Your Data Connect projects consist of two major infrastructure elements:
- One or more Data Connect service instances
- One or more Cloud SQL for PostgreSQL instances
This guide discusses how to set up and manage your Data Connect service instances, and introduces how to manage your associated Cloud SQL instances.
Configure regions for Firebase Data Connect
Projects that use Data Connect require a location setting.
When you create a new Data Connect service instance, you're prompted to select the location of the service.
Available locations
Data Connect services can be created in the following regions.
- asia-east1
- asia-east2
- asia-northeast1
- asia-northeast2
- asia-northeast3
- asia-south1
- asia-southeast1
- asia-southeast2
- australia-southeast1
- australia-southeast2
- europe-central2
- europe-north1
- europe-southwest1
- europe-west1
- europe-west2
- europe-west3
- europe-west4
- europe-west6
- europe-west8
- europe-west9
- me-west1
- northamerica-northeast1
- northamerica-northeast2
- southamerica-east1
- southamerica-west1
- us-central1
- us-east1
- us-east4
- us-south1
- us-west1
- us-west2
- us-west3
- us-west4
Manage Data Connect service instances
Create services
To create a new service, use the Firebase console or run the local project initialization using the Firebase CLI. These workflows create a new Data Connect service.
These flows also guide you through:
- Provisioning a new Cloud SQL instance (no-cost tier)
- Linking an existing Cloud SQL instance to Data Connect (Blaze plan)
Manage users
Data Connect provides tools to manage user access that follow the the principle of least privilege (grant each user or service account the minimum necessary permissions to support needed functionality) and the notion of role-based access control (RBAC) (with predefined roles to manage database permissions, simplifying security management).
To add project members as users who can modify Data Connect instances in your project, use the Firebase console to select appropriate predefined user roles.
These roles grant permissions using Identity and Access Management (IAM). A role is a collection of permissions. When you assign a role to a project member, you grant that project member all the permissions that the role contains. See more information in:
- The overview of Firebase IAM roles
- The detailed list of Data Connect roles
Choose roles to enable specific workflows
IAM roles enable Firebase CLI workflows to let you manage your Data Connect projects.
CLI command, other workflow | Role(s) required |
---|---|
firebase init dataconnect
|
|
firebase deploy -–only dataconnect
|
|
firebase dataconnect:sql:diff
|
|
firebase dataconnect:sql:migrate
|
|
firebase dataconnect:sql:grant
|
|
Monitor Data Connect service performance
Understand service performance
The performance of both the Data Connect service and the Cloud SQL for PostgreSQL service can affect your experience during preview.
- For the Data Connect service, there is a limit of 1200 GraphQL and connector requests per minute, affecting the rate at which you can call and execute queries and mutations.
- For the Cloud SQL for PostgreSQL service, refer to general guidance in the Quotas and limits documentation.
Monitor service performance, usage and billing
You can monitor requests, errors and operation rates, both globally and per operation in the Firebase console.
Manage Cloud SQL instances
Free trial limitations
The following Cloud SQL for PostgreSQL features are not supported in the free trial:
- PostgreSQL versions other than 15.x
- Use of existing Cloud SQL for PostgreSQL instances
- Different machine tier than db-f1-micro
- Changing resources of your instance, such as storage, memory, CPU
- Read replicas
- Private instance IP address
- High-availability (multi-zone); only single-zone instances are supported
- Enterprise Plus edition
- Automatic backups
- Automatic storage increase.
Administer Cloud SQL instances
In general, you can manage your Cloud SQL instances using the Google Cloud console to perform the following workflows.
- Stop and restart Cloud SQL instances
- Create and delete Cloud SQL databases (within instances)
- Start PostgreSQL database instances with flags and use a variety of extensions
- Monitor performance with Cloud SQL observability features in the Google Cloud console
- Manage Cloud SQL access and security with features like IAM, secret manager, data encryption and auth proxy
- Add, delete and administer Cloud SQL users.
For these and other workflows, refer to the Cloud SQL for PostgreSQL documentation.
Grant PostgreSQL user roles using the Firebase CLI and Google Cloud tools
Data Connect provides tools to manage user access that follow the the principle of least privilege (grant each user or service account the minimum necessary permissions to support needed functionality) and the notion of role-based access control (RBAC) (with predefined roles to manage database permissions, simplifying security management).
In some cases, you might want to connect to the Data Connect-managed Cloud SQL database directly via a SQL client of your choice using, for example, Cloud Run, Cloud Functions or GKE.
To enable such connections, you need to grant SQL permissions by:
- Assigning the
roles/cloudsql.client
IAM role to the user or service account that needs to connect to the instance, either from the Google Cloud console or using the gcloud CLI - Granting the necessary PostgreSQL role using the Firebase CLI
Assign the Cloud SQL IAM role
For information on working with Cloud SQL for PostgreSQL to assign IAM
role roles/cloudsql.client
, see Roles and permissions.
Grant PostgreSQL roles
Using the Firebase CLI, you can grant predefined PostgreSQL roles to users
or service accounts associated with your project with the
firebase dataconnect:sql:grant
command.
For example, to grant the writer role, run this command at the CLI:
firebase dataconnect:sql:grant --role writer
For details, refer to the CLI reference guide.