google-app-engine google-cloud-datastore

How to block read permission for Google Cloud Datastore


We are looking to store some NoSQL data and have some specific permission requirements. We want to have two types of interactions with Cloud Datastore:

1. Via API
2. Via Developer Console

Via the API, we want to create/upload objects, but the API should not be able to read/search the entities. So the API should have write-only permissions.

Via the console, we want our support team to read/download objects, but not let them edit/upload objects.

We were able to figure out that it's possible to give read-only access to team members, so they will be able to just read/retrieve objects from the console, but the problem we are facing is how to block read access via the API. Is there any way to control access for the Google Cloud Datastore API, or any workaround to solve this problem?


Solution

  • Cloud Datastore does not currently support write-only permissions.

    As you've noted, you can assign read-only permissions by assigning team members the "Can view" role instead of the "Can edit" or "Owner" role.