Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Firestore in Datastore mode IAM roles. For a detailed description of IAM, read the IAM documentation .
IAM lets you adopt the security principle of least privilege , so you grant only the necessary access to your resources.
IAM lets you control who (users) has what (roles) permission to which resources by setting IAM policies. An IAM policy grants specific roles to a user, and each role carries a set of permissions. For example, if you grant the datastore.indexAdmin role to a user, that user can create, modify, delete, list, or view indexes.
Permissions and Roles
This section summarizes the permissions and roles Firestore in Datastore mode supports.
Permissions
The following table lists the permissions that Firestore in Datastore mode supports.
Permission | Notes |
---|---|
datastore.databases.export | |
datastore.databases.bulkDelete | |
datastore.databases.get | Commit with empty mutations. |
datastore.databases.import | |
datastore.databases.getMetadata | |
datastore.databases.list | |
datastore.databases.create | |
datastore.databases.update | |
datastore.databases.delete | |
datastore.databases.clone | If your clone request contains a tags value, datastore.databases.createTagBinding is also required. To verify that the tag bindings were set by listing them, datastore.databases.listTagBindings and datastore.databases.listEffectiveTags are also required. |
datastore.databases.createTagBinding | |
datastore.databases.deleteTagBinding | |
datastore.databases.listTagBindings | |
datastore.databases.listEffectiveTagBindings | |
datastore.entities.allocateIds | |
datastore.entities.create | |
datastore.entities.delete | |
datastore.entities.get | |
datastore.entities.list | datastore.entities.get is also required to access the entity data. |
datastore.entities.update | |
datastore.indexes.create | |
datastore.indexes.delete | |
datastore.indexes.get | |
datastore.indexes.list | |
datastore.indexes.update | |
datastore.namespaces.get | |
datastore.namespaces.list | |
datastore.operations.cancel | |
datastore.operations.delete | |
datastore.operations.get | |
datastore.operations.list | |
resourcemanager.projects.get | |
resourcemanager.projects.list | |
datastore.statistics.get | |
datastore.statistics.list | datastore.statistics.get is also required to access the statistics entity data. |
appengine.applications.get | |
datastore.locations.get | |
datastore.locations.list | |
datastore.keyVisualizerScans.get | |
datastore.keyVisualizerScans.list | |
datastore.backupSchedules.get | |
datastore.backupSchedules.list | |
datastore.backupSchedules.create | |
datastore.backupSchedules.update | |
datastore.backupSchedules.delete | |
datastore.backups.get | |
datastore.backups.list | |
datastore.backups.delete | |
datastore.backups.restoreDatabase | |
datastore.insights.get | |
Predefined roles
With IAM, every Datastore API method requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the basic roles (Owner, Editor, and Viewer), you can grant Firestore in Datastore mode roles to the principals in your project.
The following table lists the Firestore in Datastore mode IAM roles. You can grant multiple roles to a user, group, or service account.
Role | Permissions | Description |
---|---|---|
roles/datastore.owner | appengine.applications.get, datastore.*, resourcemanager.projects.get, resourcemanager.projects.list | Full access to the database instance. For Datastore Admin access, grant the appengine.appAdmin role to the principal. |
roles/datastore.user | appengine.applications.get, datastore.databases.get, datastore.databases.getMetadata, datastore.databases.list, datastore.entities.*, datastore.indexes.list, datastore.namespaces.get, datastore.namespaces.list, datastore.statistics.get, datastore.statistics.list, resourcemanager.projects.get, resourcemanager.projects.list | Read/write access to data in a Datastore mode database. Intended for application developers and service accounts. |
roles/datastore.viewer | appengine.applications.get, datastore.databases.get, datastore.databases.getMetadata, datastore.databases.list, datastore.entities.get, datastore.entities.list, datastore.indexes.get, datastore.indexes.list, datastore.namespaces.get, datastore.namespaces.list, datastore.statistics.get, datastore.statistics.list, resourcemanager.projects.get, resourcemanager.projects.list, datastore.insights.get | Read access to all Datastore mode database resources. |
roles/datastore.importExportAdmin | appengine.applications.get, datastore.databases.export, datastore.databases.getMetadata, datastore.databases.import, datastore.operations.cancel, datastore.operations.get, datastore.operations.list, resourcemanager.projects.get, resourcemanager.projects.list | Full access to manage imports and exports. |
roles/datastore.bulkAdmin | resourcemanager.projects.get, resourcemanager.projects.list, datastore.databases.getMetadata, datastore.databases.bulkDelete, datastore.operations.cancel, datastore.operations.get, datastore.operations.list | Full access to manage bulk operations. |
roles/datastore.indexAdmin | appengine.applications.get, datastore.databases.getMetadata, datastore.indexes.*, datastore.operations.get, datastore.operations.list, resourcemanager.projects.get, resourcemanager.projects.list | Full access to manage index definitions. |
roles/datastore.keyVisualizerViewer | datastore.databases.getMetadata, datastore.keyVisualizerScans.get, datastore.keyVisualizerScans.list, resourcemanager.projects.get, resourcemanager.projects.list | Full access to Key Visualizer scans. |
roles/datastore.backupSchedulesViewer | datastore.backupSchedules.get, datastore.backupSchedules.list | Read access to backup schedules in a Datastore mode database. |
roles/datastore.backupSchedulesAdmin | datastore.backupSchedules.get, datastore.backupSchedules.list, datastore.backupSchedules.create, datastore.backupSchedules.update, datastore.backupSchedules.delete, datastore.databases.list, datastore.databases.getMetadata | Full access to backup schedules in a Datastore mode database. |
roles/datastore.backupsViewer | datastore.backups.get, datastore.backups.list | Read access to backup information in a Datastore mode location. |
roles/datastore.backupsAdmin | datastore.backups.get, datastore.backups.list, datastore.backups.delete | Full access to backups in a Datastore mode location. |
roles/datastore.restoreAdmin | datastore.backups.get, datastore.backups.list, datastore.backups.restoreDatabase, datastore.databases.list, datastore.databases.create, datastore.databases.getMetadata, datastore.operations.list, datastore.operations.get | Ability to restore a Datastore mode backup into a new database. This role also gives the ability to create new databases, not necessarily by restoring from a backup. |
roles/datastore.cloneAdmin | datastore.databases.clone, datastore.databases.list, datastore.databases.create, datastore.databases.getMetadata, datastore.operations.list, datastore.operations.get | Ability to clone a Datastore mode database into a new database. This role also gives the ability to create new databases, not necessarily by cloning. |
roles/datastore.statisticsViewer | resourcemanager.projects.get, resourcemanager.projects.list, datastore.databases.getMetadata, datastore.insights.get, datastore.keyVisualizerScans.get, datastore.keyVisualizerScans.list, datastore.statistics.list, datastore.statistics.get | Read access to Insights, Stats, and Key Visualizer scans. |
Custom roles
If the predefined roles don't address your business requirements, you can define your own custom roles with permissions that you specify:
Required roles to create and manage tags
If a tag is included in a create or restore action, additional permissions are required. See Creating and managing tags for details on creating tag key-value pairs before associating them with database resources.
The following permissions are required.
View tags
- datastore.databases.listTagBindings
- datastore.databases.listEffectiveTags
Manage tags on resources
The following permission is required on the database resource to which you're attaching the tag value.
- datastore.databases.createTagBinding
Required Permissions for API methods
The following table lists the permissions that the caller must have to call each method:
Method | Required Permission(s) |
---|---|
allocateIds | datastore.entities.allocateIds |
beginTransaction | datastore.databases.get |
commit with empty mutations | datastore.databases.get |
commit for an insert | datastore.entities.create |
commit for an upsert | datastore.entities.create, datastore.entities.update |
commit for an update | datastore.entities.update |
commit for a delete | datastore.entities.delete |
commit for a lookup | datastore.entities.get. For a lookup related to metadata or statistics, see Required Permissions for Metadata and Statistics. |
commit for a query | datastore.entities.list, plus datastore.entities.get if the query is not a keys-only query. For a query related to metadata or statistics, see Required Permissions for Metadata and Statistics. |
lookup | datastore.entities.get. For a lookup related to metadata or statistics, see Required Permissions for Metadata and Statistics. |
rollback | datastore.databases.get |
runQuery | datastore.entities.list, plus datastore.entities.get if the query is not a keys-only query. For a query related to metadata or statistics, see Required Permissions for Metadata and Statistics. |
runQuery with a kindless query | datastore.entities.get, datastore.entities.list, datastore.statistics.get, datastore.statistics.list |
Required Permissions for Metadata and Statistics
The following table lists permissions that the caller must have to call methods on Metadata and Statistics .
Method | Required Permission(s) |
---|---|
lookup of entities with kind names matching `__Stat_*__` | datastore.statistics.get |
runQuery using kinds with names matching `__Stat_*__` | datastore.statistics.get, datastore.statistics.list |
runQuery using the kind `__namespace__` | datastore.namespaces.get, datastore.namespaces.list |
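To turn the two tables above into a least-privilege decision, here is an added example (my own code, not from the Google Cloud documentation). It transcribes a subset of the predefined role table and the method-to-permission rows, expands wildcard entries such as datastore.entities.* against the permissions named on this page, and picks the predefined role that covers a workload's API calls while granting the fewest extra permissions. The method keys such as commit:upsert and runQuery:keysOnly are this example's own labels for the table rows, and the permission list is limited to the permissions those roles and rows mention.

```python
"""Pick the least-privileged predefined Datastore mode role for a workload.

Added example, not from the Google Cloud documentation. ROLES and
METHOD_PERMISSIONS are transcribed from the tables on this page (a
subset of the roles); the helper functions are this example's own.
"""
import fnmatch

# Permissions named on this page, used to expand wildcard role entries.
ALL_PERMISSIONS = [
    "datastore.databases.get", "datastore.databases.getMetadata",
    "datastore.databases.list", "datastore.databases.export",
    "datastore.databases.import", "datastore.databases.bulkDelete",
    "datastore.entities.allocateIds", "datastore.entities.create",
    "datastore.entities.delete", "datastore.entities.get",
    "datastore.entities.list", "datastore.entities.update",
    "datastore.indexes.create", "datastore.indexes.delete",
    "datastore.indexes.get", "datastore.indexes.list",
    "datastore.indexes.update", "datastore.namespaces.get",
    "datastore.namespaces.list", "datastore.operations.cancel",
    "datastore.operations.get", "datastore.operations.list",
    "datastore.statistics.get", "datastore.statistics.list",
    "datastore.insights.get", "appengine.applications.get",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
]

# Subset of the predefined roles table above, wildcards kept as written.
ROLES = {
    "roles/datastore.owner": [
        "appengine.applications.get", "datastore.*",
        "resourcemanager.projects.get", "resourcemanager.projects.list"],
    "roles/datastore.user": [
        "appengine.applications.get", "datastore.databases.get",
        "datastore.databases.getMetadata", "datastore.databases.list",
        "datastore.entities.*", "datastore.indexes.list",
        "datastore.namespaces.get", "datastore.namespaces.list",
        "datastore.statistics.get", "datastore.statistics.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list"],
    "roles/datastore.viewer": [
        "appengine.applications.get", "datastore.databases.get",
        "datastore.databases.getMetadata", "datastore.databases.list",
        "datastore.entities.get", "datastore.entities.list",
        "datastore.indexes.get", "datastore.indexes.list",
        "datastore.namespaces.get", "datastore.namespaces.list",
        "datastore.statistics.get", "datastore.statistics.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
        "datastore.insights.get"],
    "roles/datastore.indexAdmin": [
        "appengine.applications.get", "datastore.databases.getMetadata",
        "datastore.indexes.*", "datastore.operations.get",
        "datastore.operations.list", "resourcemanager.projects.get",
        "resourcemanager.projects.list"],
}

# API method -> required permissions, from the two tables above. The
# "method:qualifier" keys are this example's labels for the table rows.
METHOD_PERMISSIONS = {
    "allocateIds": {"datastore.entities.allocateIds"},
    "beginTransaction": {"datastore.databases.get"},
    "rollback": {"datastore.databases.get"},
    "commit:insert": {"datastore.entities.create"},
    "commit:upsert": {"datastore.entities.create", "datastore.entities.update"},
    "commit:update": {"datastore.entities.update"},
    "commit:delete": {"datastore.entities.delete"},
    "lookup": {"datastore.entities.get"},
    "runQuery:keysOnly": {"datastore.entities.list"},
    "runQuery": {"datastore.entities.list", "datastore.entities.get"},
    "runQuery:kindless": {"datastore.entities.get", "datastore.entities.list",
                          "datastore.statistics.get", "datastore.statistics.list"},
    "runQuery:__Stat_*__": {"datastore.statistics.get", "datastore.statistics.list"},
    "runQuery:__namespace__": {"datastore.namespaces.get", "datastore.namespaces.list"},
}


def expand(patterns):
    """Expand wildcard entries like "datastore.entities.*" to concrete permissions."""
    granted = set()
    for pattern in patterns:
        granted.update(fnmatch.filter(ALL_PERMISSIONS, pattern))
    return granted


def needed_permissions(methods):
    """Union of the permissions the listed API calls require."""
    needed = set()
    for method in methods:
        needed |= METHOD_PERMISSIONS[method]
    return needed


def least_privileged_role(methods):
    """Return (role, surplus) for the covering role with the fewest extra
    permissions, or (None, None) if no role in ROLES covers the workload."""
    needed = needed_permissions(methods)
    best = None
    for role, patterns in ROLES.items():
        granted = expand(patterns)
        if needed <= granted:
            surplus = sorted(granted - needed)
            if best is None or len(surplus) < len(best[1]):
                best = (role, surplus)
    return best if best else (None, None)


if __name__ == "__main__":
    # A typical application: upserts, non-keys-only queries, id allocation.
    role, surplus = least_privileged_role(["commit:upsert", "runQuery", "allocateIds"])
    print(role, "grants", len(surplus), "permissions the workload never uses")
```

The surplus list is the interesting output: it tells you how many unused permissions a predefined role drags in, which is the argument for a custom role when that list is long. Note that the role table entries containing datastore.* are only as complete as ALL_PERMISSIONS, so extend that list if you add roles such as backupsAdmin.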
Required roles to create a Datastore mode database instance
To create a new Datastore mode database instance, you need either the Owner role or the Datastore Owner role.
Datastore mode databases require an active App Engine application. If the project doesn't have an application, Firestore in Datastore mode creates one for you. In that case, you need the appengine.applications.create permission, which comes from the Owner role or from an IAM custom role that contains the permission.
Role change latency
Firestore in Datastore mode caches IAM permissions for 5 minutes, so it will take up to 5 minutes for a role change to become effective.
Managing IAM
You can get and set IAM policies using the Google Cloud console, the IAM methods, or the Google Cloud CLI.
- For the Google Cloud console, see Access control using the Google Cloud console .
- For the IAM methods, see Access control using the API .
- For the gcloud CLI, see Access control using the gcloud tool .
Configure conditional access permissions
You can use IAM Conditions to define and enforce conditional access control.
For example, the following binding grants a principal the roles/datastore.user role until a specified date:

```json
{
  "role": "roles/datastore.user",
  "members": [
    "user:travis@example.com"
  ],
  "condition": {
    "title": "Expires_December_1_2023",
    "description": "Expires on December 1, 2023",
    "expression": "request.time < timestamp('2023-12-01T00:00:00.000Z')"
  }
}
```
To learn how to define IAM Conditions for temporary access, see Configure temporary access .
To learn how to configure IAM Conditions for access to one or more databases, see Configure database access conditions .
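The binding shown above is one element of a policy's bindings list. The following added example (my own code, not from the Google Cloud documentation) builds such a time-bound binding programmatically, sets the policy version to 3, which IAM requires before conditional bindings are honoured, and flags bindings whose expiry has already passed so they can be cleaned up. It works on a policy dict of the shape returned by getIamPolicy and sends nothing to the API; the sample policy, the member travis@example.com, and the expiry parsing (which understands only the request.time < timestamp('...') form used above) are assumptions of the example.

```python
"""Add a time-bound conditional binding to an IAM policy and audit expired ones.

Added example, not from the Google Cloud documentation. It manipulates
the JSON policy shape shown above and never calls the API: the caller
reads the policy with getIamPolicy at requestedPolicyVersion 3 (a lower
version hides existing conditions) and writes the result back with
setIamPolicy. SAMPLE_POLICY is a constructed input.
"""
import copy
import re
from datetime import datetime, timezone

# Only the expiry form used on this page is recognised (assumption).
_EXPIRY = re.compile(r"^request\.time\s*<\s*timestamp\('([^']+)'\)$")

# Constructed sample: a version 1 policy with one unconditional binding.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX0example=",
    "bindings": [
        {"role": "roles/datastore.viewer",
         "members": ["group:datastore-readers@example.com"]},
    ],
}


def add_temporary_binding(policy, role, member, expires, title):
    """Return a copy of `policy` with a conditional binding for `member`.

    Conditions are only honoured at policy version 3, so the version is
    raised; an expiry in the past is rejected because the binding would
    never grant anything and would only clutter the policy.
    """
    if not isinstance(expires, datetime) or expires.tzinfo is None:
        raise ValueError("expires must be a timezone-aware datetime")
    expires_utc = expires.astimezone(timezone.utc)
    if expires_utc <= datetime.now(timezone.utc):
        raise ValueError("expiry is already in the past")
    stamp = expires_utc.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    new_policy = copy.deepcopy(policy)       # never mutate the caller's copy
    new_policy["version"] = 3
    new_policy.setdefault("bindings", []).append({
        "role": role,
        "members": [member],
        "condition": {
            "title": title,
            "description": f"Expires on {stamp}",
            "expression": f"request.time < timestamp('{stamp}')",
        },
    })
    return new_policy


def expires_at(binding):
    """Expiry instant of a binding using the request.time < timestamp(...)
    form, or None for unconditional bindings and other expressions."""
    condition = binding.get("condition")
    if not condition:
        return None
    match = _EXPIRY.match(condition.get("expression", ""))
    if not match:
        return None
    return datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))


def expired_bindings(policy, now):
    """Bindings whose expiry has passed: they grant nothing but still
    appear in the policy and in access reviews."""
    stale = []
    for binding in policy.get("bindings", []):
        expiry = expires_at(binding)
        if expiry is not None and expiry <= now:
            stale.append(binding)
    return stale


if __name__ == "__main__":
    updated = add_temporary_binding(
        SAMPLE_POLICY, "roles/datastore.user", "user:travis@example.com",
        datetime(2099, 12, 1, tzinfo=timezone.utc), "Expires_December_1_2099")
    print(updated["version"], updated["bindings"][-1]["condition"]["expression"])
    print(expired_bindings(updated, datetime.now(timezone.utc)))
```

Keep the etag from the policy you read and send it back unchanged with setIamPolicy, so a concurrent edit is rejected rather than silently overwritten; the function above preserves it because it copies the whole policy. Remember also the role change latency noted above: a binding that expires at 00:00 may keep working for up to five minutes afterwards.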
What's next
- Learn more about IAM .
- Grant IAM roles .