Identity and Access Management (IAM)
Manage access to your resources with Identity and Access Management (IAM). IAM lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM permissions and roles for Cloud Firestore. For a detailed description of IAM, read the IAM documentation.
IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (user) has what (role) permission for which resources by setting IAM policies. IAM policies grant one or more roles to a user, giving the user certain permissions. For example, you can grant the datastore.indexAdmin role to a user, which allows the user to create, modify, delete, list, or view indexes.
Permissions and roles
This section summarizes the permissions and roles that Cloud Firestore supports.
Note: Some Cloud Firestore permissions differ from the standard IAM model permissions. For example, in the IAM model, the datastore.databases.get permission lets you return a database object while, in Cloud Firestore, datastore.databases.get lets you begin or roll back a transaction. To retrieve a database object's information, use the datastore.databases.getMetadata permission.
Required permissions for API methods
The following table lists the permissions that the caller must have to perform each action:
| Method | Required permissions | |
|---|---|---|
| projects.databases.MongoDBCompatible | | |
| ListDatabases | datastore.databases.getMetadata | |
| ListIndexes | datastore.indexes.list | |
| Find | datastore.entities.get, datastore.entities.list | |
| Aggregate | datastore.entities.get, datastore.entities.list | |
| GetMore | The same permissions that were required by the call that created the cursor. | |
| ListCollections | datastore.entities.list | |
| Count | datastore.entities.list | |
| Distinct | datastore.entities.get, datastore.entities.list | |
| CommitTransaction | datastore.databases.get | |
| AbortTransaction | datastore.databases.get | |
| EndSessions | datastore.databases.get | |
| KillCursors | datastore.databases.get | |
| Insert | datastore.entities.create | |
| Update | datastore.entities.get, datastore.entities.list, datastore.entities.update, datastore.entities.create (for upsert only) | |
| FindAndModify | datastore.entities.get, datastore.entities.list, datastore.entities.update (for replace or update only), datastore.entities.create (for upsert only), datastore.entities.delete (for delete only) | |
| CreateCollection | datastore.entities.create | |
| projects.databases.indexes | | |
| create | datastore.indexes.create | |
| delete | datastore.indexes.delete | |
| get | datastore.indexes.get | |
| list | datastore.indexes.list | |
| projects.databases | | |
| create | datastore.databases.create | |
| delete | datastore.databases.delete | |
| get | datastore.databases.getMetadata | |
| list | datastore.databases.list | |
| patch | datastore.databases.update | |
| restore | datastore.backups.restoreDatabase | |
| clone | datastore.databases.clone | Clone a database. If your If you would like to verify whether the tag bindings are set successfully by listing the bindings, then the following additional permissions are required: |
| projects.locations | | |
| get | datastore.locations.get | |
| list | datastore.locations.list | |
| projects.databases.backupschedules | | |
| get | datastore.backupSchedules.get | |
| list | datastore.backupSchedules.list | |
| create | datastore.backupSchedules.create | |
| update | datastore.backupSchedules.update | |
| delete | datastore.backupSchedules.delete | |
| projects.locations.backups | | |
| get | datastore.backups.get | |
| list | datastore.backups.list | |
| delete | datastore.backups.delete | |
| projects.databases.usercreds | | |
| get | datastore.userCreds.get | |
| list | datastore.userCreds.list | |
| create | datastore.userCreds.create | |
| enable | datastore.userCreds.update | |
| disable | datastore.userCreds.update | |
| resetPassword | datastore.userCreds.update | |
| delete | datastore.userCreds.delete | |
Predefined roles
With IAM, every API method in Cloud Firestore requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the primitive roles, owner, editor, and viewer, you can grant Cloud Firestore roles to the users of your project.
The following table lists the Cloud Firestore IAM roles. You can grant multiple roles to a user, group, or service account.
| Role | Permissions | Description |
|---|---|---|
| roles/datastore.owner | appengine.applications.get, datastore.*, resourcemanager.projects.get, resourcemanager.projects.list | Full access to Cloud Firestore. |
| roles/datastore.user | appengine.applications.get, datastore.databases.get, datastore.databases.getMetadata, datastore.databases.list, datastore.entities.*, datastore.indexes.list, datastore.namespaces.get, datastore.namespaces.list, datastore.statistics.get, datastore.statistics.list, resourcemanager.projects.get, resourcemanager.projects.list | Read/write access to data in a Cloud Firestore database. Intended for application developers and service accounts. |
| roles/datastore.viewer | appengine.applications.get, datastore.databases.get, datastore.databases.getMetadata, datastore.databases.list, datastore.entities.get, datastore.entities.list, datastore.indexes.get, datastore.indexes.list, datastore.namespaces.get, datastore.namespaces.list, datastore.statistics.get, datastore.statistics.list, resourcemanager.projects.get, resourcemanager.projects.list | Read access to all Cloud Firestore resources. |
| roles/datastore.indexAdmin | appengine.applications.get, datastore.databases.getMetadata, datastore.indexes.*, datastore.operations.list, datastore.operations.get, resourcemanager.projects.get, resourcemanager.projects.list | Full access to manage index definitions. |
| roles/datastore.backupSchedulesViewer | datastore.backupSchedules.get, datastore.backupSchedules.list | Read access to backup schedules in a Cloud Firestore database. |
| roles/datastore.backupSchedulesAdmin | datastore.backupSchedules.get, datastore.backupSchedules.list, datastore.backupSchedules.create, datastore.backupSchedules.update, datastore.backupSchedules.delete, datastore.databases.list, datastore.databases.getMetadata | Full access to backup schedules in a Cloud Firestore database. |
| roles/datastore.backupsViewer | datastore.backups.get, datastore.backups.list | Read access to backup information in a Cloud Firestore location. |
| roles/datastore.backupsAdmin | datastore.backups.get, datastore.backups.list, datastore.backups.delete | Full access to backups in a Cloud Firestore location. |
| roles/datastore.restoreAdmin | datastore.backups.get, datastore.backups.list, datastore.backups.restoreDatabase, datastore.databases.list, datastore.databases.create, datastore.databases.getMetadata, datastore.operations.list, datastore.operations.get | Ability to restore a Cloud Firestore backup into a new database. This role also gives the ability to create new databases, not necessarily by restoring from a backup. |
| roles/datastore.cloneAdmin | datastore.databases.clone, datastore.databases.list, datastore.databases.create, datastore.databases.getMetadata, datastore.operations.list, datastore.operations.get | Ability to clone a Cloud Firestore database into a new database. This role also gives the ability to create new databases, not necessarily by cloning. |
| roles/datastore.statisticsViewer | resourcemanager.projects.get, resourcemanager.projects.list, datastore.databases.getMetadata, datastore.insights.get, datastore.keyVisualizerScans.get, datastore.keyVisualizerScans.list, datastore.statistics.list, datastore.statistics.get | Read access to Insights, Stats, and Key Visualizer scans. |
| roles/datastore.userCredsViewer | datastore.userCreds.get, datastore.userCreds.list | Read access to user credentials in a Cloud Firestore database. |
| roles/datastore.userCredsAdmin | datastore.userCreds.get, datastore.userCreds.list, datastore.userCreds.create, datastore.userCreds.update, datastore.userCreds.delete, datastore.databases.list, datastore.databases.getMetadata | Full access to user credentials in a Cloud Firestore database. |
Custom roles
If the predefined roles do not address your business requirements, you can define your own custom roles with permissions that you specify.
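The two tables above (required permissions per API method, and the permissions each predefined role grants) are what you need to pick the narrowest role for a workload, or to decide that no predefined role fits and a custom role is warranted. The following added example, which is not code from the Google Cloud documentation, transcribes a representative subset of both tables plus the page's permission catalogue and computes, for a set of API methods, the covering predefined roles ordered from narrowest to broadest, and the minimal permission set a custom role would need. The names `METHOD_PERMISSIONS`, `ROLE_PERMISSIONS`, `CATALOGUE`, `grants`, `required_permissions`, `breadth` and `candidate_roles` are the example's own, not a Google API; the short method keys are abbreviations of the table's `projects.databases.…` rows.

```python
"""Pick the least-privileged predefined Cloud Firestore role for a set of API methods.

Added example, not code from the Google Cloud documentation. The permission data
is transcribed from this page's tables (a representative subset of methods and
roles); all identifiers below are the example's own names.
"""
from fnmatch import fnmatchcase

# Permissions each API method needs (subset of the "Required permissions for API methods" table).
METHOD_PERMISSIONS = {
    "MongoDBCompatible.Find": {"datastore.entities.get", "datastore.entities.list"},
    "MongoDBCompatible.Insert": {"datastore.entities.create"},
    "MongoDBCompatible.CommitTransaction": {"datastore.databases.get"},
    "indexes.create": {"datastore.indexes.create"},
    "indexes.list": {"datastore.indexes.list"},
    "databases.get": {"datastore.databases.getMetadata"},
    "locations.backups.delete": {"datastore.backups.delete"},
}

# Permissions each predefined role grants (subset of the "Predefined roles" table).
# Entries ending in "*" are wildcards, exactly as the page lists them.
ROLE_PERMISSIONS = {
    "roles/datastore.owner": {
        "appengine.applications.get", "datastore.*",
        "resourcemanager.projects.get", "resourcemanager.projects.list"},
    "roles/datastore.user": {
        "appengine.applications.get", "datastore.databases.get",
        "datastore.databases.getMetadata", "datastore.databases.list",
        "datastore.entities.*", "datastore.indexes.list", "datastore.namespaces.get",
        "datastore.namespaces.list", "datastore.statistics.get", "datastore.statistics.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list"},
    "roles/datastore.viewer": {
        "appengine.applications.get", "datastore.databases.get",
        "datastore.databases.getMetadata", "datastore.databases.list",
        "datastore.entities.get", "datastore.entities.list", "datastore.indexes.get",
        "datastore.indexes.list", "datastore.namespaces.get", "datastore.namespaces.list",
        "datastore.statistics.get", "datastore.statistics.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list"},
    "roles/datastore.indexAdmin": {
        "appengine.applications.get", "datastore.databases.getMetadata", "datastore.indexes.*",
        "datastore.operations.list", "datastore.operations.get",
        "resourcemanager.projects.get", "resourcemanager.projects.list"},
    "roles/datastore.backupsAdmin": {
        "datastore.backups.get", "datastore.backups.list", "datastore.backups.delete"},
}

# Concrete datastore.* permissions from the page's "Permissions" tables; used to
# measure how much a wildcard such as "datastore.*" really grants.
_FAMILIES = {
    "databases": ["get", "getMetadata", "list", "create", "update", "delete", "clone",
                  "createTagBinding", "deleteTagBinding", "listTagBindings",
                  "listEffectiveTagBindings"],
    "entities": ["create", "delete", "get", "list", "update"],
    "indexes": ["create", "delete", "get", "list", "update"],
    "operations": ["cancel", "delete", "get", "list"],
    "locations": ["get", "list"],
    "keyVisualizerScans": ["get", "list"],
    "backupSchedules": ["get", "list", "create", "update", "delete"],
    "backups": ["get", "list", "delete", "restoreDatabase"],
    "insights": ["get"],
    "userCreds": ["get", "list", "create", "update", "delete"],
}
CATALOGUE = [f"datastore.{fam}.{verb}" for fam, verbs in _FAMILIES.items() for verb in verbs]


def grants(role_perms, permission):
    """True if the role's permission set (wildcards included) covers `permission`."""
    return any(fnmatchcase(permission, pattern) for pattern in role_perms)


def required_permissions(methods):
    """Union of the permissions the given API methods need (the minimal custom-role set)."""
    unknown = sorted(set(methods) - set(METHOD_PERMISSIONS))
    if unknown:
        raise KeyError(f"methods not in the table: {unknown}")
    return set().union(*(METHOD_PERMISSIONS[m] for m in methods))


def breadth(role):
    """Number of catalogue permissions the role grants once wildcards are expanded."""
    return sum(1 for p in CATALOGUE if grants(ROLE_PERMISSIONS[role], p))


def candidate_roles(methods):
    """Predefined roles that cover every needed permission, narrowest first."""
    needed = required_permissions(methods)
    covering = [r for r, perms in ROLE_PERMISSIONS.items()
                if all(grants(perms, p) for p in needed)]
    return sorted(covering, key=lambda r: (breadth(r), r))


if __name__ == "__main__":
    for methods in (["MongoDBCompatible.Find"], ["MongoDBCompatible.Insert"],
                    ["indexes.create"], ["MongoDBCompatible.Find", "indexes.create"]):
        roles = candidate_roles(methods)
        print(methods, "->", roles[0] if roles else "no single predefined role",
              "| minimal custom-role permissions:", sorted(required_permissions(methods)))
```

A workload that only runs `Find` ranks `roles/datastore.viewer` ahead of `roles/datastore.user`, while a workload that both reads documents and creates indexes is covered by `roles/datastore.owner` alone, which is exactly the case where a custom role with the three computed permissions (or two narrower predefined roles granted side by side) is the better least-privilege choice.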
Required roles to create and manage tags
If any tag is involved in create or restore actions, some roles are required. See Creating and managing tags for more details on creating tag key-value pairs before associating them with database resources.
The following permissions are required.
View tags
- datastore.databases.listTagBindings
- datastore.databases.listEffectiveTags
Manage tags on resources
The following permission is required on the database resource to which you're attaching the tag value.
- datastore.databases.createTagBinding
Permissions
The following table lists the permissions that Cloud Firestore supports.

| Database permission name | Description |
|---|---|
| datastore.databases.get | Begin or roll back a transaction. |
| datastore.databases.getMetadata | Read metadata from a database. |
| datastore.databases.list | List databases in a project. |
| datastore.databases.create | Create a database. |
| datastore.databases.update | Update a database. |
| datastore.databases.delete | Delete a database. |
| datastore.databases.clone | Clone a database. |
| datastore.databases.createTagBinding | Create a tag binding for a database. |
| datastore.databases.deleteTagBinding | Delete a tag binding for a database. |
| datastore.databases.listTagBindings | List all tag bindings for a database. |
| datastore.databases.listEffectiveTagBindings | List effective tag bindings for a database. |

| Entity permission name | Description |
|---|---|
| datastore.entities.create | Create a document. |
| datastore.entities.delete | Delete a document. |
| datastore.entities.get | Read a document. |
| datastore.entities.list | List the names of documents in a project. (datastore.entities.get is required to access the document data.) |
| datastore.entities.update | Update a document. |

| Index permission name | Description |
|---|---|
| datastore.indexes.create | Create an index. |
| datastore.indexes.delete | Delete an index. |
| datastore.indexes.get | Read metadata from an index. |
| datastore.indexes.list | List the indexes in a project. |
| datastore.indexes.update | Update an index. |

| Operation permission name | Description |
|---|---|
| datastore.operations.cancel | Cancel a long-running operation. |
| datastore.operations.delete | Delete a long-running operation. |
| datastore.operations.get | Get the latest state of a long-running operation. |
| datastore.operations.list | List long-running operations. |

| Project permission name | Description |
|---|---|
| resourcemanager.projects.get | Browse resources in the project. |
| resourcemanager.projects.list | List owned projects. |

| Location permission name | Description |
|---|---|
| datastore.locations.get | Get details about a database location. Required to create a new database. |
| datastore.locations.list | List available database locations. Required to create a new database. |

| Key Visualizer permission name | Description |
|---|---|
| datastore.keyVisualizerScans.get | Get details about Key Visualizer scans. |
| datastore.keyVisualizerScans.list | List available Key Visualizer scans. |

| Backup Schedule permission name | Description |
|---|---|
| datastore.backupSchedules.get | Get details about a backup schedule. |
| datastore.backupSchedules.list | List available backup schedules. |
| datastore.backupSchedules.create | Create a backup schedule. |
| datastore.backupSchedules.update | Update a backup schedule. |
| datastore.backupSchedules.delete | Delete a backup schedule. |

| Backup permission name | Description |
|---|---|
| datastore.backups.get | Get details about a backup. |
| datastore.backups.list | List available backups. |
| datastore.backups.delete | Delete a backup. |
| datastore.backups.restoreDatabase | Restore a database from a backup. |

| Insights permission name | Description |
|---|---|
| datastore.insights.get | Get insights of a resource. |

| User credentials permission name | Description |
|---|---|
| datastore.userCreds.get | Get details about user credentials. |
| datastore.userCreds.list | List available user credentials. |
| datastore.userCreds.create | Create user credentials. |
| datastore.userCreds.update | Enable or disable user credentials, or reset a user password. |
| datastore.userCreds.delete | Delete user credentials. |
Role change latency
Cloud Firestore caches IAM permissions for 5 minutes, so it takes up to 5 minutes for a role change to become effective.
Managing Cloud Firestore IAM
You can get and set IAM policies using the Google Cloud console, the IAM API, or the gcloud command-line tool. See Granting, Changing, and Revoking Access to Project Members for details.
Configure conditional access permissions
You can use IAM Conditions to define and enforce conditional access control.
For example, the following condition assigns a principal the datastore.user role up until a specified date:

```json
{
  "role": "roles/datastore.user",
  "members": ["user:travis@example.com"],
  "condition": {
    "title": "Expires_December_1_2023",
    "description": "Expires on December 1, 2023",
    "expression": "request.time < timestamp('2023-12-01T00:00:00.000Z')"
  }
}
```

To learn how to define IAM Conditions for temporary access, see Configure temporary access.
To learn how to configure IAM Conditions for access to one or more databases, see Configure database access conditions.
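A time-bound binding like the one above stops granting access once `request.time` passes the timestamp, but the binding itself stays in the policy until someone removes it, and a policy that accumulates lapsed grants is harder to review. The following added example, not code from the Google Cloud documentation, walks an IAM policy document and classifies every (role, member) pair as permanent, active, expired, or needing manual review. The policy is a constructed sample built around the page's own binding; the only condition shape the example evaluates is `request.time < timestamp('...')`, and `POLICY_JSON`, `SAMPLE_POLICY`, `parse_expiry`, `audit_bindings` and `expired_bindings` are the example's own names.

```python
"""Audit conditional IAM bindings for lapsed time-bound grants.

Added example, not code from the Google Cloud documentation. The policy below is
a constructed sample; only `request.time < timestamp('...')` conditions are
evaluated, anything else is flagged for manual review.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample policy: the page's expiring binding, a still-valid one,
# and an unconditional one.
POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/datastore.user",
     "members": ["user:travis@example.com"],
     "condition": {"title": "Expires_December_1_2023",
                   "description": "Expires on December 1, 2023",
                   "expression": "request.time < timestamp('2023-12-01T00:00:00.000Z')"}},
    {"role": "roles/datastore.viewer",
     "members": ["group:readers@example.com"],
     "condition": {"title": "Expires_2030",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/datastore.owner",
     "members": ["serviceAccount:deploy@example.iam.gserviceaccount.com"]}
  ]
}
"""
SAMPLE_POLICY = json.loads(POLICY_JSON)

# The one CEL condition shape this example understands.
_EXPIRY_RE = re.compile(
    r"""^\s*request\.time\s*<\s*timestamp\(\s*['"]([^'"]+)['"]\s*\)\s*$""")


def parse_expiry(expression):
    """Return the expiry as an aware UTC datetime, or None for any other expression shape."""
    match = _EXPIRY_RE.match(expression)
    if not match:
        return None
    stamp = match.group(1)
    if stamp.endswith("Z"):                 # fromisoformat() before Python 3.11 rejects 'Z'
        stamp = stamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:               # treat a bare timestamp as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def audit_bindings(policy, now):
    """Classify each (role, member) pair as permanent, active, expired or review."""
    findings = []
    for binding in policy.get("bindings", []):
        condition = binding.get("condition")
        for member in binding.get("members", []):
            entry = {"role": binding["role"], "member": member, "expires": None}
            if condition is None:
                entry["status"] = "permanent"
            else:
                expiry = parse_expiry(condition.get("expression", ""))
                if expiry is None:
                    entry["status"] = "review"   # some other condition; check by hand
                else:
                    entry["expires"] = expiry.isoformat()
                    entry["status"] = "expired" if expiry <= now else "active"
            findings.append(entry)
    return findings


def expired_bindings(policy, now):
    """The (role, member) pairs whose time-bound grant has lapsed and can be pruned."""
    return [(f["role"], f["member"])
            for f in audit_bindings(policy, now) if f["status"] == "expired"]


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_POLICY, datetime.now(timezone.utc)):
        print(finding)
```

Feeding it the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` (a real command; the project id is a placeholder) gives a cleanup list; bindings marked `review` carry conditions the regex does not model, such as the database-scoped conditions the page links to, and should be read by hand rather than assumed active.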
What's next
- Learn more about IAM.
- Grant IAM roles.
- Learn about authentication.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.