Permissions granted to a Firebase Extension

For a Firebase Extension to perform its specified actions, Firebase grants each instance of an installed extension limited access to your project and data via a service account.

What's a service account?

A service account is a special type of Google user account. It represents a non-human user that's authorized to access data using Google APIs.

During installation of an extension, Firebase creates a service account in your project. Each installed instance of an extension has its own service account.

Firebase limits access to your project and data by assigning an extension's service account specific roles (bundles of permissions). The roles that an extension requires to operate are determined by Firebase during extension development. At installation, Firebase assigns these roles to an extension's service account, and you shouldn't modify, add to, or delete any of these assigned roles (otherwise your installed extension won't work as expected). You can, though, uninstall the extension, which deletes the service account (and its access) altogether.

Service accounts created for extensions are in the format: ext-extension-instance-id@project-id.iam.gserviceaccount.com.

You can view all the service accounts associated with your Firebase project in the Service accounts tab of your Project settings.

Permissions and roles

During development of an extension, Firebase determines the level of access that an extension requires to operate.

Firebase defines this level of access by explicitly listing the roles (bundles of permissions) that Firebase should assign to the extension's service account during installation of the extension.

Each role (and its inherent permissions) is based on a specific product or service. Examples of roles are firebasehosting.admin, bigquery.dataEditor, and firebasedatabase.admin. Firebase lists the required roles for an extension in the extension's specification file (the extension.yaml file).

For official Firebase extensions, Firebase thoroughly reviews this list of roles to ensure that an extension's access is strictly limited to the scope of the extension's tasks. You can also review and confirm for yourself the access granted to an extension by viewing the extension's details page in the Firebase Extensions dashboard or viewing its README file.
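One way to check that each extension's service account still holds exactly the roles its extension declares, as an added example (not Firebase's own tooling). It assumes the project's IAM policy has been exported as JSON and that the declared roles were copied from each extension.yaml; the project ID, instance IDs and policy below are constructed, and prefixing declared names with roles/ is an assumption about how they appear in the policy.

```python
import json
import re

# Address format from the page: ext-<extension-instance-id>@<project-id>.iam.gserviceaccount.com
EXT_SA = re.compile(
    r"^serviceAccount:ext-(?P<instance>[^@]+)@(?P<project>[^.]+)\.iam\.gserviceaccount\.com$"
)

def roles_by_instance(policy, project_id):
    """Map extension instance ID -> set of roles bound to its service account."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            m = EXT_SA.match(member)
            if m and m.group("project") == project_id:
                found.setdefault(m.group("instance"), set()).add(binding["role"])
    return found

def role_drift(policy, project_id, declared):
    """Report instances whose bound roles differ from the roles they declare."""
    bound = roles_by_instance(policy, project_id)
    report = {}
    for instance in sorted(set(bound) | set(declared)):
        # Assumption: extension.yaml names roles without the "roles/" prefix.
        want = {r if r.startswith("roles/") else "roles/" + r
                for r in declared.get(instance, [])}
        have = bound.get(instance, set())
        if want != have:
            report[instance] = {"extra": sorted(have - want),
                                "missing": sorted(want - have)}
    return report

# Constructed sample policy; instance IDs and project ID are hypothetical.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/bigquery.dataEditor",
   "members": ["serviceAccount:ext-firestore-export@demo-project.iam.gserviceaccount.com"]},
  {"role": "roles/firebasedatabase.admin",
   "members": ["serviceAccount:ext-firestore-export@demo-project.iam.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/firebasehosting.admin",
   "members": ["serviceAccount:ext-site-deploy@demo-project.iam.gserviceaccount.com"]}
]}
""")
# Constructed: roles copied by hand from each instance's extension.yaml.
DECLARED = {"firestore-export": ["bigquery.dataEditor"],
            "site-deploy": ["firebasehosting.admin"]}

if __name__ == "__main__":
    print(json.dumps(role_drift(SAMPLE_POLICY, "demo-project", DECLARED), indent=2))
```

An "extra" entry means the service account holds more access than the extension declared; a "missing" entry means a declared role was removed, which the page warns will stop the extension from working as expected.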

Learn about the permissions included in each role:

What happens when I uninstall an extension?

When you uninstall an extension from your project, Firebase deletes the service account created for that instance of the extension. After this deletion of the service account, the extension cannot run in your project because it no longer has any access rights to your project or data.