Create and manage databases
This page describes how to create, update, and delete Cloud Firestore databases. You can create multiple Cloud Firestore databases per project. You can use multiple databases to set up production and testing environments, to isolate customer data, and for data regionalization.
Free tier usage
Cloud Firestore offers a free tier that lets you get started at no cost.
The free tier applies to only one Cloud Firestore database per project. The first database that is created in a project without a free tier database will get the free tier. If the database with the free tier applied is deleted, the next database created will receive the free tier.
Before you begin
You must complete the following before creating a database:
- If you haven't already, create a Firebase project: In the Firebase console, click Add project, then follow the on-screen instructions to create a Firebase project or to add Firebase services to an existing Google Cloud project.
- Assign appropriate Identity and Access Management roles as described in the next section.
Required roles
To create and manage databases, you need the Owner or Datastore Owner Identity and Access Management role. These roles grant the required permissions.
Required permissions
To manage databases, you need the following permissions:
- Create a database: datastore.databases.create
- Read database configuration: datastore.databases.getMetadata
- Configure a database: datastore.databases.update
- Delete a database: datastore.databases.delete
- Clone a database: datastore.databases.clone
Create a database
To create a Cloud Firestore database, use one of the following methods:
Firebase console
- In the Firebase console, go to the Firestore Database page.
- Click Add database.
- Select Enterprise edition. Click Next.
- Select Firestore with MongoDB compatibility.
- Enter a Database ID.
- Select a location for your database.
- Click Create.
Firebase CLI
firebase firestore:databases:create --edition EDITION DATABASE_ID \
  --location=LOCATION
gcloud CLI
Use the gcloud firestore databases create command and set --edition=enterprise.
gcloud firestore databases create \
  --database=DATABASE_ID \
  --location=LOCATION \
  --edition=enterprise \
  --enable-mongodb-compatible-data-access
Replace the following:
- DATABASE_ID: a valid database ID.
- LOCATION: the name of a Cloud Firestore multi-region or region.
To enable deletion protection, add the --delete-protection flag. You cannot delete a database with deletion protection enabled until you disable this setting. This setting is disabled by default.
gcloud firestore databases create \
  --database=DATABASE_ID \
  --location=LOCATION \
  --edition=enterprise \
  --delete-protection
To add tags to the database, use the --tags flag. For example:
--tags=123/environment=production,123/costCenter=marketing
--tags=tagKeys/333=tagValues/444
Terraform
Use the google_firestore_database resource and set database_edition to ENTERPRISE.
resource "google_firestore_database" "database" {
  name             = "DATABASE_ID"
  location_id      = "LOCATION"
  type             = "FIRESTORE_NATIVE"
  database_edition = "ENTERPRISE"

  // Optional
  delete_protection_state = "DELETE_PROTECTION_STATE"
}
Replace the following:
- DATABASE_ID: a valid database ID.
- LOCATION: the name of a Cloud Firestore multi-region or region.
- DELETE_PROTECTION_STATE: Either DELETE_PROTECTION_ENABLED or DELETE_PROTECTION_DISABLED.
To enable deletion protection, set delete_protection_state to DELETE_PROTECTION_ENABLED. You cannot delete a database with deletion protection enabled until you disable this setting. This setting is disabled by default.
Database ID
Valid database IDs include IDs that conform to the following:
- Includes only letters, numbers, and hyphen (-) characters.
- Letters must be lowercase.
- The first character must be a letter.
- The last character must be a letter or number.
- Minimum of 4 characters.
- Maximum of 63 characters.
- Must not be a UUID or resemble a UUID. For example, don't use an ID like f47ac10b-58cc-0372-8567-0e02b2c3d479.
After you delete a database, you cannot reuse its database ID until 5 minutes have passed.
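The ID rules above as a pre-flight check that a provisioning script can run before it calls gcloud firestore databases create. This is an added example, not code from the original page; the function name database_id_problems is hypothetical, and treating only the canonical 8-4-4-4-12 hex shape as "resembling a UUID" is an assumption.

```python
import re

# Shape of a canonical UUID (8-4-4-4-12 hex digits). Treating exactly this
# shape as "resembles a UUID" is an assumption of this example.
_UUID_SHAPE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def database_id_problems(database_id):
    """Return the list of ID rules that database_id breaks (empty means valid)."""
    problems = []
    if len(database_id) < 4:
        problems.append("shorter than 4 characters")
    if len(database_id) > 63:
        problems.append("longer than 63 characters")
    if re.search(r"[A-Z]", database_id):
        problems.append("letters must be lowercase")
    if re.search(r"[^A-Za-z0-9-]", database_id):
        problems.append("only letters, numbers, and hyphens are allowed")
    if not re.match(r"[A-Za-z]", database_id):
        problems.append("first character must be a letter")
    if not re.search(r"[A-Za-z0-9]\Z", database_id):
        problems.append("last character must be a letter or number")
    if _UUID_SHAPE.fullmatch(database_id.lower()):
        problems.append("must not be a UUID or resemble one")
    return problems
```

An empty list means the ID passes every rule listed above; the 5-minute reuse delay after a delete is not something a local check can see.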
Delete protection
Use delete protection to prevent accidental deletion of a database. Delete protection works in the following way:
- You cannot delete a database with delete protection enabled until you disable delete protection.
- Delete protection is disabled by default.
- You can enable delete protection when you create the database or you can update a database configuration to enable delete protection.
List databases
Use one of the following methods to list your databases:
Firebase console
- In the Firebase console, go to the Firestore Database page.
- Click Cloud Firestore to view all databases for the project.
gcloud CLI
Use the gcloud firestore databases list command to list all the databases in your project.
gcloud firestore databases list
View database details
To view details about a single database, use one of the following methods:
Firebase console
- In the Firebase console, go to the Firestore Database page.
- Select a database from the list of databases.
gcloud CLI
Use the gcloud firestore databases describe command:
gcloud firestore databases describe --database=DATABASE_ID
Replace DATABASE_ID with a database ID.
Update database configuration
To update the configuration settings of a database, use the gcloud firestore databases update command.
Use this command to change, enable, or disable delete protection.
Update the delete protection setting
To enable delete protection on a database, use the gcloud firestore databases update command with the --delete-protection flag. For example:
gcloud CLI
gcloud firestore databases update --database=DATABASE_ID --delete-protection
Replace DATABASE_ID with a database ID.
To disable delete protection on a database, use the gcloud firestore databases update command with the --no-delete-protection flag. For example:
gcloud CLI
gcloud firestore databases update --database=DATABASE_ID --no-delete-protection
Replace DATABASE_ID with a database ID.
Delete a database
To delete a database, use the console or command-line tool. Deleting a database does not incur charges for delete operations.
If the database has the delete protection setting enabled, you must first disable delete protection.
Firebase console
- In the Firebase console, go to the Firestore Database page.
- Select the database you want to delete.
- Click View more.
- Click Delete to delete the database.
gcloud CLI
Use the `gcloud firestore databases delete` command.
gcloud firestore databases delete --database=DATABASE_ID
Replace DATABASE_ID with the ID of the database to delete.
Clone a database
You can clone an existing database at a selected timestamp into a new database:
The cloned database is a new database that will be created in the same location as the source database.
To make a clone, Cloud Firestore uses point-in-time recovery (PITR) data of the source database. The cloned database includes all data and indexes.
By default, the cloned database will be encrypted in the same way as the source database, using either Google's default encryption or CMEK encryption. You can specify a different encryption type or use a different key for CMEK encryption.
The timestamp has a granularity of one minute and specifies a point of time in the past, in the period defined by the PITR window:
- If PITR is enabled for your database, you select any minute in the last 7 days (or less if PITR was enabled less than 7 days ago).
- If PITR isn't enabled, you can select any minute in the past hour.
- You can check the earliest timestamp that you can pick in your database's description.
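The window rules above as a local check to run on a candidate clone timestamp before submitting it, for instance when choosing a recovery point. This is an added example, not code from the original page; the function names are hypothetical, earliest_version_time stands for the earliest timestamp shown in the database's description, and treating the window edges as inclusive is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def parse_rfc3339(text):
    """Parse an RFC 3339 timestamp; return (UTC datetime, has_subminute_part)."""
    m = _RFC3339.match(text)
    if m is None:
        raise ValueError("not an RFC 3339 timestamp: %r" % text)
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    fraction, zone = m.group(7), m.group(8)
    offset = timedelta(0)
    if zone != "Z":
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
    local = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    subminute = second != 0 or (fraction is not None and int(fraction[1:]) != 0)
    return local - offset, subminute


def check_snapshot_time(snapshot, now, pitr_enabled, earliest_version_time=None):
    """Return "ok" or the reason the timestamp cannot be used for a clone."""
    when, subminute = parse_rfc3339(snapshot)
    if subminute:
        return "not at minute granularity"
    if when > now:
        return "in the future"
    # 7 days with PITR enabled, otherwise the past hour.
    window = timedelta(days=7) if pitr_enabled else timedelta(hours=1)
    earliest = now - window
    # PITR enabled less than 7 days ago: the description's earliest time wins.
    if earliest_version_time is not None:
        earliest = max(earliest, earliest_version_time)
    if when < earliest:
        return "before the PITR window"
    return "ok"
```

The service makes the final decision when the clone request arrives; this check only catches timestamps that cannot succeed.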
Cloning a database requires the datastore.databases.clone IAM permission.
Console
- In the Google Cloud console, go to the Databases page.
- Click View more in the table row for the database that you want to clone. Click Clone. The Create a clone dialog appears.
- In the Create a clone dialog, provide parameters for cloning the database:
  - In the Give the clone an ID field, enter a database ID for a new cloned database. This database ID must not be associated with an existing database.
  - In the Clone from field, select a point in time to use for cloning. The selected time corresponds to a PITR timestamp, at the minute granularity.
- Click Create clone.
gcloud
Use the gcloud firestore databases clone command to clone a database:
gcloud firestore databases clone \
  --source-database='SOURCE_DATABASE' \
  --snapshot-time='PITR_TIMESTAMP' \
  --destination-database='DESTINATION_DATABASE_ID'
Replace the following:
- SOURCE_DATABASE: the database name of an existing database that you want to clone. The name uses the format projects/PROJECT_ID/databases/SOURCE_DATABASE_ID.
- PITR_TIMESTAMP: a PITR timestamp in the RFC 3339 format, at minute granularity. For example: 2025-06-01T10:20:00.00Z or 2025-06-01T10:30:00.00-07:00.
- DESTINATION_DATABASE_ID: a database ID for a new cloned database. This database ID must not be associated with an existing database.
Example:
gcloud firestore databases clone \
  --source-database='projects/example-project/databases/example-source-db' \
  --snapshot-time='2025-06-01T10:20:00.00Z' \
  --destination-database='example-dest-db'
If you want to bind to some tags while cloning a database, use the previous command with the --tags flag, which is an optional list of tags KEY=VALUE pairs to bind.
Example:
gcloud firestore databases clone \
  --source-database='projects/example-project/databases/(default)' \
  --snapshot-time='2025-06-01T10:20:00.00Z' \
  --destination-database='example-dest-db' \
  --tags=key1=value1,key2=value2
By default, the cloned database will have the same encryption configuration as the source database. To change the encryption configuration, use the --encryption-type argument:
- (Default) use-source-encryption: use the same encryption configuration as the source database.
- google-default-encryption: use Google's default encryption.
- customer-managed-encryption: use CMEK encryption. Specify a key ID in the --kms-key-name argument.
The following example shows how to configure CMEK encryption for the cloned database:
gcloud firestore databases clone \
  --source-database='projects/example-project/databases/example-source-db' \
  --snapshot-time='2025-06-01T10:20:00.00Z' \
  --destination-database='example-dest-db' \
  --encryption-type='customer-managed-encryption' \
  --kms-key-name='projects/example-project/locations/us-central1/keyRings/example-key-ring/cryptoKeys/example-key'
Configure per-database access permissions
You can use Identity and Access Management Conditions to configure access permissions on a per-database level. The following examples use the Google Cloud CLI to assign conditional access for one or more databases. You can also define IAM conditions in the Google Cloud console.
Warning: The Google Cloud console neither allows nor denies access to databases based on IAM conditions configured at the database level. IAM conditions are enforced when accessing databases outside of the Google Cloud console such as with the REST API or the client libraries.
View existing IAM policies
gcloud projects get-iam-policy PROJECT_ID
Set PROJECT_ID to your project ID.
Grant access to a database
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member='user:EMAIL' \
  --role='roles/datastore.user' \
  --condition='expression=resource.name=="projects/PROJECT_ID/databases/DATABASE_ID",title=TITLE,description=DESCRIPTION'
Set the following:
- PROJECT_ID: your project ID
- EMAIL: an email address that represents a specific account. For example, alice@example.com.
- DATABASE_ID: a database ID.
- TITLE: an optional title for the expression.
- DESCRIPTION: an optional description of the expression.
Grant access to all except one database
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member='user:EMAIL' \
  --role='roles/datastore.user' \
  --condition='expression=resource.name!="projects/PROJECT_ID/databases/DATABASE_ID",title=TITLE,description=DESCRIPTION'
Set the following:
- PROJECT_ID: your project ID
- EMAIL: an email address that represents a specific account. For example, alice@example.com.
- DATABASE_ID: a database ID.
- TITLE: an optional title for the expression.
- DESCRIPTION: an optional description of the expression.
Remove policies for a given member and role
gcloud projects remove-iam-policy-binding PROJECT_ID \
  --member='user:EMAIL' \
  --role='roles/datastore.user' --all
Set the following:
- PROJECT_ID: your project ID
- EMAIL: an email address that represents a specific account. For example, alice@example.com.
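A review script for the policy returned by gcloud projects get-iam-policy, classifying each roles/datastore.* binding by the database scope its condition grants and flagging conditional grants that an unconditional binding already overrides. This is an added example, not code from the original page; the function names, scope labels, and sample policy are constructed, and it only recognizes the two condition shapes shown above.

```python
import re

# The two condition shapes shown on this page:
#   resource.name=="projects/P/databases/D"   resource.name!="projects/P/databases/D"
_COND = re.compile(
    r'^\s*resource\.name\s*(==|!=)\s*"projects/[^/"]+/databases/([^/"]+)"\s*$')


def audit_datastore_bindings(policy):
    """Return sorted (member, role, scope) for every roles/datastore.* binding."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith("roles/datastore."):
            continue
        expression = (binding.get("condition") or {}).get("expression")
        if expression is None:
            scope = "ALL_DATABASES"        # no condition: every database
        else:
            match = _COND.match(expression)
            if match is None:
                scope = "REVIEW_MANUALLY"  # a condition this script cannot parse
            elif match.group(1) == "==":
                scope = "ONLY:" + match.group(2)
            else:
                scope = "ALL_EXCEPT:" + match.group(2)
        findings.extend((member, role, scope) for member in binding.get("members", []))
    return sorted(findings)


def shadowed_conditions(findings):
    """(member, role) pairs whose conditional grant is moot: allow bindings are
    additive, so an unconditional binding for the same member and role already
    grants every database."""
    broad = {(m, r) for m, r, s in findings if s == "ALL_DATABASES"}
    return sorted({(m, r) for m, r, s in findings
                   if s != "ALL_DATABASES" and (m, r) in broad})


# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
PROD = 'resource.name{}"projects/example-project/databases/prod-db"'
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/datastore.user", "members": ["user:alice@example.com"],
     "condition": {"title": "prod only", "expression": PROD.format("==")}},
    {"role": "roles/datastore.user",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/datastore.user", "members": ["user:carol@example.com"],
     "condition": {"title": "not prod", "expression": PROD.format("!=")}},
    {"role": "roles/viewer", "members": ["user:dave@example.com"]},
]}
```

Broader roles such as Owner also grant database access without a condition and are outside what this script inspects.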
Limitations
You can have a maximum of 100 databases per project. You can contact support to request an increase to this limit.
What's next
- Run the Quickstart: Create a database and connect to it.
- Learn about Behavior differences.
- Learn about Cloud Monitoring metrics for Cloud Firestore.
Last updated 2026-02-18 UTC.