Reputation: 1414
I have a server side app that does not run on node.js (a Cloudflare Worker), so I'm trying to access Firestore resources via REST calls and not through the Admin SDK.
I have a default service account created automatically for the Admin SDK, and I created another service account manually in the GCP console.
After obtaining an OAuth token for the default service account, I'm able to access protected resources. However, with the newly created service account, I can't access resources even if the security rule is set to if true.
What permissions would I have to give this manually created service account in order to allow it access?
Upvotes: 3
Views: 4721
Reputation: 1414
Creating a service account by itself grants no permissions. The Permissions tab in IAM & Admin > Service Accounts shows a list of "Principals with access to this account" - this is not the inheritance of permissions, it's simply which accounts, aka principals, can make use of the permissions granted to this service account. The "Grant Access" button on this page is about granting other principals access to this service account, not granting access to resources for this service account.
For Firestore access specifically - go to IAM & Admin > IAM, and you'll be on the permissions tab. Click "Add" at the top of the page. Type in your newly created service account under "New Principals", and for roles, select "Cloud Datastore Owner".
Note: Firestore is the next generation of Datastore, but this legacy role name has remained.
Upvotes: 16