GCP Cloud Run service scenarios to connect to Firestore with 'Permission Denied' despite correct IAM roles
I'm deploying to production and I've spent hours debugging this and I keep running into I'm following best practices but I can't seem to get I'm deploying a microservice on GCP Cloud Run that needs to interact with Firestore, but I'm working with a 'Permission Denied' behavior..... My service is written in Node.js using the `@google-cloud/firestore` library (version 5.4.0). I've attached the required IAM roles to the Cloud Run service account including 'Cloud Datastore User' and 'Firestore User', but it still doesn't work. Hereβs the relevant portion of my code where I'm initializing Firestore: ```javascript const { Firestore } = require('@google-cloud/firestore'); const firestore = new Firestore(); async function getDocument(docId) { const doc = await firestore.collection('myCollection').doc(docId).get(); if (!doc.exists) { console.log('No such document!'); } else { console.log('Document data:', doc.data()); } } ``` When I run the service, I see this behavior in the logs: `behavior: Permission denied on Firestore: projects/<project-id>/databases/(default)/documents/myCollection/<docId>`. I've also verified that the service account running the Cloud Run instance has the necessary permissions by checking IAM settings, and even tried redeploying with `gcloud run deploy --update-env FIRESTORE_EMULATOR_HOST=localhost:8080` for testing against the emulator, but the question continues. Iβm also aware of the need for the service account to authenticate properly with Firestore, so I added the following snippet to ensure it's using the correct credentials: ```javascript const { GoogleAuth } = require('google-auth-library'); const auth = new GoogleAuth({ scopes: 'https://www.googleapis.com/auth/datastore' }); const firestore = new Firestore({ projectId: '<project-id>', auth }); ``` Still, I receive the same permission behavior. Is there something I'm missing in my configuration or setup? Any help would be greatly appreciated! What's the best practice here? This is for a mobile app running on Ubuntu 22.04. What are your experiences with this? The project is a microservice built with Javascript. I'd love to hear your thoughts on this. I'm working on a application that needs to handle this. What are your experiences with this? What are your experiences with this?