Create and manage databases (original) (raw)

This page describes how to create, update, and delete Firestore databases. You can create multiple Firestore databases per project. You can use multiple databases to set up production and testing environments, to isolate customer data, and for data regionalization.

Required roles and permissions

To create and manage databases, you'll need the following Identity and Access Management role:

• Cloud Datastore Owner(roles/datastore.owner)

That role grants the following permissions that you need to create and manage databases:

• Create a database: datastore.databases.create
• Read database configuration: datastore.databases.getMetadata
• Configure a database: datastore.databases.update
• Delete a database: datastore.databases.delete
• Clone a database: datastore.databases.clone

Create a database

To create a database, use one of the following methods:

Console

1. In the Google Cloud console, go to the Databases page.
   Go to Databases
2. Click Create a Firestore database.
3. Enter a database ID.
4. Select a Firestore edition. See theeditions overviewto learn more about each edition.
5. Select a data access mode. The data access mode configures which API and which client libraries you can use with your database.
6. If you select Firestore in Native mode:
   • Configure your initial security rules. Select Restrictive if you don't plan to use the Firebase mobile and web SDKs.
   • If you selected Enterprise edition, enable or disable real-time updates for your database.
7. Select a location.
8. (Optional) If you need Customer-managed encryption keys (CMEK), expand and configure the encryption options.
9. Click Create Database.

gcloud

Use thegcloud firestore databases createcommand.

• To create a Firestore Enterprise edition database in Native mode:
  gcloud firestore databases create \
  --database=DATABASE_ID \
  --location=LOCATION \
  --edition=enterprise \
  --enable-firestore-data-access \
  --no-enable-mongodb-compatible-data-access \
  --enable-realtime-updates
  Replace the following:
  • DATABASE_ID: a valid database ID.
  • LOCATION: the name of a Firestore multi-region or region.
• To create a Firestore Standard edition database:
  gcloud firestore databases create \
  --database=DATABASE_ID \
  --location=LOCATION \
  --edition=standard
  --type=DATABASE_TYPE
  Replace the following:
  • DATABASE_ID: a valid database ID.
  • LOCATION: the name of a Firestore multi-region or region.
  • DATABASE_TYPE: either firestore-native for Native mode ordatastore-mode for Datastore mode.

--delete-protection is an optional flag to enable deletion protection. You cannot delete a database with deletion protection enabled until you disable this setting. This setting is disabled by default.

To add tagsto the database, use the--tagsflag. For example:

• --tags=123/environment=production,123/costCenter=marketing
• --tags=tagKeys/333=tagValues/444

Firebase CLI

firebase firestore:databases:create DATABASE_ID \n--location=LOCATION \n[--edition EDITION] \n[--firestore-data-access FIRESTORE_ACCESS] \n[--realtime-updates REALTIME_UPDATES] \n[--delete-protection DELETE_PROTECTION_ENABLEMENT]

Replace the following:

• DATABASE_ID: a valid database ID.
• LOCATION: the name of a Firestore multi-region or region.
• EDITION: For Enterprise features, set to enterprise.
• FIRESTORE_ACCESS: (Enterprise only) ENABLED or DISABLED.
• REALTIME_UPDATES: (Enterprise only) ENABLED or DISABLED.
• DELETE_PROTECTION_ENABLEMENT: Either ENABLED or DISABLED.

Terraform

resource "google_firestore_database" "database" { project = "project-id" name = DATABASE_ID location_id = LOCATION type = DATABASE_TYPE

// Optional delete_protection_state = DELETE_PROTECTION_STATE }

Replace the following:

• DATABASE_ID: a valid database ID.
• LOCATION: the name of aFirestore multi-region or region.
• DATABASE_TYPE: either FIRESTORE_NATIVE for Native mode orDATASTORE_MODE for Datastore mode.
• DELETE_PROTECTION_ENABLEMENT: EitherDELETE_PROTECTION_ENABLED or DELETE_PROTECTION_DISABLED.

delete_protection_state is an optional argument to enable deletion protection. You cannot delete a database with deletion protection enabled until you disable this setting. This setting is disabled by default.

Database ID

A valid database Id must conform to these rules:

• Only include letters, numbers, and hyphen (-) characters.
• Letters must be lowercase.
• The first character must be a letter.
• The last character must be a letter or number.
• Minimum of 4 characters.
• Maximum of 63 characters.
• Must not be a UUID or resemble a UUID. For example, don't use an ID likef47ac10b-58cc-0372-8567-0e02b2c3d479.

There is one exception to these rules: Standard edition will create a database named (default) if you don't enter an ID yourself.

Note that after you delete a database, you can't re-use its ID for about 5 minutes.

Delete protection

Use delete protection to prevent accidental deletion of a database. You cannot delete a database with delete protection enabled until you disable delete protection. Delete protection is disabled by default. You can update the database configuration to enable or disable delete protection.

