[Firestore] Permission denials different when using `GOOGLE_APPLICATION_CREDENTIALS` versus setCredentials
I've got the following piece of code in the Firestore snippets:
```java
String returnInfoFromTransaction(long population) throws Exception {
  Map<String, Object> map = new HashMap<>();
  map.put("population", population);
  // Block until the write is complete using get()
  db.collection("cities").document("SF").set(map).get();
  // [START fs_return_info_transaction]
  final DocumentReference docRef = db.collection("cities").document("SF");
  ApiFuture<String> transaction =
      db.runTransaction(
          new Transaction.Function<String>() {
            @Override
            public String updateCallback(Transaction transaction) throws Exception {
              DocumentSnapshot snapshot = transaction.get(docRef).get();
              Long newPopulation = snapshot.getLong("population") + 1;
              // conditionally update based on current population
              if (newPopulation <= 1000000L) {
                transaction.update(docRef, "population", newPopulation);
                return "Population increased to " + newPopulation;
              } else {
                throw new Exception("Sorry! Population is too big.");
              }
            }
          });
  // Print information retrieved from transaction
  System.out.println(transaction.get());
  // [END fs_return_info_transaction]
  return transaction.get();
}
```
I can initialize Firestore in two ways:

Option 1: Environment var

```
$ export GOOGLE_APPLICATION_CREDENTIALS="/usr/local/google/home/samstern/service-accounts/firestore-snippets/keyfile.json"
```

```java
FirestoreOptions firestoreOptions = FirestoreOptions.getDefaultInstance().toBuilder()
    .setProjectId(projectId)
    .build();
```

Option 2: Explicit

```java
FirestoreOptions firestoreOptions = FirestoreOptions.getDefaultInstance().toBuilder()
    .setCredentials(GoogleCredentials.fromStream(new FileInputStream("/usr/local/google/home/samstern/service-accounts/firestore-snippets/keyfile.json")))
    .setProjectId(projectId)
    .build();
```
In both cases most of my API calls work (read, write, update, etc). However in the case of using the `GOOGLE_APPLICATION_CREDENTIALS` environment variable I get failures when running transactions and calling `DocumentReference#getCollections()`:
```
java.util.concurrent.ExecutionException: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Missing or insufficient permissions.
    at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:500)
    at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:479)
    at com.google.api.core.AbstractApiFuture.get(AbstractApiFuture.java:56)
    at com.example.firestore.snippets.ManageDataSnippetsIT.testSimpleTransaction(ManageDataSnippetsIT.java:150)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
    at org.junit.runners.Suite.runChild(Suite.java:128)
    at org.junit.runners.Suite.runChild(Suite.java:27)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
    at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
    at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
    at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)
Caused by: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Missing or insufficient permissions.
    at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:55)
    at com.google.api.gax.grpc.GrpcExceptionCallable$ExceptionTransformingFuture.setException(GrpcExceptionCallable.java:118)
    at com.google.api.gax.grpc.GrpcExceptionCallable$ExceptionTransformingFuture.onFailure(GrpcExceptionCallable.java:101)
    at com.google.api.core.ApiFutures$1.onFailure(ApiFutures.java:61)
    at com.google.common.util.concurrent.Futures$4.run(Futures.java:1123)
    at com.google.common.util.concurrent.MoreExecutors$DirectExecutor.execute(MoreExecutors.java:435)
    at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:900)
    at com.google.common.util.concurrent.AbstractFuture.complete(AbstractFuture.java:811)
    at com.google.common.util.concurrent.AbstractFuture.setException(AbstractFuture.java:675)
    at io.grpc.stub.ClientCalls$GrpcFuture.setException(ClientCalls.java:458)
    at io.grpc.stub.ClientCalls$UnaryStreamToFuture.onClose(ClientCalls.java:433)
    at io.grpc.ForwardingClientCallListener.onClose(ForwardingClientCallListener.java:41)
    at io.grpc.internal.CensusTracingModule$TracingClientInterceptor$1$1.onClose(CensusTracingModule.java:339)
    at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:443)
    at io.grpc.internal.ClientCallImpl.access$300(ClientCallImpl.java:63)
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.close(ClientCallImpl.java:525)
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.access$600(ClientCallImpl.java:446)
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:557)
    at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
    at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:107)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:295)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Missing or insufficient permissions.
    at io.grpc.Status.asRuntimeException(Status.java:526)
    ... 17 more
```
Issue Analytics
- State:
- Created 6 years ago
- Comments:13 (8 by maintainers)
Please use `setCredentialsProvider`: https://github.com/googleapis/java-firestore/blob/03ef755dd164e6f1ec749f3f985b913b5ae23d14/google-cloud-firestore-admin/src/main/java/com/google/cloud/firestore/v1/FirestoreAdminClient.java#L110

`setCredentialsProvider` has a higher “priority” and since we have to use it ourselves, you also have to use this method to apply your settings. Unfortunately, I cannot explain why we have two methods to begin with.
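
The following is an added example, not code from the issue or from the library's maintainers. It prints which principal each credential source resolves to, so a permission difference can be tied to an identity, and then builds the options with `setCredentialsProvider` as suggested in the comment above. The class name `CredentialSourceCheck` and the two command-line arguments (key file path, project ID) are assumptions.

```java
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.firestore.Firestore;
import com.google.cloud.firestore.FirestoreOptions;
import java.io.FileInputStream;
import java.io.InputStream;

// Hypothetical helper class; not part of the Firestore snippets.
public class CredentialSourceCheck {

  // Name the principal behind a credential object without printing key material.
  static String describe(GoogleCredentials creds) {
    if (creds instanceof ServiceAccountCredentials) {
      ServiceAccountCredentials sa = (ServiceAccountCredentials) creds;
      return "service account " + sa.getClientEmail()
          + " (key file project: " + sa.getProjectId() + ")";
    }
    return "non-service-account credentials: " + creds.getClass().getSimpleName();
  }

  public static void main(String[] args) throws Exception {
    String keyFile = args[0];   // assumption: path to the service-account key file
    String projectId = args[1]; // assumption: target project ID

    // Source 1: Application Default Credentials, which honour
    // GOOGLE_APPLICATION_CREDENTIALS when it is set.
    GoogleCredentials adc = GoogleCredentials.getApplicationDefault();

    // Source 2: the key file loaded explicitly.
    GoogleCredentials explicit;
    try (InputStream in = new FileInputStream(keyFile)) {
      explicit = GoogleCredentials.fromStream(in);
    }

    System.out.println("ADC:      " + describe(adc));
    System.out.println("Explicit: " + describe(explicit));

    // Pin the credentials through the provider so one identity is used for every call.
    FirestoreOptions options = FirestoreOptions.newBuilder()
        .setProjectId(projectId)
        .setCredentialsProvider(FixedCredentialsProvider.create(explicit))
        .build();

    try (Firestore db = options.getService()) {
      boolean exists = db.collection("cities").document("SF").get().get().exists();
      System.out.println("cities/SF exists: " + exists);
    }
  }
}
```

If the two printed identities differ, compare the IAM roles granted to each one in the target project before looking at the client library.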