10

I would like a Google Cloud project A (project-a-id) to access the Firestore data of another Google Cloud project B (project-b-id). For the same I added project A's default service account, viz. project-a-id@appspot.gserviceaccount.com, in the IAM of project B and set the role to Cloud Filestore Editor.

In the cloud function of project A, I am trying to access both project A's (its own) Firestore as well as project B's Firestore, but it keeps showing project A's default database for both apps. The code is:

```javascript
const admin = require('firebase-admin');

// Named app intended for project A (the function's own project).
var primaryAppConfig = {
  databaseURL: 'https://project-a-id.firebaseio.com'
};
var primaryApp = admin.initializeApp(primaryAppConfig, 'primary');
var primarydb = admin.firestore(primaryApp);

// Named app intended for project B.
var secondaryAppConfig = {
  databaseURL: 'https://project-b-id.firebaseio.com'
};
var secondaryApp = admin.initializeApp(secondaryAppConfig, 'secondary');
var secondarydb = admin.firestore(secondaryApp);
```

I was under the impression if the default service account of project-a is given rights in project-b it should automatically get rights. At least I found it applicable when I am accessing google cloud storage buckets in this manner.

Is something else to be done? Thanks

Doug Stevenson
RmR
  • *"but it keeps showing project A default database for both Apps"*. I don't know what this means. What specifically are you observing here? Do you have code that reproduces the behavior you don't understand? – Doug Stevenson Mar 09 '19 at 17:21
  • Try setting the `projectId` option in the app options (especially in the `secondaryAppConfig`). – Hiranya Jayathilaka Mar 09 '19 at 22:15
  • @DougStevenson: what I meant by *showing same database* is: that if I console log the primarydb and secondarydb, the resulting object shows `project-id` as the same viz. project-a-id – RmR Mar 10 '19 at 05:32
  • Thanks @HiranyaJayathilaka: when I add `projectId:project-b-id` in secondaryAppConfig I get a permission error. I must mention that if I download the private key of the default service account from the project-b settings from firebase console it works by passing it as credentials in secondaryAppConfig. But fail to understand why when I set the project-a default service account in IAM of project-b it does not work. – RmR Mar 10 '19 at 05:40
  • This is the error: `Error: 7 PERMISSION_DENIED: Missing or insufficient permissions.` – RmR Mar 10 '19 at 05:43
  • Sounds like `Cloud Firestore Editor` role is insufficient to access the required endpoints. Try giving it a broader set of privileges (I understand it's not a best practice, but at least it will help us understand the problem a little better). I'd say start with the `Editor` role on the project. – Hiranya Jayathilaka Mar 11 '19 at 18:43
  • `Cloud Filestore Editor` is different from `Cloud Firestore Editor`. In fact, there is no `Cloud Firestore Editor` as of now... which makes me wonder if Firestore isn't included in all this. FYI I also tried `Firebase Admin` and `Firebase Rules Viewer` to no avail. – galki Nov 03 '19 at 01:14
  • Firestore permissions are listed under the namespace `Cloud Datastore` rather than `Cloud Firestore`. The permission that was required here is `Cloud Datastore User`. – Asleepious Aug 08 '22 at 15:04
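
The role mix-up discussed in the comments above can be checked mechanically. This is an added example, not code from the thread: a Node.js audit of project B's IAM policy JSON for the calling service account. The function name, finding labels and sample policy are constructed for illustration, and the role IDs are the predefined roles behind the display names mentioned in the comments (`roles/file.editor` for Cloud Filestore Editor, `roles/datastore.user` for Cloud Datastore User).

```javascript
// Added example: audit project B's IAM policy for the calling service account.
// Input shape: `gcloud projects get-iam-policy project-b-id --format=json`.
// Only predefined roles are checked; custom roles are out of scope (assumption).

// Firestore data access is granted by roles in the Cloud Datastore namespace.
const FIRESTORE_ROLES = new Map([
  ['roles/datastore.viewer', { write: false, broad: false }],
  ['roles/datastore.user', { write: true, broad: false }],
  ['roles/datastore.owner', { write: true, broad: false }],
  ['roles/editor', { write: true, broad: true }],
  ['roles/owner', { write: true, broad: true }],
]);
// Cloud Filestore (managed NFS) roles: similar name, no Firestore permissions.
const FILESTORE_ROLES = new Set(['roles/file.editor', 'roles/file.viewer']);

function auditFirestoreAccess(policy, serviceAccountEmail) {
  const member = `serviceAccount:${serviceAccountEmail}`;
  const roles = (policy.bindings || [])
    .filter((b) => (b.members || []).includes(member))
    .map((b) => b.role);
  const granting = roles.filter((r) => FIRESTORE_ROLES.has(r));
  const findings = [];
  for (const r of roles.filter((x) => FILESTORE_ROLES.has(x))) {
    findings.push(`FILESTORE_ROLE: ${r} is a Cloud Filestore role and grants no Firestore access`);
  }
  for (const r of granting.filter((x) => FIRESTORE_ROLES.get(x).broad)) {
    findings.push(`OVERBROAD_ROLE: ${r} works but exceeds what Firestore access needs`);
  }
  if (granting.length === 0) {
    findings.push('NO_FIRESTORE_ROLE: expect PERMISSION_DENIED; grant roles/datastore.user');
  }
  return {
    canRead: granting.length > 0,
    canWrite: granting.some((r) => FIRESTORE_ROLES.get(r).write),
    findings,
  };
}

// Constructed sample: the state described in the question (Filestore role only).
const SA = 'project-a-id@appspot.gserviceaccount.com';
const questionPolicy = {
  bindings: [
    { role: 'roles/file.editor', members: [`serviceAccount:${SA}`] },
    { role: 'roles/owner', members: ['user:owner@example.com'] },
  ],
};
console.log(auditFirestoreAccess(questionPolicy, SA));
```

Once the binding is corrected, the client in project A still has to name project B explicitly (the `projectId` option suggested in the comments), otherwise it keeps resolving to its own project.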

2 Answers

1

I have a cloud-native Firestore as opposed to a real-time database in project-a. However, I was facing the same issue when I tried to access it from project-b.
I was able to solve it by generating a service account with access to project-a Firestore, downloading the credentials and accessing the same from project-b with the following:

```python
from google.cloud import firestore

credential_path = "pathTo/xxxxx.json"
db = firestore.Client.from_service_account_json(credential_path)
```
1737973
0

You need to create apps within the current Firebase project.

Firebase Console -> Project Setting -> General -> Add App

These apps will have access to the same Firestore but will be deployed separately under different subdomains (under firebaseapp.com).

jsbisht