Summary
I migrated my Firestore resource from the default database (default) to a named database replica. The same service account is used — its access to (default) was revoked, and it has full read/write on replica. GUI mode queries work correctly against replica, but Raw mode throws a PERMISSION_DENIED error.
Error
Error: 7 PERMISSION_DENIED: Missing or insufficient permissions.
What I did
- Updated the Firebase resource in Retool to point to
replicainstead of(default). - Revoked the service account's access to
(default). - Confirmed the service account has read/write access to
replicavia Firebase Console. - GUI mode queries return correct data from
replica. - Raw mode queries on the same resource fail with PERMISSION_DENIED.
What I also tried
- Created a brand new Retool resource explicitly configured for
replicawith the same service account — Raw mode still fails with the same error. - Confirmed the service account has
Cloud Datastore UserandFirebase Adminroles in GCP IAM.
My suspicion
Raw mode may be constructing the Firestore gRPC request using a hardcoded path to (default) rather than picking up the database ID from the resource config — since (default) is the standard database and Retool may not be passing the replica ID through in Raw mode the same way it does in GUI mode. This would explain why GUI works but Raw doesn't.
Environment
- Retool: Cloud (plumhq.retool.com)
- Resource type: Firebase Firestore
- Mode affected: Raw mode only
Question
Does Raw mode require the database ID (replica) to be specified explicitly in the request path, e.g. projects/{project}/databases/replica/documents/...? Or is this a bug where Raw mode ignores the database set in the resource config and always falls back to (default)?
Any help appreciated.