I'm looking to store my GCE metadata into into Firestore. But there is other data there I don't want the service account to access so I want them be able to write to my firestore and only be able to read the documents that they wrote into Firestore and nothing else. Is this possible and how do I do it?
It seems I can read entities at once but I'm not sure if this is also the case for firestore in native mode: https://cloud.google.com/datastore/docs/access/iam#permissions
I don't think IAM can be used to control access to specific documents.
To implement fine grained access control, have a look at Firestore security rules, which allow more fine-grained control. With this approach, the users don't become collaborators on your GCP/Firebase project, but are identified as Firebase Authentication users who can only access the database through the API and you application. You can then set security rules to determine which documents they can access.