Running in Flexible Environment in one project, I want to write to another project using com.google.cloud.datastore.Datastore.
Under what "service account" does code run in Flex Environment? What permissions are needed?
Code:

    Datastore ds = DatastoreOptions.builder().projectId("projectB").build().service();
    ds.put(entity);

Stack trace when permissions are wrong:

    com.google.cloud.datastore.DatastoreException: Missing or insufficient permissions.
        at com.google.cloud.datastore.spi.DefaultDatastoreRpc.translate(DefaultDatastoreRpc.java:105)
        at com.google.cloud.datastore.spi.DefaultDatastoreRpc.commit(DefaultDatastoreRpc.java:133)
        at com.google.cloud.datastore.DatastoreImpl$4.call(DatastoreImpl.java:390)
        at com.google.cloud.datastore.DatastoreImpl$4.call(DatastoreImpl.java:387)
        at com.google.cloud.RetryHelper.doRetry(RetryHelper.java:179)
        at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:244)
        at com.google.cloud.datastore.DatastoreImpl.commit(DatastoreImpl.java:386)
        at com.google.cloud.datastore.DatastoreImpl.commitMutation(DatastoreImpl.java:380)
        at com.google.cloud.datastore.DatastoreImpl.put(DatastoreImpl.java:340)

The answer is: Datastore owner permissions to
<source-project-name>@appspot.gserviceaccount.com
Note that that's the human-readable-string project name, not the numerical ID, as found in other service accounts on the pattern of 999999999999@developer.gserviceaccount.com and the like.
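
One way to apply and then check the grant described in the answer, as an added example that is not part of the original post. The function names are hypothetical, the script assumes an installed and authenticated gcloud CLI, and the role defaults to roles/datastore.owner as the answer states (roles/datastore.user is a narrower predefined role that also covers entity reads and writes).

```shell
#!/usr/bin/env bash
# Added example: SOURCE and TARGET project IDs are supplied by the caller.

# Build the IAM member for a project's App Engine default service account.
# The account is keyed on the project ID string, so a purely numeric
# project number is rejected instead of producing a wrong member name.
sa_member() {
  case "$1" in
    '')       echo "project ID required" >&2; return 2 ;;
    *[!0-9]*) printf 'serviceAccount:%s@appspot.gserviceaccount.com\n' "$1" ;;
    *)        echo "expected a project ID, got a project number: $1" >&2; return 1 ;;
  esac
}

# Grant ROLE on the target project to the source project's App Engine account.
grant_datastore_access() {
  local src="$1" target="$2" role="${3:-roles/datastore.owner}" member
  member="$(sa_member "$src")" || return
  gcloud projects add-iam-policy-binding "$target" \
    --member="$member" --role="$role"
}

# List every role that account holds on the target project, to confirm the
# grant and to spot broader roles it may already have.
roles_held() {
  local src="$1" target="$2" member
  member="$(sa_member "$src")" || return
  gcloud projects get-iam-policy "$target" \
    --flatten='bindings[].members' \
    --filter="bindings.members:$member" \
    --format='value(bindings.role)'
}

# Runs only when called with arguments: ./grant.sh SOURCE TARGET [ROLE]
if [ "$#" -ge 2 ]; then
  grant_datastore_access "$@" && roles_held "$1" "$2"
fi
```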