FireStore permission denied on basic requests Xamarin Forms

Question

I have been struggling with this problem for a few days now and I am not making much progress, any help would be appreciated. I am new to FireStore but really like the possibilities it offers. I have successfully managed to get basic documents from Android and iOS apps using Plugin.CloudFirestore and Xamarin.Forms.

However I need some back-end services, things like data set-up etc and need to be able to connect to FireStore via regular old C# desktop app. So I followed the quick start guide, Nuget'ed Google.Cloud.Firestore, set the environment variable and no matter how I try the code I get "PERMISSION_DENIED: Missing or insufficient permissions."

Some details, I am using a service account set with Project Owner permissions and have not changed the default access rules yet. I know the environment variable is set-up correctly and the file is found. All packages are most recent. Frustrating that my iOS/Android apps are working, but this is not, I expected more issues with the mobile apps. As I am still exploring all this is just in a unit test so I can execute and change the code pretty quickly.

Help would be really appreciated before I start banging my head on the desk :-)

[TestClass]
public class UnitTest1
{
    [TestMethod]
    public void TestMethod1()
    {
        Task<string> task = Task.Run<string>(async () => await GetUserName());
        var x = task.Result;
        return ;

    }

    private async Task<string> GetUserName()
    {
        string projectId = "matchesJson";
        FirestoreDb db = FirestoreDb.Create(projectId);
        string retVal = "";

        try
        {
            CollectionReference col = db.Collection("users");
            // Exception thrown on next line
            QuerySnapshot snapshot = await col.GetSnapshotAsync();
            // get some data
            retVal = "";
        }
        catch (Exception e)
        {
            retVal =  e.Message;
        }
        return retVal;
    }

}

---- EDIT ADDING RULE ------- -- Today is March 3nd 2020 --

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2020, 3, 28);
    }
  }
}

Answer 1

I found the issue. It is not very clear in the documentation, but when using a service account you need to add the permission to the account separately. This can be done in the google console by searching for the identity and applying the correct permission. For now I granted 'project owner' just for this POC, but there is probably a more granular permission.

Thanks for reading and thanks for the comments 'ralemos'.

Answer 2

As you can check on this documentation, you can see that the default rules are to do not allow anyone read/write access and since you said that you did not change them, this is probably what is causing the issue.

You security rules should now be set to something similar to this:

match /databases/{database}/documents {
  match /{document=**} {
    allow read, write: if false;
  }
}

You have to change the allow part to the following to get access:

allow read, write: if true;

This will allow everyone to access it, if you want to segregate access you will have to figure out what are the conditions to give access according to your app's needs and the documentation mentioned previously should be of help by then too.

Let me know if this works.