DEV Community


Discussion on: How to backup your Firestore data automatically

gblaquiere profile image
blaquiere guillaume

Thanks for this great idea!

However, I'm skeptical about security management:

  • The service account has to have owner role? It's not too much?
  • Why adding the other roles if the service account is owner?
  • This highly granted role is simply base64 encoded and let in "clear" in environment variable!

Why do not simply consider this:

  • Rely on Cloud Run identity and grant the sufficient role on it
  • If you really need an additional/external service account, you maybe can consider berglas. If your code is in Go or in Python, you can easily use it (I wrote the Python lib for reading secrets from bucket)
jlandure profile image
Julien Landuré Author

Hi Guillaume 👋

Thanks for your feedback. 👍
I invite you to report the error on the github of the project here.

For the service account and the ownerrole, I just followed the documentation here.
Perhaps we could use the Cloud Run service account.

This first tutorial on "how to backup your Firestore data" is described to show a simple usecase. I understand your advices on security management. Your idea to use KMS is interesting.

Thank you.

gblaquiere profile image
blaquiere guillaume

I created the issue #7 and the pull request #8

Security still can be higher, with private Cloud Run, and Cloud Scheduler with a service account identity and the role run.invoker granted on it for calling the Cloud Run.

Unrelated comment: I hope you enjoy your GDE Summit weekend!