I'm willing to deploy a service in Google Cloud Run. It would be a (Python) Flask app that would connect to Datastore (Firestore in Datastore mode) to either write or read a small blob.
The problem is that it is not explained in the docs (Accessing your Database) how to reach Datastore from within GCP but not from GCE or App Engine. Is there a fancy/seamless way to achieve this, or should I go with providing service account credentials as if it were an external platform?
Thank you in advance for your help and answers.
When your Cloud Run logic executes, it executes with the identity of a GCP Service Account. You can configure which service account it runs as at configuration time. You can create and configure a Service Account that has the correct roles to allow/provide access to your datastore. This means that when your Cloud Run logic executes, it will have the correct authority to perform the desired operations. This story is documented here:
If for some reason you don't find this sufficient, an alternative is to save the tokens necessary for access in compute metadata and then dynamically retrieve these explicitly within your Cloud Run logic. This is described here:
Fetching identity and access tokens
Hopefully this covers the fundamentals of what you are looking for. If after reading these areas new questions arise, feel very free to create new questions which are more specific and detailed and we'll follow up there.
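To make the first approach concrete, here is an added example (not code from the question or the answer) of the Flask service the question describes, written so that it carries no credential of its own: the Datastore client is created with no arguments and takes the identity of the service account the Cloud Run revision was deployed with, via Application Default Credentials, so that account only needs a Datastore role. It assumes the `google-cloud-datastore` package; the kind name `Blob`, the size limit, and the key-name pattern are choices made here, and `create_app` accepts any object with `get(name)` and `put(name, data)` so a fake store can stand in locally.

```python
"""Flask service for Cloud Run that reads or writes one small blob in Datastore.
No key file: datastore.Client() uses the revision's service account via ADC."""
import re
from flask import Flask, Response, abort, request

KIND = "Blob"                            # assumed Datastore kind (made up here)
MAX_BLOB_BYTES = 900_000                 # stay under Datastore's ~1 MiB entity limit
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")   # only plain key names reach the store


class DatastoreBlobStore:
    """Real backend; import deferred so the app can be built with a fake store."""
    def __init__(self):
        from google.cloud import datastore   # assumes google-cloud-datastore installed
        self._ds = datastore
        self._client = datastore.Client()    # ADC: no explicit credentials anywhere

    def get(self, name):
        entity = self._client.get(self._client.key(KIND, name))
        return None if entity is None else bytes(entity["data"])

    def put(self, name, data):
        entity = self._ds.Entity(self._client.key(KIND, name), exclude_from_indexes=("data",))
        entity["data"] = data                # bytes land in an unindexed blob property
        self._client.put(entity)


def create_app(store=None):
    app = Flask(__name__)
    store = store if store is not None else DatastoreBlobStore()

    @app.route("/blob/<name>", methods=["GET"])
    def read_blob(name):
        if not NAME_RE.fullmatch(name):
            abort(400)
        data = store.get(name)
        if data is None:
            abort(404)
        return Response(data, mimetype="application/octet-stream")

    @app.route("/blob/<name>", methods=["PUT"])
    def write_blob(name):
        if not NAME_RE.fullmatch(name):
            abort(400)
        data = request.get_data()            # Cloud Run itself caps requests at 32 MiB
        if len(data) > MAX_BLOB_BYTES:
            abort(413)
        store.put(name, data)
        return "", 204

    return app
```

Deploy it with `gcloud run deploy --service-account <sa-email>` (a service account granted `roles/datastore.user`), and the same image runs unchanged on a developer machine with `create_app(store)` given an in-memory store.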