This page describes how to create, update, and delete Cloud Firestore databases. You can create multiple Cloud Firestore databases per project. You can use multiple databases to set up production and testing environments, to isolate customer data, and for data regionalization.
The (default) database
If you don't specify a database, the Cloud Firestore client libraries and the Google Cloud CLI connect to the (default) database by default.
Required roles
To create and manage databases, you need the Owner or Datastore Owner Identity and Access Management role. These roles grant the required permissions.
Required permissions
To manage databases, you require the following permissions:
- Create a database: datastore.databases.create
- Read database configuration: datastore.databases.getMetadata
- Configure a database: datastore.databases.update
- Delete a database: datastore.databases.delete
- Clone a database: datastore.databases.clone
Create a database
To create a database, use one of the following methods:
Console
- In the Firebase console, go to the Firestore Database page.
- If this is your first named database, click Add database.
- Otherwise, click (default), then Add database.
- Configure your database. Enter a Database ID. Select a location. Click Create Database.
gcloud
Use the gcloud firestore databases create command.
gcloud firestore databases create \
--database=DATABASE_ID \
--location=LOCATION \
--type=DATABASE_TYPE \
[--delete-protection]
Replace the following:
- DATABASE_ID: a valid database ID.
- LOCATION: the name of a Cloud Firestore multi-region or region.
- DATABASE_TYPE: either firestore-native for Native mode or datastore-mode for Datastore mode.
--delete-protection is an optional flag to enable deletion protection. You cannot delete a database with deletion protection enabled until you disable this setting. This setting is disabled by default.
To add tags to the database, use the --tags flag. For example:
--tags=123/environment=production,123/costCenter=marketing
--tags=tagKeys/333=tagValues/444
Firebase CLI
firebase firestore:databases:create DATABASE_ID \
--location=LOCATION \
[--delete-protection DELETE_PROTECTION_ENABLEMENT]
Replace the following:
- DATABASE_ID: a valid database ID.
- LOCATION: the name of a Cloud Firestore multi-region or region.
- DELETE_PROTECTION_ENABLEMENT: Either ENABLED or DISABLED.
The database created is always in Firestore Native mode.
--delete-protection is an optional argument to enable deletion protection. You cannot delete a database with deletion protection enabled until you disable this setting. This setting is disabled by default.
Terraform
resource "google_firestore_database" "database" {
  project     = "project-id"
  name        = DATABASE_ID
  location_id = LOCATION
  type        = DATABASE_TYPE

  // Optional
  delete_protection_state = DELETE_PROTECTION_STATE
}
Replace the following:
- DATABASE_ID: a valid database ID.
- LOCATION: the name of a Cloud Firestore multi-region or region.
- DATABASE_TYPE: either FIRESTORE_NATIVE for Native mode or DATASTORE_MODE for Datastore mode.
- DELETE_PROTECTION_STATE: either DELETE_PROTECTION_ENABLED or DELETE_PROTECTION_DISABLED.
delete_protection_state is an optional argument to enable deletion protection. You cannot delete a database with deletion protection enabled until you disable this setting. This setting is disabled by default.
Database ID
Valid database IDs include (default) and IDs that conform to the following:
- Includes only letters, numbers, and hyphen (-) characters.
- Letters must be lowercase.
- The first character must be a letter.
- The last character must be a letter or number.
- Minimum of 4 characters.
- Maximum of 63 characters.
- Must not be a UUID or resemble a UUID. For example, don't use an ID like f47ac10b-58cc-0372-8567-0e02b2c3d479.
After you delete a database, you cannot reuse its database ID until 5 minutes have passed.
Delete protection
Use delete protection to prevent accidental deletion of a database. You cannot delete a database with delete protection enabled until you disable delete protection. Delete protection is disabled by default. You can enable delete protection when you create the database or you can update a database configuration to enable delete protection.
Set up Cloud Firestore Security Rules for your databases
Use the Firebase CLI to deploy Cloud Firestore Security Rules to each of your databases. Refer to the guide for managing and deploying Cloud Firestore Security Rules.
Access a named database with a client library
A named database includes any database not named (default). By default, the Firebase SDKs and Google API Client Libraries connect to the (default) Cloud Firestore database in a project. To create a client connected to a named database, set the database ID when you instantiate a client.
List databases
Use one of the following methods to list your databases:
Console
In the Google Cloud console, go to the Databases page.
gcloud
Use the gcloud firestore databases list command to list all the databases in your project.
gcloud firestore databases list
Firebase CLI
Use the firebase firestore:databases:list command to list all the databases in your project.
firebase firestore:databases:list
View database details
To view details about a single database, use one of the following methods:
gcloud
Use the gcloud firestore databases describe command:
gcloud firestore databases describe --database=DATABASE_ID
Firebase CLI
Use the firebase firestore:databases:get command:
firebase firestore:databases:get DATABASE_ID
Replace DATABASE_ID with a database ID.
Update database configuration
To update the configuration settings of a database, use the gcloud firestore databases update command. Use this command to enable or disable delete protection.
Update the delete protection setting
To enable delete protection on a database, use the gcloud firestore databases update command with the --delete-protection flag. For example:
gcloud
gcloud firestore databases update --database=DATABASE_ID --delete-protection
Replace DATABASE_ID with a database ID.
To disable delete protection on a database, use the gcloud firestore databases update command with the --no-delete-protection flag. For example:
gcloud
gcloud firestore databases update --database=DATABASE_ID --no-delete-protection
Replace DATABASE_ID with a database ID.
Delete a database
To delete a database, use the console or command-line tool.
If the database has the delete protection setting enabled, you must first disable delete protection.
If the database contains App Engine search data or blob entities, you must delete that data first.
Deleting a database does not automatically delete any Eventarc triggers for that database. The trigger stops delivering events but continues to exist until you delete the trigger.
Deleting a database does not incur charges for delete operations.
Console
- In the Firebase console, go to the Firestore Database page.
- On the Data tab, above the data table view for the database, click , then select Delete database.
- Follow the instructions to delete the database.
gcloud
Use the `gcloud firestore databases delete` command.
gcloud firestore databases delete --database=DATABASE_ID
Replace DATABASE_ID with the ID of the database to delete.
Clone a database
You can clone an existing database at a selected timestamp into a new database:
The cloned database is a new database that will be created in the same location as the source database.
To make a clone, Cloud Firestore uses point-in-time recovery (PITR) data of the source database. The cloned database includes all data and indexes.
By default, the cloned database will be encrypted in the same way as the source database, using either Google's default encryption or CMEK encryption. You can specify a different encryption type or use a different key for CMEK encryption.
The timestamp has a granularity of one minute and specifies a point of time in the past, in the period defined by the PITR window:
- If PITR is enabled for your database, you select any minute in the last 7 days (or less if PITR was enabled less than 7 days ago).
- If PITR isn't enabled, you can select any minute in the past hour.
- You can check the earliest timestamp that you can pick in your database's description.
Console
The Firebase console doesn't support database cloning. Use the Google Cloud CLI instructions to clone databases.
gcloud
Use the gcloud alpha firestore databases clone command to clone a database:
gcloud alpha firestore databases clone \
--source-database='SOURCE_DATABASE_ID' \
--snapshot-time='PITR_TIMESTAMP' \
--destination-database='DESTINATION_DATABASE_ID'
Replace the following:
- SOURCE_DATABASE_ID: a database ID of an existing database that you want to clone.
- PITR_TIMESTAMP: a PITR timestamp in the RFC 3339 format, at minute granularity. For example: 2025-06-01T10:20:00.00Z or 2025-06-01T10:30:00.00-07:00.
- DESTINATION_DATABASE_ID: a database ID for a new cloned database. This database ID must not be associated with an existing database.
Example:
gcloud alpha firestore databases clone \
--source-database='projects/example-project/databases/(default)' \
--snapshot-time='2025-06-01T10:20:00.00Z' \
--destination-database='projects/example-project/databases/example-dest-db'
Change the cloned database's encryption configuration
By default, the cloned database will have the same encryption configuration as the source database. To change the encryption configuration, use the --encryption-type argument:
- (Default) use-source-encryption: use the same encryption configuration as the source database.
- google-default-encryption: use Google's default encryption.
- customer-managed-encryption: use CMEK encryption. Specify a key ID in the --kms-key-name argument.
The following example shows how to configure CMEK encryption for the cloned database:
gcloud alpha firestore databases clone \
--source-database='projects/example-project/databases/(default)' \
--snapshot-time='2025-06-01T10:20:00.00Z' \
--destination-database='projects/example-project/databases/example-dest-db' \
--encryption-type='customer-managed-encryption' \
--kms-key-name='projects/example-project/locations/us-central1/keyRings/example-key-ring/cryptoKeys/example-key'
Configure per-database access permissions
You can use Identity and Access Management Conditions to configure access permissions on a per-database level. The following examples use the Google Cloud CLI to assign conditional access for one or more databases. You can also define IAM conditions in the Google Cloud console.
View existing IAM policies
gcloud projects get-iam-policy PROJECT_ID
Set PROJECT_ID to your project ID.
Grant access to a database
gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:EMAIL' \
--role='roles/datastore.user' \
--condition='expression=resource.name=="projects/PROJECT_ID/databases/DATABASE_ID",title=TITLE,description=DESCRIPTION'
Set the following:
- PROJECT_ID: your project ID
- EMAIL: an email address that represents a specific Google Account. For example, alice@example.com.
- DATABASE_ID: a database ID.
- TITLE: an optional title for the expression.
- DESCRIPTION: an optional description of the expression.
Grant access to all except one database
gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:EMAIL' \
--role='roles/datastore.user' \
--condition='expression=resource.name!="projects/PROJECT_ID/databases/DATABASE_ID",title=TITLE,description=DESCRIPTION'
Set the following:
- PROJECT_ID: your project ID
- EMAIL: an email address that represents a specific Google Account. For example, alice@example.com.
- DATABASE_ID: a database ID.
- TITLE: an optional title for the expression.
- DESCRIPTION: an optional description of the expression.
Remove policies for a given member and role
gcloud projects remove-iam-policy-binding PROJECT_ID \
--member='user:EMAIL' \
--role='roles/datastore.user' --all
Set the following:
- PROJECT_ID: your project ID
- EMAIL: an email address that represents a specific Google Account. For example, alice@example.com.
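To review which members end up with access to which databases, the following added example (not part of the original documentation) classifies every roles/datastore.* binding in a policy by its condition. It assumes the JSON shape printed by gcloud projects get-iam-policy PROJECT_ID --format=json; the function name and the sample policy are constructed for illustration.

```python
import re

# Matches the two condition shapes used in the gcloud commands above.
_COND_RE = re.compile(
    r'resource\.name\s*(==|!=)\s*"projects/[^/"]+/databases/([^"]+)"')


def firestore_binding_scopes(policy):
    """Return (member, role, (scope, detail)) for each roles/datastore.* binding.

    scope is "all" (no condition), "only" (==), "except" (!=) or "unparsed".
    Basic roles such as Owner also grant Firestore access and are not covered.
    """
    rows = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if not role.startswith("roles/datastore."):
            continue
        expr = binding.get("condition", {}).get("expression", "").strip()
        match = _COND_RE.fullmatch(expr)
        if not expr:
            scope = ("all", None)
        elif match:
            scope = ("only" if match.group(1) == "==" else "except", match.group(2))
        else:
            scope = ("unparsed", expr)  # any other expression needs manual review
        rows.extend((member, role, scope) for member in binding.get("members", []))
    return rows


# Constructed sample policy (not taken from a real project).
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/datastore.user", "members": ["user:alice@example.com"],
         "condition": {"title": "prod-only", "expression":
                       'resource.name=="projects/example-project/databases/prod-db"'}},
        {"role": "roles/datastore.user", "members": ["user:bob@example.com"],
         "condition": {"title": "not-prod", "expression":
                       'resource.name!="projects/example-project/databases/prod-db"'}},
        {"role": "roles/datastore.owner", "members": ["user:carol@example.com"]},
        {"role": "roles/viewer", "members": ["user:dave@example.com"]},
    ],
}

if __name__ == "__main__":
    for member, role, (scope, detail) in firestore_binding_scopes(SAMPLE_POLICY):
        print(f"{member:26} {role:24} {scope} {detail or ''}")
```

An "except" binding matches every database whose name differs from the excluded one, so it also applies to databases created after the binding was added. Rows reported as "all" or "except" are the ones to check when a project separates production, test, or customer data by database.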
Cloud Monitoring
Cloud Firestore metrics are reported under two monitored resources.
You can inspect aggregate metrics at the database level by looking at firestore.googleapis.com/Database. The metrics reported under firestore_instance are aggregated at the project level.
Limitations
- You can have a maximum of 100 databases per project. You can contact support to request an increase to this limit.
- You cannot delete your (default) database if it contains any GAE search data. Use the index delete API to delete GAE search data. If you recently deleted GAE Search data, there may be a waiting period before you are able to delete the database.
- You cannot delete your (default) database if it contains any blob entities. Use the Blobstore delete API to delete Blobstore data. You can check if your (default) database has Blobstore data by running the following GQL query in the Google Cloud console: SELECT * FROM __BlobInfo__.
- You cannot reuse a database ID until 5 minutes after the delete happens.
- Cloud Function v1 does not support Firestore Named databases. Use Cloud Firestore Triggers (2nd Gen) to configure events for named databases.
- Firestore function triggers v1 and Firestore event triggers may stop working after the database is deleted, even if a new database is created with the same name.