Authenticate Google Firestore in Cloud Functions (Python)

1
votes

I'm using a Google Cloud Function to perform some actions on my Firestore collection at set intervals using Cloud Scheduler (all in the same project).

It function itself is working fine and authenticating. However, I'm authenticating using the service account JSON in my python code as per below:

cred = credentials.Certificate({
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "...",
  "client_email": "...",
  "client_id": "...",
  "auth_uri": "...",
  "token_uri": "...,
  "auth_provider_x509_cert_url": "...",
  "client_x509_cert_url": "..."
})
firebase_admin.initialize_app(cred)
db = firestore.client()

I know that there is a better way to authenticate, given the database and function are in the same Google Cloud project. However, I can't find any documentation on how to do this via the inline editor.

How can I authenticate to, and reference my Firestore database without using the service account?

3
python-3.xfirebasegoogle-cloud-platformgoogle-cloud-firestoregoogle-cloud-functions
Have you checked the Python samples from Google for GCP? link There you may find code snippets for Cloud Functions and Firestore.Juancki

3 Answers

1
votes

Your Cloud Function must use a service account to connect to Firestore. Normally this is the App Engine default service account with id [email protected]. If you'd like to use a different service account then you can assign a per-function identity.

As a result of all this, your code doesn't actually need to create a credential or anything like that. Take a look at this (unofficial) community tutorial for a working example. You can replace the Javascript with the Python code example provided below or check the snippets in the GitHub examples repo:

from google.cloud import firestore

# Add a new document
db = firestore.Client()
doc_ref = db.collection(u'users').document(u'alovelace')
doc_ref.set({
    u'first': u'Ada',
    u'last': u'Lovelace',
    u'born': 1815
})

# Then query for documents
users_ref = db.collection(u'users')

for doc in users_ref.stream():
    print(u'{} => {}'.format(doc.id, doc.to_dict()))
0
votes

Every cloud function has an identity which is defined by the service account that is assigned to it. By default, the cloud function will be assigned AppEngine default service account. You need to create a service account with required roles for interacting with Firestore and assign it to the cloud function either using the CLI or the Console.

Refer to the following for required permissions for Firestore-

https://cloud.google.com/firestore/docs/security/iam

And to create a service account, if you don't know how to-

https://cloud.google.com/iam/docs/creating-managing-service-accounts

And finally, to assign custom identity to the cloud function-

https://cloud.google.com/functions/docs/securing/function-identity#per-function_identity

Hope this helps!

0
votes

Python example below shows, how to add a document to firestore from google cloud functions. In cloud functions, inline editor, add below function in main.py

def add_document_to_firestore():
    from google.cloud import firestore
    db = firestore.Client()
    doc_ref = db.collection(u'collectionName').document(u'documentID')
    doc_ref.set({
        u'column1': u'value1',
        u'first': u'Mathison',
        u'last': u'Turing',
        u'born': 1912
    })

In requirements.txt file, add

google-cloud-firestore==2.0.2

You can now add parameters to above function and call this cloud function URL from the application.