I just wanted to verify that retool does not currently connect with firestore?
I have been trying for days now, and it does not work. I have connected many other things before, from other services, and created many GCP service accounts, but it does not work at all.
Every time I paste in my service account JSON and connect it says:
Test connection failed (0.843s):Missing or insufficient permissions.
{query: "getCollectionsFirestore", error: Object}
query: "getCollectionsFirestore"
error: Object
message: "Missing or insufficient permissions."
I have made it so the firebase rules will not restrict anything.
I have added the firewall rules.
I have added all the service account IAM roles, including owner to bypass anything. They include:
"Cloud Datastore Owner, Editor, Firebase Authentication Admin, Firebase Rules Firestore Service Agent, Firebase Rules Viewer, Firestore Service Agent, Owner"
I have even tested the service account JSON locally and it works fine. This seems to be a retool limitation. I am at a loss here and really wanted to use retool, but I guess that is just not possible now unfortunately. Are there plans to connect to firestore in the future?
Just to update on this... I used the exact same service account key in jetadmin.io and it worked instantly with no issues at all. This is definitely a retool issue, and it is very disappointing since I wasted so much time on this (many hours over multiple days). Horrible documentation, no support, poor product. I do like the template better, that is why I wanted to use retool, but unless I am the "tool" here and not retool, and I missed something simple, I probably won't be back. Sad because retool is what I did want to use.
I use the exact same service account key, which works instantly in jetadmin.
Maybe I am using some outdated version of retool? I don't see what you see when I try and connect, there is no dropdown for Firestore. I leave the realtime database blank since I don't use that. (I left the service key blank but I usually paste it in there obviously).
Are you on Cloud or Self-hosted Retool? If Self-hosted, what version?
What I shared shows up when creating a new query once the connection is successful. Because Retool supports those three service types, I suspect it requires roles for all of them.
Let's make sure we include all of the following scopes:
Firestore API: roles/datastore.user, roles/firestore.serviceAgent
Realtime Database: roles/firebase.databaseAdmin, roles/firebase.admin
Firebase Auth: roles/firebaseauth.admin
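An added example, not part of the original thread and not Retool's code: an offline check of which roles from the list above a service account key actually holds in a project, and whether the key belongs to the project the resource is meant to reach. It assumes the policy JSON has the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the function name `audit_key` and the sample key and policy are constructed for illustration.

```python
import json

# Role names copied from the reply above, grouped by the service they were listed under.
EXPECTED_ROLES = {
    "Firestore API": ["roles/datastore.user", "roles/firestore.serviceAgent"],
    "Realtime Database": ["roles/firebase.databaseAdmin", "roles/firebase.admin"],
    "Firebase Auth": ["roles/firebaseauth.admin"],
}

def audit_key(key_json, policy_json, expected_project):
    """Compare a service account key with the IAM policy of the project a resource should use."""
    key = json.loads(key_json)
    policy = json.loads(policy_json)
    member = "serviceAccount:" + key["client_email"]
    # Roles bound directly to this service account in the project policy.
    granted = sorted(
        b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])
    )
    wanted = {role for roles in EXPECTED_ROLES.values() for role in roles}
    missing = {}
    for service, roles in EXPECTED_ROLES.items():
        absent = [r for r in roles if r not in granted]
        if absent:
            missing[service] = absent
    return {
        "key_project": key.get("project_id"),
        "project_matches": key.get("project_id") == expected_project,
        "granted": granted,
        "missing": missing,
        "extra": [r for r in granted if r not in wanted],
    }

# Constructed sample input: a key issued in first-project (private key omitted)
# checked against a constructed policy for second-project.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "first-project",
    "client_email": "retool@first-project.iam.gserviceaccount.com",
})
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/datastore.user",
     "members": ["serviceAccount:retool@first-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:retool@first-project.iam.gserviceaccount.com"]},
    {"role": "roles/firebaseauth.admin", "members": ["user:admin@example.com"]},
]})

if __name__ == "__main__":
    print(json.dumps(audit_key(SAMPLE_KEY, SAMPLE_POLICY, "second-project"), indent=2))
```

The check only sees roles bound directly to the service account in the project policy; roles inherited through a group or a parent folder do not appear in `granted`.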
I'm experiencing exactly the same issue, and I've confirmed how Retool responds to user reports on this matter. Like that employee, I currently have a working Firebase configuration, but no matter how perfectly I replicate the IAM and Permission settings from the existing project for a new Firebase project, I cannot get past the "missing or insufficient permissions" error. I even tried the ridiculous solution of giving Firestore full read and write permissions at all times, but it still doesn't work. I fully understand how to connect Firebase projects to Retool and how to configure service accounts, but it simply isn't working right now. Fix this issue. Paulo.
Thanks for the detailed explanation, Paulo. I actually identified the root cause of this issue a few days ago. It's not about permissions or anything like that; the problem occurs when an existing Firebase Resource is duplicated. When you duplicate an existing Firebase Resource, no matter what service account key you change it to, it will only work with the original service account key (or other service account keys for the original firebase db), otherwise, it will throw a "missing permission" error. This means that a Retool Firebase resource, once created, becomes fixed to a specific database URL. And you guys don't mention that anywhere in your UIs and documentation. This is definitely a problem that needs to be fixed. Either duplicating should be disabled, or when a resource is duplicated, there should be a clear indication that the resource entry is fixed to a specific Firebase project. As you mentioned, if you create a new resource instead of duplicating, this issue doesn’t occur and everything works smoothly.
If I create a new Resource and use the newly created Service Account and key, I can also connect successfully.
I'm not an expert in Firebase authentication, so I might be overlooking something. However, the fact that the third bullet point works while the second one doesn’t makes me think that there is, in fact, an issue with a cloned resource.
I created a new resource and clone for the internal bug report, and I noticed that although it couldn't connect to the resource initially, it did after a few minutes. Could you try again on your end? I wonder if it just takes a while for Retool to recognize the new Service Account.
My original Resource also connects with the existing configuration (second bullet point above):
I'm having similar issues but with having a 2nd staging environment on a firebase resource.
This staging environment should point to our staging firebase project and therefore use our firebase key but we get "missing or insufficient permissions".
The same firebase key works when creating a new resource.
In your example, I can also successfully query "second-project" in "test-2" (aka a new firebase resource).
What I am saying is the "test" resource, which points to "first-project" in the production environment and works, but pointing the staging environment in the same resource to "test-2" doesn't work and produces the error:
When I change the environment to staging, I'm able to query the DB of second-project, and the dropdown only shows the collection for the associated DB: