How to connect Cloud Run to NoSQL Firestore

By Google Cloud Tech

Cloud Run and Firestore Integration: A Step-by-Step Guide

Key Concepts:

  • Cloud Run: A fully managed serverless platform for deploying containerized applications.
  • Firestore: Google Cloud's NoSQL document database, built for automatic scaling, high performance, and ease of application development.
  • Service Account: A special type of Google Cloud account intended for non-human users (e.g., applications) to authenticate and access Google Cloud resources.
  • Principle of Least Privilege: Granting a service account only the minimum necessary permissions to perform its tasks.
  • Firebase Client Library: A set of tools and APIs that allow applications to interact with Firebase services, including Firestore.
  • Multi-Regional Database: A Firestore database that replicates data across multiple geographic regions for high availability and durability.

1. Setting up the Environment

  • The demo starts in the Cloud Shell Editor, showcasing a Python Flask application designed to interact with Firestore.
  • The Cloud Firestore API needs to be enabled. The presenter mentions it was previously enabled.
  • The Flask app features an input box for user data entry and a display area to show saved data retrieved from Firestore.

2. Connecting the Application to Firestore

  • Adding the Firebase Client Library: The firebase-admin library is added to the requirements.txt file. This library provides the necessary tools to interact with Firestore.
  • Referencing the Firestore Database: The code initializes a reference to the Firestore database using the Firebase Admin SDK.
  • Writing Data to Firestore: Code is added to write user-entered text to Firestore. The data is stored in a collection and document within the database.
  • Real-time Data Updates: The application displays the newly added data below the input box, demonstrating Firestore's real-time data synchronization capabilities.

3. Implementing the Principle of Least Privilege with Service Accounts

  • Creating a Service Account: A new service account named "firestore-sa" is created specifically for the Cloud Run service.
  • Assigning Permissions: The service account is granted the "Cloud Datastore User" role, which allows it to read and write data to Firestore.
  • Service Account Identifier: The email address of the service account is copied, as it serves as the unique identifier for the service account.
  • Rationale: Using a service account with limited permissions enhances security by restricting the Cloud Run service's access to only the necessary Firestore resources.

4. Deploying to Cloud Run

  • Using the gcloud run deploy Command: The gcloud run deploy command is used to deploy the application to Cloud Run.
    • gcloud run deploy: The base command for deploying to Cloud Run.
    • --service: Specifies the name of the service.
    • --source: Indicates the location of the source code.
    • --service-account: Specifies the email address of the service account to be used as the Cloud Run service's identity.
  • Region Selection: The user is prompted to select a region for the deployment.
  • Unauthenticated Invocations: The user is prompted to allow unauthenticated invocations to make the service publicly accessible.
  • Database Creation (If Necessary): If a default Firestore database hasn't been created, an error message with a link to create one will appear. The presenter's database is multi-regional.
  • Deployment Process: The deployment process involves building the container image, creating a new revision, and routing 100% of the traffic to the new revision.

5. Verification and Testing

  • Cloud Console Verification: The Cloud Console is used to verify that the Cloud Run service is using the correct service account as its identity. This is shown on the Revisions tab, under Security.
  • Web Application Testing: The deployed web application is accessed, and data is entered into the input form.
  • Firestore Data Verification: The Firestore database in the Cloud Console is checked to confirm that the data entered through the web application has been successfully saved. The collection, document, and text are verified.
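
The identity check above and the least-privilege grant from section 3 can also be verified from exported JSON instead of the console. The following is an added example, not code from the video: it assumes the inputs are the parsed output of `gcloud run services describe SERVICE --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`, and the project ID, project number and function names are constructed for illustration.

```python
# Audit a Cloud Run service's runtime identity and that identity's project-level roles.
# Inputs: parsed JSON from the two gcloud commands named in the lead-in (assumption).
ALLOWED_ROLES = {"roles/datastore.user"}   # role ID of "Cloud Datastore User"
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
DEFAULT_COMPUTE_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample data; project ID and project number are placeholders.
SA = "firestore-sa@example-project.iam.gserviceaccount.com"
SERVICE_GOOD = {"spec": {"template": {"spec": {"serviceAccountName": SA}}}}
SERVICE_DEFAULT = {"spec": {"template": {"spec": {
    "serviceAccountName": "123456789012" + DEFAULT_COMPUTE_SUFFIX}}}}
POLICY_GOOD = {"bindings": [
    {"role": "roles/datastore.user", "members": ["serviceAccount:" + SA]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}
POLICY_BROAD = {"bindings": [
    {"role": "roles/datastore.user", "members": ["serviceAccount:" + SA]},
    {"role": "roles/editor", "members": ["serviceAccount:" + SA]},
]}


def runtime_identity(service):
    """Return the service account the revision template runs as, or None."""
    spec = service.get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("serviceAccountName")


def roles_for(policy, sa_email):
    """Project-level roles bound directly to the service account."""
    member = "serviceAccount:" + sa_email
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(service, policy, expected_sa):
    """Return a list of least-privilege findings; an empty list means clean."""
    findings = []
    actual = runtime_identity(service)
    if actual is None or actual.endswith(DEFAULT_COMPUTE_SUFFIX):
        findings.append("service runs as the default compute service account")
    elif actual != expected_sa:
        findings.append("service runs as " + actual)
    roles = roles_for(policy, expected_sa)
    for role in sorted(roles - ALLOWED_ROLES):
        kind = "basic" if role in BASIC_ROLES else "extra"
        findings.append(kind + " role on service account: " + role)
    if not roles & ALLOWED_ROLES:
        findings.append("service account lacks roles/datastore.user")
    return findings
```

Roles inherited from a folder or organization, or granted through group membership, do not appear in the project policy and are outside this check.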

6. Key Takeaways and Conclusion

  • The video demonstrates how to connect a Cloud Run service to Firestore, Google Cloud's NoSQL database.
  • It emphasizes the importance of using service accounts with the principle of least privilege to secure access to Firestore.
  • The presenter mentions a codelab on uploading and serving images using Cloud Storage, Firestore, and Cloud Run.
  • The main takeaways are the ease of integrating Cloud Run with Firestore and the importance of secure access management using service accounts.
