Firebase Phenom Project GCloud Backup

Overview

This document provides the Standard Operating Procedure (SOP) for backing up the Firebase project data, specifically Firestore, to a Google Cloud Storage bucket. This ensures data durability and provides a point-in-time recovery option.

Prerequisites

1. Google Cloud SDK (gcloud): Ensure the gcloud command-line tool is installed and authenticated.

   • Installation Guide: https://cloud.google.com/sdk/docs/install
   • Authentication: Run gcloud auth login and gcloud auth application-default login.

2. Permissions: The user or service account performing the backup must have the following IAM roles in the Google Cloud project:

   • Cloud Datastore Import Export Admin
   • Storage Admin (or a role with write permissions to the target GCS bucket)

3. Project and Bucket Information:

   • GCP Project ID: phenom-s (Verify this is the correct project ID)
   • GCS Bucket: A dedicated bucket for backups should be used, e.g., gs://phenom-s-firestore-backups.

Manual Backup Procedure

Step 1: Set the GCP Project

Ensure all subsequent gcloud commands target the correct project.

gcloud config set project phenom-s

Step 2: Create a GCS Bucket (If it doesn’t exist)

It’s best practice to use a dedicated, regional bucket in the same location as your Firestore database.

# Example: Replace 'us-central1' with your Firestore database location
gcloud storage buckets create gs://phenom-s-firestore-backups --project=phenom-s --location=us-central1

Step 3: Perform the Firestore Export

This command exports all collections from Firestore to the specified GCS bucket. The output folder will be named with a timestamp.

gcloud firestore export gs://phenom-s-firestore-backups

You can also specify a folder name (prefix) for the backup:

gcloud firestore export gs://phenom-s-firestore-backups/backups/$(date +%Y-%m-%d-%H%M%S)

Step 4: Verify the Backup

1. Navigate to the Google Cloud Console -> Cloud Storage -> Buckets.
2. Select the phenom-s-firestore-backups bucket.
3. Verify that a new folder with a timestamp and .overall_export_metadata file exists, containing your Firestore data.

Automated Daily Backups (Recommended)

Automating backups is crucial for consistency. This is achieved using Cloud Scheduler and a service account.

Step 1: Create a Service Account

Create a dedicated service account for the backup job.

gcloud iam service-accounts create firestore-backup-sa \
    --display-name="Firestore Backup Service Account" \
    --project=phenom-s

Step 2: Grant Permissions to the Service Account

Grant the necessary roles to the new service account.

# Replace with your project ID and service account email
gcloud projects add-iam-policy-binding phenom-s \
    --member="serviceAccount:firestore-backup-sa@phenom-s.iam.gserviceaccount.com" \
    --role="roles/datastore.importExportAdmin"

gcloud projects add-iam-policy-binding phenom-s \
    --member="serviceAccount:firestore-backup-sa@phenom-s.iam.gserviceaccount.com" \
    --role="roles/storage.admin"

Step 3: Create a Cloud Scheduler Job

This job will trigger the Firestore export daily.

gcloud scheduler jobs create http firestore-backup-job \
    --schedule="0 2 * * *" \
    --uri="https://firestore.googleapis.com/v1/projects/phenom-s/databases/(default):exportDocuments" \
    --message-body='{"outputUriPrefix":"gs://phenom-s-firestore-backups/daily"}' \
    --oauth-service-account-email="firestore-backup-sa@phenom-s.iam.gserviceaccount.com" \
    --time-zone="America/New_York"

Job Breakdown:

• --schedule="0 2 * * *": Runs the job every day at 2:00 AM (in the specified time zone).
• --uri: The REST endpoint for the Firestore export operation.
• --message-body: Specifies the output GCS bucket and a prefix (daily).
• --oauth-service-account-email: The service account to authenticate the request.

Step 4: Verify the Scheduled Job

You can view and manage the job in the Google Cloud Console under “Cloud Scheduler”. Check the logs after the scheduled time to ensure it ran successfully.