0

I'm trying to use the Google Firestore library https://firebase.google.com/docs/firestore to insert a document into a collection.

    use Google\Cloud\Firestore\FirestoreClient;

    $id = 123;
    $data = ['message' => 123];
    $db = new FirestoreClient([
        'projectId' => 'myProject'
    ]);
    $db->collection('messages')->document($id)->create($data);

But I get this error:

Google\Cloud\Core\Exception\ServiceException: { "message": "Missing or insufficient permissions.", "code": 7, "status": "PERMISSION_DENIED"

The reason was that I've set up security rules which check for authentication. I know how to create the token, but I could not find any documentation related to passing those custom tokens in the headers of the Google Firebase client.

Ask17
  • 72
  • 8
  • It looks like you don't have permission to read messages. You are getting the error because you are not allowed to access documents of the collection called messages. In order to fix this, you have to log in to your Firebase console. Navigate to Database > under Firestore Database, you have to click on Rules. [See](https://firebase.google.com/docs/firestore/security/get-started#allow-all). The simplest (but least locked down) version is in the ALLOW ALL box of the second example on that page. Hope this helps! – Priyashree Bhadra Nov 28 '21 at 13:18
  • Thanks, I know the reason and I've explained that in the question itself, what I want is to authenticate using the FirestoreClient PHP sdk. – Ask17 Nov 28 '21 at 13:38
  • Are your firestore rules set properly as [this](https://firebase.google.com/docs/firestore/security/get-started#allow-all)? – Priyashree Bhadra Nov 28 '21 at 15:59
  • They've explained: // Allow read/write access to all users under any conditions // Warning: **NEVER** use this rule set in production; it allows // anyone to overwrite your entire database. – Ask17 Nov 29 '21 at 06:51
  • Have a look at this [stackoverflow thread](https://stackoverflow.com/a/61106993/15803365) and let me know if it helps you. – Priyashree Bhadra Nov 29 '21 at 11:00

1 Answer

0

Hello,

I had the same issue while trying to authenticate with service account credentials (those should bypass the Firestore rules if you gave them the necessary permissions to perform certain actions; you can do this in the service account configuration).

To solve this issue I changed the way I was specifying the key file path:

This way was giving me exactly the above error: specifying the key file path with the global variable GOOGLE_APPLICATION_CREDENTIALS, just as the Google quickstart documentation recommends.

    use Google\Cloud\Firestore\FirestoreClient;

    /**
    * Initialize Cloud Firestore with default project ID.
    */
    function setup_client_create(?string $projectId = null)
    {
        // This was working fine till I changed my Firestore rules
        // to a more secure configuration
        $_SERVER["GOOGLE_APPLICATION_CREDENTIALS"] = "/path/to/your/keyfile.json";

        // Create the Cloud Firestore client
        if (empty($projectId)) {
            // The `projectId` parameter is optional and represents which project the
            // client will act on behalf of. If not supplied, the client falls back to
            // the default project inferred from the environment.
            $db = new FirestoreClient();
            printf('Created Cloud Firestore client with default project ID.' . PHP_EOL);
        } else {
            $db = new FirestoreClient([
                'projectId' => $projectId
            ]);
            printf('Created Cloud Firestore client with project ID: %s' . PHP_EOL, $projectId);
        }
    }

Then I tried this other way, which allowed me to go through the Firestore rules. In their repository you can see that the FirestoreClient constructor has a configuration array as a parameter; in this configuration array you can use the key "keyFilePath" to specify the path to your service account key file. It's just the same thing that the global variable GOOGLE_APPLICATION_CREDENTIALS was doing.

    use Google\Cloud\Firestore\FirestoreClient;

    /**
    * Initialize Cloud Firestore with default project ID.
    */
    function setup_client_create(?string $projectId = null)
    {
        // Create the Cloud Firestore client
        if (empty($projectId)) {
            // The `projectId` parameter is optional and represents which project the
            // client will act on behalf of. If not supplied, the client falls back to
            // the default project inferred from the environment.
            $db = new FirestoreClient();
            printf('Created Cloud Firestore client with default project ID.' . PHP_EOL);
        } else {
            // I specified the key file path in the configuration array of
            // the FirestoreClient constructor.
            // Doing it this way worked nicely for me and
            // my requests started going through the Firestore rules
            $db = new FirestoreClient([
                'keyFilePath' => '/path/to/your/keyfile.json',
                'projectId' => $projectId,
            ]);
            printf('Created Cloud Firestore client with project ID: %s' . PHP_EOL, $projectId);
        }
    }

I hope it helps you and everyone having the same issue.

GaelCodes
  • 21
  • 3
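
One way to fail early on a bad or over-exposed key file before building the client with the `keyFilePath` option used in the answer above. This is an added example, not code from the original posts. The helper names and the path are hypothetical, and it assumes a POSIX host, PHP 7.3+ and the google/cloud-firestore Composer package.

```php
<?php
// Added example: helper names and the key path are hypothetical.
require 'vendor/autoload.php';

use Google\Cloud\Firestore\FirestoreClient;

/**
 * Check a service account key file before handing its path to FirestoreClient.
 * Returns the decoded key so the caller can read project_id from it.
 */
function load_service_account_key(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("Key file not found or unreadable: $path");
    }
    // The key grants IAM access to the project, so refuse files that
    // group or other users can read (anything beyond 0600 / 0400).
    if ((fileperms($path) & 0077) !== 0) {
        throw new RuntimeException("Key file permissions too open: $path");
    }
    $key = json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
    foreach (['type', 'project_id', 'client_email', 'private_key'] as $field) {
        if (empty($key[$field])) {
            throw new RuntimeException("Key file is missing field '$field'");
        }
    }
    if ($key['type'] !== 'service_account') {
        throw new RuntimeException("Expected a service_account key, got '{$key['type']}'");
    }
    return $key;
}

function create_firestore_client(string $keyPath, ?string $projectId = null): FirestoreClient
{
    $key = load_service_account_key($keyPath);
    return new FirestoreClient([
        'keyFilePath' => $keyPath,
        // Fall back to the project named in the key when none is given.
        'projectId'   => $projectId ?? $key['project_id'],
    ]);
}

$db = create_firestore_client('/path/to/your/keyfile.json');
$db->collection('messages')->document('123')->create(['message' => 123]);
```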