I finally figured out the issue. It turns out Google is misleading, and the service account displayed in the IAM console isn’t the one the agent uses. The agent uses a different service account. To access Firestore, you need to grant that account the necessary permissions to read and write.