"DatastoreException: Missing or insufficient permissions" on superseded Cloud Datastore

2

8

We have an older application based on the AppEngine SDK (now deprecated) and the superseded Cloud Datastore. In the process of migrating to Google Cloud SDK we also decided to move from JPA/Datanucleus to Objectify.

Given that the Cloud Datastore will be automatically upgraded to Cloud Firestore in Datastore mode sometime in the future, we decided to test our application as described at the bottom of this page: https://cloud.google.com/datastore/docs/upgrade-to-firestore#testing_an_existing_application

1) Create a new project. In this project, create a Cloud Firestore in Datastore mode database.

2) Using the managed export service, export some of your application's data to Cloud Storage.

3) Using the managed import service, import your application's data to your new project.

4) Copy app logic you want to test to the new project or simulate app behaviour against the new project.

That's what we did and after some issues we could make a portion of our application run fine with the new datastore in a separate test project.

Now to the actual issue...

We wanted to test if the updated application could also run with the superseded Cloud Datastore, so we won't have to worry when the automatic upgrade occurs (as our app will be already ready). So we deployed it as a new version of the existing AppEngine project (v2-dot-.....): unfortunately running the new version throws a permission error as soon as the app tries to read the datastore:

com.google.cloud.datastore.DatastoreException: Missing or insufficient permissions

So the questions are:

- could this be related to the Cloud Datastore not being upgraded to Cloud Firestore in Datastore mode for our project yet?
- is there anything we can do (add specific permissions maybe) to make it work anyway?

Our concern is that we need to have the new version of the app deployed before July 2020 (that's when the older AppEngine SDK will stop working), and we are worried that the automatic upgrade of the datastore will occur later.

Thank you for your help.

Farrago answered 6/12, 2019 at 9:13 Comment(4)
Looks like an IAM permission issue. Please make sure that you have the correct IAM permissions when accessing your Cloud Firestore in Datastore mode database. Check out this link. Hope it helps. - Deville
Thank you for your message. The app works fine with Cloud Firestore in Datastore mode; the permission issue occurs when it connects to the older Cloud Datastore. - Farrago
You said that you created a new project that has Cloud Firestore in Datastore mode. Are you using a new App Engine in your new project or are you using the App Engine from your older project? In that case, you will need to give the correct permissions to your new App Engine associated service account to access Cloud Datastore from your older project, as shown in my previous comment. However, if you managed to get Cloud Firestore in Datastore mode working with your App Engine, why would you like to go backwards now? - Deville
I need to upgrade an existing app to the new SDK. But the app still uses Cloud Datastore, until Google automatically converts it to Cloud Firestore in Datastore Mode. So I tested the new version in a new test-only project and it works fine, but now I have to deploy it to the old project (there's a reason why we can't use a new project). But you were right, the issue is IAM and the members. Thanks to your suggestion I found the solution (see my answer below). - Farrago
10

Turned out our project doesn't have the [email protected] member in IAM.

It has a plethora of other members (for example: [email protected], [email protected], [email protected], etc.) which I guess are legacy members used in previous versions of Google App Engine.

Adding [email protected] with the role Editor fixed the issue: now the new version can be deployed to the old projects and it works fine even if the datastore has not yet been converted to Cloud Firestore in Datastore Mode.

Farrago answered 6/12, 2019 at 16:5 Comment(5)
I had the same problem with an old GAE app that was working fine and then suddenly started giving errors. Adding this member to IAM under the (new) GCP Dashboard got the project back up and running. I've not touched this project in ages, so this really helped me out. Thanks a million! - Angy
I'm trying to debug a similar issue but having no luck. It looks like I do have an appspot.gserviceaccount.com listed in my service account section. - Emilemile
This solved my problem too, also on an old app that suddenly started giving errors. Life saver, thank you! I am also curious how you worked this out... I trawled docs for ages but never came close to discovering this issue. - Sirkin
How did you solve this? I found the IAM dashboard but I am having trouble adding this. - Tassel
I had a similar case, but it wasn't when using appspot. In my scenario, I was trying to give credentials to one project, and somehow Datastore's client was trying to point to another project (the instance was on GCE). I've enforced the project when creating the client (DatastoreOptions) and it fixed this error. - Tengler
3

I just ran into this issue and spent way too much time troubleshooting it. Nine times out of ten if you're running into this issue it's because the default App Engine service account doesn't have permission to edit Cloud Datastore. The default App Engine service account is used by default if you're doing a simple gcloud app deploy and nothing else fancy. I solved the problem by giving the default App Engine service account the roles/datastore.owner role with the following:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:PROJECT_ID@appspot.gserviceaccount.com" \
    --role="roles/datastore.owner"
Election answered 29/6, 2021 at 22:32 Comment(1)
gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$PROJECT_ID@appspot.gserviceaccount.com" --role="roles/datastore.owner" - Putrid
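
An added example, not code from any of the answers above: a check over the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` that reports whether the default App Engine service account (`PROJECT_ID@appspot.gserviceaccount.com`) holds a role allowing Datastore reads and writes, and whether that role is wider than `roles/datastore.user`. The project ID `legacy-app`, the sample policy and the function names are constructed for illustration; IAM conditions on bindings are ignored.

```python
import json

# Roles that allow reading and writing Datastore entities, narrowest first.
# Anything after roles/datastore.user grants more than entity access needs.
RW_ROLES = ["roles/datastore.user", "roles/datastore.owner",
            "roles/editor", "roles/owner"]


def default_gae_account(project_id):
    """IAM member string of the default App Engine service account."""
    return f"serviceAccount:{project_id}@appspot.gserviceaccount.com"


def audit(policy, project_id):
    """Classify the default account's Datastore access in an IAM policy.

    `policy` is the dict parsed from the JSON printed by
    `gcloud projects get-iam-policy PROJECT_ID --format=json`.
    """
    member = default_gae_account(project_id)
    held = [b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])]
    granting = [r for r in RW_ROLES if r in held]
    if not granting:
        status = "missing"   # app gets "Missing or insufficient permissions"
    elif granting == ["roles/datastore.user"]:
        status = "ok"
    else:
        status = "broad"     # works, but wider than entity access requires
    fix = None
    if status == "missing":
        fix = (f"gcloud projects add-iam-policy-binding {project_id} "
               f'--member="{member}" --role="roles/datastore.user"')
    return {"member": member, "roles": held, "status": status, "fix": fix}


# Constructed sample: a legacy project whose policy has no binding for the
# default account. "legacy-app" and the members below are made up.
SAMPLE = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789@cloudservices.gserviceaccount.com"]},
  {"role": "roles/owner", "members": ["user:admin@example.com"]}
]}
""")

if __name__ == "__main__":
    print(audit(SAMPLE, "legacy-app"))
```

A `broad` result corresponds to the Editor and `roles/datastore.owner` bindings used in the answers: the error goes away, but the account holds more than entity read/write.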
