Cloud Run (Firebase Functions Gen2) returns Firestore PERMISSION_DENIED despite roles/datastore.user on service account #3058
Description
I am running a backend for an Android app using Firebase Functions Gen2 (Cloud Run).
The backend exposes an HTTP endpoint and uses the Firebase Admin SDK to write to Firestore.
The endpoint is reachable and processes requests, but every Firestore write fails with:
PERMISSION_DENIED: Missing or insufficient permissions
This happens consistently and results in HTTP 500 responses.
Environment
Firebase Functions Gen2 (running on Cloud Run)
Firebase Admin SDK (Node.js)
Firestore (Native mode)
Android client calling the HTTP endpoint
No client-side Firestore access involved
Expected behavior
Firestore writes via Admin SDK should succeed when the runtime service account has the required IAM role.
Actual behavior
HTTP request reaches the Cloud Run service
Business logic executes
Firestore write fails with PERMISSION_DENIED
Error persists even after redeploying the service
What I have already verified
Firestore security rules are not the cause (Admin SDK is used)
IAM role roles/datastore.user has been granted to:
App Engine default service account
A dedicated custom service account
Service was redeployed after IAM changes
No hardcoded credentials or service account keys are used
Despite this, Firestore access is still denied.
Questions
Which service account is actually used at runtime by Firebase Functions Gen2 / Cloud Run?
Is the Compute Engine default service account used by default unless explicitly overridden?
Is it considered best practice to explicitly set a runtime service account for Cloud Run when using Firestore?
Are there known cases where the Admin SDK still fails with PERMISSION_DENIED due to IAM misconfiguration in Cloud Run Gen2?
Any clarification or guidance would be highly appreciated.