When managing roles in Google Cloud IAM, all datastore.* permissions (such as datastore.entities.{create, list, get}) show up as greyed out with a yellow exclamation badge with a tool tip explaining "cannot assign permission."
I'm assuming this is why all datastore api calls result in "com.google.cloud.datastore.DatastoreException: Missing or insufficient permissions" even when assigning project level rights to the role.
Any idea how to grant these permissions to roles?
First of all, bear in mind that “Custom roles are a beta feature and should be used with caution.”
It is a known issue in Beta restrictions:
“Some predefined roles contain deprecated permissions or permissions that are otherwise not permitted in custom roles. A custom role that is based on a predefined role that contains deprecated or restricted permissions will not contain those permissions.”
Also if you check the IAM Permissions Change Log, in Upcoming IAM changes for the week of 2017-12-18 , you will see all these roles related to Cloud Datastore are not longer supported in Customer Roles.
In this case you will have to use Primitive roles.
