I have a backend server with a PostgreSQL DB. I need to write to my Firestore database when one of the mutations is triggered.
My backend server will be dockerized and run on Google Cloud Run.
Upon reading the docs, my initial plan is to use the env GOOGLE_APPLICATION_CREDENTIALS to authorize my backend server. But on further reading of Google Cloud Run's docs, I came across this warning.
I'm wondering what the usual/best approach is for authorizing backend servers in these types of setups. Any help/suggestions would be much appreciated. Thanks!

Google client libraries use an authentication mechanism where they either use the credentials file referenced in GOOGLE_APPLICATION_CREDENTIALS, or make a request to the Google metadata service to get the service identity of the calling resource. So you should be able to set the appropriate permission on the service account associated with that Cloud Run service, such as datastore.user. You can see the service account associated with the service on the Cloud Run page. I don't recall the default service account, but I would generally recommend creating a service account for each Cloud Run service to keep permissions as narrow and specific as possible.
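
The setup described in the answer above, as an added example that is not part of the original answer: a dedicated service account granted only roles/datastore.user and attached to the Cloud Run service, with no key file and no GOOGLE_APPLICATION_CREDENTIALS in the container. The project ID, region, service name, image and account name are placeholder assumptions.

```shell
#!/usr/bin/env bash
# Added example: one narrowly scoped service account per Cloud Run service.
# All values below are placeholders (assumptions); override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
SERVICE="${SERVICE:-backend-api}"
IMAGE="${IMAGE:-gcr.io/${PROJECT_ID}/backend-api:latest}"
SA_NAME="${SA_NAME:-backend-api-run}"

# Full e-mail form of the service account identity.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$SA_NAME" "$PROJECT_ID"
}

# Print each command; execute it only when APPLY=1 (default is a dry run).
run() {
  printf '+ %s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

provision() {
  # 1. Identity used by this service and nothing else.
  run gcloud iam service-accounts create "$SA_NAME" \
    --project "$PROJECT_ID" --display-name "Cloud Run: $SERVICE"

  # 2. Grant only the Firestore/Datastore read-write role.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$(sa_email)" --role "roles/datastore.user"

  # 3. Deploy with that identity. The client library then obtains tokens
  #    from the metadata service, so no credentials file ships in the image.
  run gcloud run deploy "$SERVICE" --project "$PROJECT_ID" --region "$REGION" \
    --image "$IMAGE" --service-account "$(sa_email)"
}

provision
```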