OidcCallbackResult ( credentials . getAccessToken (). getTokenValue (), Duration . between ( Instant . now (), credentials . getAccessToken (). getExpirationTime (). toInstant ())); } }, ); return MongoClientSettings . builder () . hosts ( listOf ( ServerAddress ( "$databaseUid.$locationId.firestore.goog" , 443 ))) . credential ( credential ) . applyToClusterSettings ( builder -> builder . mode ( ClusterConnectionMode . LOAD_BALANCED )) ). applyToSslSettings ( ssl -> ssl . enabled ( true )). retryWrites ( false ); }
Replace the following:
- DATABASE_UID : the UID of the database. For example: f116f93a-519c-208a-9a72-3ef6c9a1f081
- LOCATION : the location of your database.
- DATABASE_ID the database ID.
Connect from a Google Cloud compute environment
This section describes connecting to Cloud Firestore with MongoDB compatibility from a Google Cloud compute environment, such as Compute Engine or a Cloud Run service or job.
Connect from a Compute Engine VM
You can authenticate and connect to your database using a Compute Engine service account. To do this, create an IAM policy for the Google Cloud project that contains your database.
Before you begin
Configure a user-managed service account for your VM:
- To configure service account during VM creation, see Create a VM that uses a user-managed service account .
- To configure service account on an existing VM, see Change the attached service account .
See the instructions in the Configure credentials sections to complete the IAM policy configuration for your Compute Engine service account.
Connect from Cloud Run
You can authenticate and connect to your database using a Cloud Run service account. To do this, create an IAM policy for the Google Cloud project that contains your database.
Before you begin
- To configure the service account for Cloud Run , see Configure service identity
- To determine the service account that is already associated with your Cloud Run service, see gcloud run services describe
See the instructions in the Configure credentials sections to complete the IAM policy configuration for your Cloud Run service account.
Configure credentials
To grant the service account the roles/datastore.user
role for read and write
to Cloud Firestore
, run the following command:
gcloud projects add-iam-policy-binding PROJECT_NAME --member="serviceAccount: SERVICE_ACCOUNT_EMAIL " --role=roles/datastore.user
Replace the following:
- PROJECT_NAME : the name of your project.
- SERVICE_ACCOUNT_EMAIL : the email address for the service account that you created.
Construct the connection string
Use the following format to construct the connection string:
mongodb : // DATABASE_UID . LOCATION . firestore . goog : 443 / DATABASE_ID ? loadBalanced = true & tls = true & retryWrites = false & authMechanism = MONGODB - OIDC & authMechanismProperties = ENVIRONMENT : gcp , TOKEN_RESOURCE : FIRESTORE
Replace the following:
- DATABASE_UID : the UID of the database. For example: f116f93a-519c-208a-9a72-3ef6c9a1f081
- LOCATION : the location of your database.
- DATABASE_ID the database ID.
For more information on retrieving the UID and location, see Retrieve the connection string .
Connect with a temporary access token
You can use a temporary Google Cloud
access token to run diagnostic tools
such as mongosh
. You can use gcloud auth print-access-token
to authenticate with a short-term access token. This token is valid for one hour.
For example, use the following command to connect to your database with mongosh
:
mongosh -- tls \ -- username access_token -- password $ ( gcloud auth print - access - token ) \ 'mongodb:// UID . LOCATION .firestore.goog:443/ DATABASE_ID ?loadBalanced=true&authMechanism=PLAIN&authSource=$external&retryWrites=false'
Replace the following:
- DATABASE_UID : the UID of the database. For example: f116f93a-519c-208a-9a72-3ef6c9a1f081
- LOCATION : the database location
- DATABASE_ID : a database ID