Set up Firestore Security Rules for your databases

Use the Firebase CLI to deploy Firestore Security Rules to each of your databases. Refer to the guide for managing and deploying Firestore Security Rules.

Access a named database with a client library

A named database includes any database not named (default). By default, the Firebase SDKs and Google API Client Libraries connect to the (default)Firestore database in a project. To create a client connected to a named database, set the database ID when you instantiate a client.

List databases

Use one of the following methods to list your databases:

Console

In the Google Cloud console, go to the Databases page.

Go to Databases

gcloud

Use thegcloud firestore databases listcommand to list all the databases in your project.

gcloud firestore databases list

Firebase CLI

Use the firebase firestore:databases:list command to list all the databases in your project.

firebase firestore:databases:list

View database details

To view details about a single database, use one of the following methods:

gcloud

Use the gcloud firestore databases describe command:

gcloud firestore databases describe --database=DATABASE_ID

Firebase CLI

Use the firebase firestore:databases:get command:

firebase firestore:databases:get DATABASE_ID

The output for an Enterprise database includes the following fields:

• Edition: ENTERPRISE
• Firestore Data Access: DATA_ACCESS_MODE_ENABLED or DATA_ACCESS_MODE_DISABLED
• MongoDB Compatible Data Access: DATA_ACCESS_MODE_ENABLED or DATA_ACCESS_MODE_DISABLED
• Realtime Updates: REALTIME_UPDATES_ENABLED or REALTIME_UPDATES_DISABLED

Replace DATABASE_ID with a database ID.

Update database configuration

To update the configurations settings of a database, use the gcloud firestore databases updatecommand. Use this command to change the database type or to toggle delete protection.

Change the database type

To update the type of a database, use the gcloud firestore databases updatecommand with the --type= flag. You can change the type only if the database is empty.

gcloud

gcloud firestore databases update --database=DATABASE_ID
--type=DATABASE_TYPE

Replace the following:

• DATABASE_ID: a database ID.
• DATABASE_TYPE: either firestore-native for Native mode or datastore-mode for Datastore mode.

Update the delete protection setting

To enable delete protection on a database, use the gcloud firestore databases update command with the --delete-protection flag. For example:

gcloud

gcloud firestore databases update --database=DATABASE_ID --delete-protection

Replace DATABASE_ID with a database ID.

To disable delete protection on a database, use the gcloud firestore databases update command with the --no-delete-protection flag. For example:

gcloud

gcloud firestore databases update --database=DATABASE_ID --no-delete-protection

Replace DATABASE_ID with a database ID.

Delete a database

To delete a database, use the console or command-line tool.

If the database has the delete protection setting enabled, you must firstdisable delete protection.

If the database contains App Engine search data orblob entities, you must delete that data first.

Deleting a database does not automatically delete any Eventarc triggers for that database. The trigger stops delivering events but continues to exist until you delete the trigger.

Deleting a database does not incur charges for delete operations.

Console

1. In the Google Cloud console, go to the Databases page.
   Go to Databases
2. Click View more in the table row for the database you want to delete. Click Delete. A dialog appears.
3. In the Delete database? dialog, confirm deletion by typing the database ID in the text field. Click Delete. The console informs you of operation success or failure.
   If the operation fails,view the database details and verify that delete protection is disabled. To disable delete protection, seeUpdate the delete protection setting.

gcloud

Use the`gcloud firestore databases delete` command.

gcloud firestore databases delete --database=DATABASE_ID

Replace DATABASE_ID with the ID of the database to delete. To delete the default database use the ID '(default)'

Clone a database

You can clone an existing database at a selected timestamp into a new database:

• The cloned database is a new database that will be created in the same location as the source database.
  To make a clone, Firestore uses point-in-time recovery (PITR) data of the source database. The cloned database includes all data and indexes.
• By default, the cloned database will be encrypted in the same way as the source database, using either Google's default encryption or CMEK encryption. You can specify a different encryption type or use a different key for CMEK encryption.
• The timestamp has a granularity of one minute and specifies a point of time in the past, in the period defined by the PITR window:
  • If PITR is enabled for your database, you select any minute in the last 7 days (or less if PITR was enabled less than 7 days ago).
  • If PITR isn't enabled, you can select any minute in the past hour.
  • You can check the earliest timestamp that you can pick in your database's description.

