Identity and Access Management (IAM) lets you grant granular access to specific Firebase and Google resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
For a detailed description of IAM, read the Google Cloud IAM documentation.
Overview of Firebase IAM
Firebase offers additional IAM options that are specific for Firebase projects and your project members.
When an authenticated project member requests an action in Firebase, IAM makes an authorization decision about whether the project member has permission to perform the requested operation on the resource. Whether the project member is allowed to perform the request depends on the project member's assigned role. Each role is a collection of permissions, and when you assign a role to a project member, you are granting that project member all the permissions for that role.
Using Firebase IAM, you assign roles (and their inherent permissions) to your project members. Project members can be of the following types:
- Google account
- Service account
- Google group
Permissions are granted to your project members via roles. A role is a collection of permissions. When you assign a role to a project member, you grant that project member all the permissions that the role contains.
Firebase IAM supports the following types of roles:
Basic roles: Fundamental Owner, Editor, and Viewer roles (formerly called "primitive" roles).
Predefined roles: Curated Firebase-specific roles that enable more granular access control than the basic roles. Firebase offers:
Firebase-level roles: Roles which grant full read/write or read-only access to all the Firebase products.
Product-category roles: Roles which grant full read/write or read-only access to groups of products. They are structured around Google Analytics and general product categories.
Product-level roles: Roles which grant full read/write or read-only access to specific Firebase products.
Custom roles: Fully customized roles that you create to tailor a set of permissions that meet the specific requirements of your organization.
Role change latency
If you change a project member's role assignment, it might take up to 5 minutes for the change to take effect.
Manage project members and their roles
View project members and their rolesYou can view many of your project members and their roles in the Users and permissions tab of > Project settings in the Firebase console. Note the following:
- The Firebase console only lists project members assigned a basic role (Owner, Editor, Viewer) or a Firebase predefined role. The project members listed in this tab are the only project members who have access to the Firebase project in the Firebase console.
- The Firebase console does not list project members that are service accounts. View these project members in the IAM page of the Google Cloud console.
Assign a role to a project member
To manage the role(s) assigned to each project member, you must be an Owner of the Firebase
project (or be assigned a role with the permission
Here are the places where you can assign and manage roles:
- The Firebase console offers a simplified way to assign roles to project members in the Users and permissions tab of > Project settings. In the Firebase console, you can assign any of the basic roles (Owner, Editor, Viewer), the Firebase Admin/Viewer roles, or any of the Firebase predefined product-category roles.
- The Google Cloud console offers an expansive set of tools to assign roles to project members
IAM page. In the Cloud console, you can also create
custom roles, as well as give service accounts
access to your project.
Note that in the Google Cloud console, project members are called principals.
If the Owner of your project can no longer perform the tasks of an Owner (for example, the person left your company) and your project isn't managed via a Google Cloud organization (see next paragraph), you can contact Firebase Support to have a temporary Owner assigned.
Note that if a Firebase project is part of a Google Cloud organization, it may not have an Owner. If you're unable to find an Owner for your Firebase project, contact the person who manages your Google Cloud organization to assign an Owner for the project.