I followed all the steps contained in the Google documentation on moving data between projects to export a dev database from one project in Firestore to Production (another project in Firestore).
Everything went fine, but when I get to the last step, which is actually importing the copied bucket into the Firestore database, I’m having permission issues and receiving the error below:
ERROR: (gcloud.firestore.import) PERMISSION_DENIED: Service account does not have access to Google Cloud Storage file: /trasnf-dev-prod. See https://cloud.google.com/datastore/docs/export-import-entities/#permissions for a list of permissions needed. This command is authenticated as [email protected] which is the active account specified by the [core/account] property.
/transf-dev-prod –> Is the source bucket
I’m running the command from the Cloud Shell with the destination project configured.
This is the command that I’m using in Cloud Shell that gives me the permission issues:
gcloud firestore import gs://trasnf-dev-prod/2024-12-24T00:30:21_45719 --async
Any light on what I need to do to make it work?
1
It seems the issue you are encountering is related to permissions for the service account you are using when performing the import operation. As stated in the documentation:
The Firestore service agent requires access to the Cloud Storage bucket used in an export or import operation. If your Cloud Storage bucket is in the same project as your Firestore database, then the Firestore service agent can access the bucket by default.
If the Cloud Storage bucket is in another project, then you must give the Firestore service agent access to the Cloud Storage bucket.
For import operations involving a Cloud Storage bucket in another project, modify the permissions of the bucket to assign one of the following Cloud Storage roles.
Assign roles to the service agent
You can use the gsutil command-line tool to assign one of the roles below. For example, to assign the Storage Admin role to the Firestore service agent, run the following:
gsutil iam ch serviceAccount:[email protected]:roles/storage.admin gs://[BUCKET_NAME]
Replacing [service-XXX] and [bucket-name]
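One way to confirm the grant landed on the right identity before retrying the import (an added example, not part of the original answer or of Google's documentation): it reads the JSON printed by `gsutil iam get gs://BUCKET` and checks that the destination project's Firestore service agent holds the role. The agent address format `service-PROJECT_NUMBER@gcp-sa-firestore.iam.gserviceaccount.com` is an assumption (the address on this page is redacted), and the project numbers and sample policy are constructed.

```python
import json
import re

# Assumed Firestore service agent naming; the address shown on the page is redacted.
AGENT_RE = re.compile(
    r"^serviceAccount:service-(\d+)@gcp-sa-firestore\.iam\.gserviceaccount\.com$")

# Constructed sample in the shape printed by `gsutil iam get gs://BUCKET`.
# Made-up project numbers: 111111111111 = source (dev), 222222222222 = destination (prod).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:service-111111111111"
                     "@gcp-sa-firestore.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["user:dev@example.com"]},
    ],
    "etag": "CAE=",
})


def agent_member(project_number):
    """IAM member string for a project's Firestore service agent (assumed format)."""
    return f"serviceAccount:service-{project_number}@gcp-sa-firestore.iam.gserviceaccount.com"


def check_import_access(policy_json, dest_project_number, role="roles/storage.admin"):
    """Report whether the destination project's agent holds `role` on the bucket."""
    want = agent_member(dest_project_number)
    granted, conditional, other_agents = [], [], set()
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            if member == want:
                # A conditional binding may not cover every object in the export.
                (conditional if "condition" in binding else granted).append(binding["role"])
            elif (m := AGENT_RE.match(member)):
                other_agents.add(m.group(1))
    return {
        "member": want,
        "ok": role in granted,
        "roles": sorted(granted),
        "conditional_roles": sorted(conditional),
        # Agents of other projects: a sign the wrong project number was used in the grant.
        "other_firestore_agents": sorted(other_agents),
    }


if __name__ == "__main__":
    print(json.dumps(check_import_access(SAMPLE_POLICY, "222222222222"), indent=2))
```

In the constructed sample the role was granted to the source project's agent, so the check for the destination project reports `ok: false` and lists the other agent's project number.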