ReTool doesn't connect to firestore

I just wanted to verify that retool does not currently connect with firestore?
I have been trying for days now, and it does not work. I have connected many other things before, from other services, and create many GCP service accounts but it does not work at all.

Everytime I paste in my service account JSON and connect it says:


Test connection failed (0.843s):Missing or insufficient permissions.

  1. :arrow_forward:{query: "getCollectionsFirestore", error: Object}
  2. query: "getCollectionsFirestore"
  3. :arrow_forward:error: Object
    1. message: "Missing or insufficient permissions."

I have made it so the firebase rules will not restrict anything.
I have added the firewall rules.
I have added all the service account IAM roles, including owner to bypass anything. They include:

"Cloud Datastore Owner, Editor, Firebase Authentication Admin, Firebase Rules Firestore Service Agent, Firebase Rules Viewer, Firestore Service Agent, Owner"

I have even tested the service account JSON locally and it works fine. This seems to be a retool limitation. I am at a loss here and really wanted to use retool, but I guess that is just not possible now unfortunately. Are there plans to connect to firestore in the future?

Just to update on this... I used the exact same service account key in jetadmin.io and it worked instantly with no issues at all. This is definitely a retool issue, and it is very disappointing since I wasted so much time on this (many hours over multiple days). Horrible documentation, no support, poor product. I do like the template better, that is why I wanted to use retool, but unless I am the "tool" here and not retool, and I missed something simple, I probably won't be back. Sad because retool is what I did want to use.

Hi @steve0k, welcome to the forum! :wave:

We haven't found any issues with our Firebase API connector. I'm able to query my own Firestore database right now:

However, on your end, you have highly permissive access configuration. In order to find the root cause of this issue, please expand on the following:

  • How is that you are connected to Firebase?
  • Did you use Retool's built-in API connector?
  • How is this connection similar/different from the one you set up on jetadmin (screenshots would be great)?

One more thing, please add all the I AM Roles you set up.

For context, when Retool connects to Firebase, it connects to the following service types by default:

Maybe we are missing roles for one of more.

I use the exact same service account key, which works instantly in jetadmin.
Maybe I am using some outdated version of retool? I don't see what you see when I try and connect, there is no dropdown for Firestore. I leave the realtime database blank since I don't use that. (I left the service key blank but I usually paste it in there obviously).

These are my service account roles, it lets me read and write in jetadmin:

1 Like

Are you on Cloud or Self-hosted Retool? If Self-hosted, what version?

What I shared shows up when creating a new query once the connection is successful. Because Retool supports those three service types, I suspect it requires roles for all of them.

Let's make sure we include all of the following scopes:
Firestore API: roles/datastore.user, roles/firestore.serviceAgent
Realtime Database: roles/firebase.databaseAdmin, roles/firebase.admin
Firebase Auth: roles/firebaseauth.admin

1 Like

I'm experiencing exactly the same issue, and I've confirmed how Retool responds to user reports on this matter. Like that employee, I currently have a working Firebase configuration, but no matter how perfectly I replicate the IAM and Permission settings from the existing project for a new Firebase project, I cannot get past the "missing or insufficient permissions" error. I even tried the ridiculous solution of giving Firestore full read and write permissions at all times, but it still doesn't work. I fully understand how to connect Firebase projects to Retool and how to configure service accounts, but it simply isn't working right now. Fix this issue. Paulo.

1 Like

Hi @Yongjin_Kim, welcome to the forum. :wave:

Here are the steps I took to connect to a new project using a new service account:

Project and Database:

  1. Create a new project on Firebase (called mine second project).
  2. Set up Cloud Firestore.
  3. Create a database.
  4. Start a new collection.

Service account:

  1. In the Console, go to the project and create a service account:

  2. Give it a name and desired permissions:


  3. Select the service, then go to Keys and create a new key (type JSON):

  4. Download the JSON:

Create the Resource in Retool:

  1. Select Firebase as the resource type:
  2. Name it and paste the downloaded Service account key.
  3. Click Create resource.

Testing from an App:

Could you expand on the details of your configuration?

1 Like

Thanks for the detailed explanation, Paulo. I actually identified the root cause of this issue a few days ago. It's not about permissions or anything like that; the problem occurs when an existing Firebase Resource is duplicated. When you duplicate an existing Firebase Resource, no matter what service account key you change it to, it will only work with the original service account key (or other service account keys for the original firebase db), otherwise, it will throw a "missing permission" error. This means that a Retool Firebase resource, once created, becomes fixed to a specific database URL. And you guys don't mention that anywhere in your UIs and documentation. This is definitely a problem that needs to be fixed. Either duplicating should be disabled, or when a resource is duplicated, there should be a clear indication that the resource entry is fixed to a specific Firebase project. As you mentioned, if you create a new resource instead of duplicating, this issue doesn’t occur and everything works smoothly.

1 Like

Thanks for sharing your findings! After a few tests, I'm experiencing something very similar to what you describe.

  • If I create a new key for the same Service Account used in the original resource, I can connect without issues.
  • If I create a new Service Account and a key for that account, I run into the error described above:
  • If I create a new Resource and use the newly created Service Account and key, I can also connect successfully.

I'm not an expert in Firebase authentication, so I might be overlooking something. However, the fact that the third bullet point works while the second one doesn’t makes me think that there is, in fact, an issue with a cloned resource.

I created a new resource and clone for the internal bug report, and I noticed that although it couldn't connect to the resource initially, it did after a few minutes. Could you try again on your end? I wonder if it just takes a while for Retool to recognize the new Service Account.

My original Resource also connects with the existing configuration (second bullet point above):

I'm having similar issues but with having a 2nd staging environment on a firebase resource.

This staging environment should point to our staging firebase project and therefore use our firebase key but we get "missing or insufficient permissions".

The same firebase key works when creating a new resource.

Hi @lucashh, welcome to the forum, and thank you for sharing your experience!
Is the issue persisting after a few minutes?

Hi, it's been 24 hours and it still does not work.

Thank you for checking. I'll try reproducing again on my end.

@steve0k, did creating a new Resource work for you as well?

While we further investigate and fix this issue of duplicating a Firebase Resource, I would love to know if this workaround is unblocking all of us.

Here is my repro attempt:

I have two Firebase projects: first-project (prod) and second-project (staging).

  1. I have an existing working Resource named test for first-project.
  2. I cloned the test Resource and changed the service account key for one I have for second-project. I named this duplicate Resource test-2.
  3. I tested the connection of test-2, and it was successful:
    Screenshot 2025-01-08 at 10.45.24 AM
  4. Checked the original Resource just in case and it's also successful:
  5. Screenshot 2025-01-08 at 10.45.45 AM
  6. I queried the Firestore db using test-2 with no issues:

Is the same flow leading to the error on your end?

In your example, I can also sucessfully query "second-project" in "test-2" (aka a new firebase resource).

What I am saying is the "test" resource, which points to "first-project" in the production environment and works, but pointing the staging environment in the same resource to "test-2" doesn't work and produces the error:

Sorry for the confusion and thank you for clarifying. Are you experiencing this on Cloud or a Self-hosted instance?

It's working for me on Cloud. In the Firestore DB of first-project I only have a users collection:

While in the DB of the second-project I only have a customers collection:

After adding the service account key for the staging env on the test resource (using second-project's credentials):

I can query the DB in production (first-project), and the dropdown only shows the collection that exists in that project:

When I change the environment to staging, I'm able to query the DB of second-project, and the dropdown only shows the collection for the associated DB: