Google Cloud Firestore Connection

The Google Cloud Firestore connection integrates your Firestore databases with OpsTower, giving agents the ability to query documents, retrieve specific documents by path, and list collections. The connection supports filtering, ordering, and aggregation operations.

You need a Google Cloud project with Firestore enabled (either Native mode or Datastore mode).

To set up a Firestore connection, you need the following:

  • Service Account JSON — a JSON key file for a GCP service account with Firestore read access
  • GCP Project ID — the identifier for your Google Cloud project
  • Database ID (optional) — the Firestore database ID, defaults to (default)

  1. Go to the Google Cloud Console.
  2. Select your project from the project picker at the top of the page.
  3. Navigate to IAM & Admin > Service Accounts in the left sidebar.
  4. Click Create Service Account.
  5. Enter a name for the service account (e.g., “opstower-firestore”) and an optional description.
  6. Click Create and Continue.
  7. On the Grant this service account access to project step, add the role Cloud Datastore Viewer (roles/datastore.viewer). This grants read-only access to Firestore data.
  8. Click Continue, then Done.
  9. Find your newly created service account in the list and click on it.
  10. Go to the Keys tab.
  11. Click Add Key > Create new key.
  12. Select JSON as the key type and click Create.
  13. The JSON key file will download automatically. Store it securely.

The JSON key file contains sensitive credentials. Do not commit it to version control or share it publicly.

  1. In the Google Cloud Console, look at the project selector at the top of the page.
  2. Your Project ID is displayed below the project name. It is typically a lowercase string with hyphens (e.g., my-project-123456).
  3. You can also find it on the Dashboard page under Project info.

Note: The Project ID is different from the Project Name and the Project Number. Make sure you use the Project ID.

The Database ID is optional and defaults to (default), which is the standard Firestore database in your project.

You only need to specify a Database ID if you are using the Firestore multi-database feature and want to connect to a named database other than the default. Named database IDs can be found in the Google Cloud Console under Firestore > Databases.

  1. In OpsTower, navigate to Connections in the sidebar.
  2. Click Add Connection and select Google Cloud Firestore.
  3. Paste the contents of your Service Account JSON key file.
  4. Enter your GCP Project ID.
  5. Optionally, enter a Database ID if you are connecting to a non-default database.
  6. Click Save to create the connection.

Once connected and enabled on an agent, the agent can:

  • Query documents in a collection with filters (equality, comparison, array membership, etc.)
  • Retrieve a specific document by its full path (e.g., users/abc123)
  • List all top-level collections in the database
  • Perform aggregation queries (count, sum, average) on document fields

All operations are read-only. Agents cannot create, update, or delete documents.

  • Authentication errors: Verify that the Service Account JSON is complete and correctly pasted. Ensure the service account has not been deleted or disabled.
  • Permission denied: Confirm that the service account has the Cloud Datastore Viewer role (roles/datastore.viewer). You can check this under IAM & Admin > IAM in the Google Cloud Console.
  • Project not found: Ensure the GCP Project ID is correct. Use the Project ID (not the Project Name or Project Number).
  • Database not found: If using a non-default database, verify the Database ID matches exactly. Check the database list under Firestore > Databases in the Google Cloud Console.
  • Empty results: Confirm that the collection you are querying exists and contains documents. Firestore collections are created implicitly when documents are added, so an empty collection will not appear in listings.
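
The "Authentication errors" and "Project not found" items above can be caught before saving the connection with an offline pre-flight check of the two pasted values. This is an added example, not OpsTower code: the function name `check_connection_inputs` and the sample key are constructed for illustration, and the field names are those of a standard Google service account JSON key file.

```python
import json
import re

# Fields a Google service account JSON key file carries and a client needs.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")
# Project ID format: 6-30 chars of lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# Constructed sample key: every value is a placeholder, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "my-project-123456",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "opstower-firestore@my-project-123456.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def check_connection_inputs(key_json_text, project_id):
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    if project_id.isdigit():
        problems.append("project_id looks like a Project Number, not a Project ID")
    elif not PROJECT_ID_RE.match(project_id):
        problems.append("project_id is not a valid Project ID (Project Name pasted?)")
    try:
        key = json.loads(key_json_text)
    except json.JSONDecodeError as exc:
        return problems + ["key is not valid JSON (truncated paste?): " + exc.msg]
    if not isinstance(key, dict):
        return problems + ["key JSON is not an object"]
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        problems.append("key is missing fields: " + ", ".join(missing))
    if key.get("type") not in (None, "service_account"):
        problems.append("key type is %r, expected 'service_account'" % key["type"])
    pem = str(key.get("private_key") or "")
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.strip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    email = str(key.get("client_email") or "")
    if email and not email.endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    # The steps on this page create the account in the project being connected,
    # so a differing project_id usually means the wrong key or the wrong ID.
    if key.get("project_id") and key["project_id"] != project_id:
        problems.append("key was issued in project %r, connection targets %r"
                        % (key["project_id"], project_id))
    return problems
```

The check never prints the key material, so its output is safe to paste into a support ticket.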