How can a service of Google Cloud Run for Anthos on GKE connect to Firestore in a different project of a different organization?

9/27/2019

I made a service of Cloud Run for Anthos on GKE. And then, I want to make it connect to the Firestore on a project of a different organization. How can it connect to Firestore?

I created a service of Cloud Run for Anthos on GKE on ProjectA of OrganizationA. The programming language of the service of Cloud Run is Java, google-cloud-firestore library.

And I created a Firestore DB on ProjectB of OrganizationB (no organization).

And then, when I tried to access the Firestore DB from the Cloud Run service, I got the error message like below.

{"message":"Internal Server Error: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Missing or insufficient permissions."}
-- SpaceNet
google-anthos
google-cloud-firestore
google-cloud-run
google-kubernetes-engine
java

1 Answer

9/27/2019

It all depends on your requirement. According to this page, grant the service account roles/datastore.user or roles/datastore.viewer in the IAM section of project B (click on Add and paste the email of the service account).

Depending on your GKE deployment, the service account can be the default compute service account (<projectNumber>-compute@developer.gserviceaccount.com) or something else if you have customized your cluster/Workload Identity.

-- guillaume blaquiere
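The code side of the setup above, as an added example that is not from the question or the answer: the Firestore client in the Cloud Run service (project A) must be pointed at project B's ID explicitly, because the google-cloud-firestore library otherwise derives the project from the environment it runs in, which on GKE is project A; the credentials come from Application Default Credentials, i.e. the GKE service account that the answer says to grant roles/datastore.user or roles/datastore.viewer in project B. The project ID and collection name are placeholders.

```java
import com.google.api.core.ApiFuture;
import com.google.api.gax.rpc.PermissionDeniedException;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.firestore.DocumentSnapshot;
import com.google.cloud.firestore.Firestore;
import com.google.cloud.firestore.FirestoreOptions;

import java.io.IOException;

public class CrossProjectFirestore {
    // Placeholder: the project ID of project B, where the Firestore database lives.
    private static final String FIRESTORE_PROJECT_ID = "project-b-id";

    public static Firestore newClient() throws IOException {
        // On GKE, Application Default Credentials resolve to the node or
        // Workload Identity service account; that account is the one that
        // needs the Datastore role in project B.
        GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
        return FirestoreOptions.newBuilder()
                // Without this, the client targets the project the cluster runs in (project A).
                .setProjectId(FIRESTORE_PROJECT_ID)
                .setCredentials(credentials)
                .build()
                .getService();
    }

    // Reads one document; returns whether it exists. A read only needs
    // roles/datastore.viewer, a write would need roles/datastore.user.
    public static boolean probe(Firestore db, String collection, String docId) throws Exception {
        ApiFuture<DocumentSnapshot> future = db.collection(collection).document(docId).get();
        return future.get().exists();
    }

    public static void main(String[] args) throws Exception {
        try (Firestore db = newClient()) {
            System.out.println("document exists: " + probe(db, "healthchecks", "probe"));
        } catch (PermissionDeniedException e) {
            // The same error the question shows; it means the IAM grant in
            // project B is missing for the service account actually in use.
            System.err.println("PERMISSION_DENIED from project " + FIRESTORE_PROJECT_ID
                    + ": grant roles/datastore.viewer or roles/datastore.user to the"
                    + " service account the GKE workload runs as. " + e.getMessage());
        }
    }
}
```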
Source: StackOverflow