Console

1. In the Google Cloud console, go to the Databases page.

Go to Databases

1. Click View more in the table row for the database that you want to clone. Click Clone. TheCreate a clone dialog appears.
2. In the Create a clone dialog, provide parameters for cloning the database:
   1. In the Give the clone an ID field, a database IDfor a new cloned database. This database ID must not be associated with an existing database.
   2. In the Clone from field, select a point in time to use for cloning. The selected time corresponds to a PITR timestamp, at the minute granularity.
3. Click Create clone.

gcloud

Use the gcloud firestore databases clonecommand to clone a database:

gcloud firestore databases clone \
--source-database='SOURCE_DATABASE' \
--snapshot-time='PITR_TIMESTAMP' \
--destination-database='DESTINATION_DATABASE_ID'

Replace the following:

• SOURCE_DATABASE: the database name of an existing database that you want to clone. The name uses the formatprojects/PROJECT_ID/databases/SOURCE_DATABASE_ID.
• PITR_TIMESTAMP: a PITR timestamp in the RFC 3339 format, at minute granularity. For example: 2025-06-01T10:20:00.00Z or2025-06-01T10:30:00.00-07:00.
• DESTINATION_DATABASE_ID: a database IDfor a new cloned database. This database ID must not be associated with an existing database.

Example:

gcloud firestore databases clone \
--source-database='projects/example-project/databases/(default)' \
--snapshot-time='2025-06-01T10:20:00.00Z' \
--destination-database='example-dest-db'

If you want to bind to some tags while cloning a database, use the previous command with the --tags flag, which is an optional list of tags KEY=VALUE pairs to bind.

Example:

gcloud firestore databases clone \
--source-database='projects/example-project/databases/(default)' \
--snapshot-time='2025-06-01T10:20:00.00Z' \
--destination-database='example-dest-db'

By default, the cloned database will have the same encryption configuration as the source database. To change the encryption configuration, use the--encryption-type argument:

• (Default) use-source-encryption: use the same encryption configuration as the source database.
• google-default-encryption: use Google's default encryption.
• customer-managed-encryption: use CMEK encryption. Specify a key IDin the --kms-key-name argument.

The following example shows how to configure CMEK encryption for the cloned database:

gcloud firestore databases clone \
--source-database='projects/example-project/databases/(default)' \
--snapshot-time='2025-06-01T10:20:00.00Z' \
--destination-database='example-dest-db' \
--encryption-type='customer-managed-encryption' \
--kms-key-name='projects/example-project/locations/us-central1/keyRings/example-key-ring/cryptoKeys/example-key'

Configure per-database access permissions

You can use Identity and Access Management Conditions to configure access permissions on a per-database level. The following examples use the Google Cloud CLI to assign conditional access for one or more databases. You can also define IAM conditions in the Google Cloud console.

View existing IAM policies

gcloud projects get-iam-policy PROJECT_ID

Set PROJECT_ID to your project ID.

Grant access to a database

gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:EMAIL' \
--role='roles/datastore.user' \
--condition='expression=resource.name=="projects/PROJECT_ID/databases/DATABASE_ID",title=TITLE,description=DESCRIPTION'

Set the following:

• PROJECT_ID: your project ID
• EMAIL: an email address that represents a specific Google Account. For example, alice@example.com.
• DATABASE_ID: a database ID.
• TITLE: an optional title for the expression.
• DESCRIPTION: an optional description of the expression.

Grant access to all except one database

gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:EMAIL' \
--role='roles/datastore.user' \
--condition='expression=resource.name!="projects/PROJECT_ID/databases/DATABASE_ID",title=TITLE,description=DESCRIPTION'

Set the following:

• PROJECT_ID: your project ID
• EMAIL: an email address that represents a specific Google Account. For example, alice@example.com.
• DATABASE_ID: a database ID.
• TITLE: an optional title for the expression.
• DESCRIPTION: an optional description of the expression.

Remove policies for a given member and role

gcloud projects remove-iam-policy-binding PROJECT_ID \
--member='user:EMAIL' \
--role='roles/datastore.user' --all

Set the following:

• PROJECT_ID: your project ID
• EMAIL: an email address that represents a specific Google Account. For example, alice@example.com.

Cloud Monitoring

Firestore metrics are reported under two monitored resources.

• firestore.googleapis.com/Database
• firestore_instance(Legacy)

You can inspect aggregate metrics at the database level by looking atfirestore.googleapis.com/Database. The metrics reported underfirestore_instance are aggregated at the project level.

Limitations

• You can have a maximum of 100 databases per project. You cancontact support to request an increase to this limit.
• You cannot delete your (default) database if it contains any GAE search data. Use the index delete apito delete GAE search data. If you recently deleted GAE Search data, there may be a waiting period before you are able to delete the database.
• You cannot delete your (default) database if it contains any blob entities. Use the Blobstore delete apito delete Blobstore data. You can check if your (default) database has Blobstore data by running the following GQL query in the Google Cloud console:SELECT * FROM __BlobInfo__.
• You cannot reuse a database ID until 5 minutes after the delete happens.
• Cloud Function v1 does not support Firestore Named databases. Use Cloud Firestore Triggers (2nd Gen) to configure events for named databases.
• Firestore function triggers v1 andFirestore event triggersmay stop working after the database is deleted, even if a new database is created with the same name.

What's next

• Add data
• Get data
• Delete data