Joshua Fox - 1 month ago
Java Question

What service account does Flexible Environment use to access Datastore in another project?

Running in Flexible Environment in one project, I want to write to another project using com.google.cloud.datastore.Datastore.

Under what "service account" does code run in Flex Environment? What permissions are needed?

Code:

Datastore ds = DatastoreOptions.builder().projectId("projectB").build().service();
ds.put(entity);


Stacktrace when permissions are wrong.

com.google.cloud.datastore.DatastoreException: Missing or insufficient permissions.
at com.google.cloud.datastore.spi.DefaultDatastoreRpc.translate(DefaultDatastoreRpc.java:105)
at com.google.cloud.datastore.spi.DefaultDatastoreRpc.commit(DefaultDatastoreRpc.java:133)
at com.google.cloud.datastore.DatastoreImpl$4.call(DatastoreImpl.java:390)
at com.google.cloud.datastore.DatastoreImpl$4.call(DatastoreImpl.java:387)
at com.google.cloud.RetryHelper.doRetry(RetryHelper.java:179)
at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:244)
at com.google.cloud.datastore.DatastoreImpl.commit(DatastoreImpl.java:386)
at com.google.cloud.datastore.DatastoreImpl.commitMutation(DatastoreImpl.java:380)
at com.google.cloud.datastore.DatastoreImpl.put(DatastoreImpl.java:340)

Answer

The answer is: Datastore owner permissions to

<source-project-name>@appspot.gserviceaccount.com

Note that that's the human-readable project name, not the numerical ID, as found in other service accounts on the pattern of 999999999999@developer.gserviceaccount.com and the like.
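
An added example, not part of the original answer: a Python check that reads the target project's IAM policy and lists which other projects' App Engine default service accounts hold roles on it, marking roles that allow Datastore writes and roles broader than `roles/datastore.user`. The policy is a constructed sample in the shape of `gcloud projects get-iam-policy --format=json`; the project IDs `project-a`, `project-b`, `project-c` and the function name are assumptions.

```python
import json
import re

# Constructed sample policy for target project "project-b", in the shape of
# `gcloud projects get-iam-policy project-b --format=json` (not real data).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/datastore.owner",
   "members": ["serviceAccount:project-a@appspot.gserviceaccount.com"]},
  {"role": "roles/datastore.viewer",
   "members": ["serviceAccount:project-c@appspot.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:999999999999@developer.gserviceaccount.com",
               "serviceAccount:project-b@appspot.gserviceaccount.com"]}
]}
""")

# <project-id>@appspot.gserviceaccount.com is the account named in the answer.
APPSPOT_SA = re.compile(
    r"^serviceAccount:([a-z][a-z0-9-]*)@appspot\.gserviceaccount\.com$")

# Predefined roles that permit entity writes such as ds.put(entity).
WRITE_ROLES = {"roles/datastore.user", "roles/datastore.owner",
               "roles/editor", "roles/owner"}
# Narrowest predefined role in that set.
LEAST_PRIVILEGE_WRITE = "roles/datastore.user"


def cross_project_grants(policy, target_project):
    """Return sorted (source_project, role, can_write, broader_than_needed)
    tuples for App Engine default service accounts of other projects."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            match = APPSPOT_SA.match(member)
            if not match or match.group(1) == target_project:
                continue  # not an appspot account, or the target's own account
            can_write = role in WRITE_ROLES
            broader = can_write and role != LEAST_PRIVILEGE_WRITE
            findings.append((match.group(1), role, can_write, broader))
    return sorted(findings)


if __name__ == "__main__":
    for src, role, can_write, broader in cross_project_grants(SAMPLE_POLICY, "project-b"):
        note = ("broader than needed for writes" if broader
                else "sufficient for writes" if can_write else "no write access")
        print(f"{src} -> project-b: {role} ({note})")
```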