Identity and Access Management (IAM) lets you grant granular access to specific Firebase and Google resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
For a detailed description of IAM, read the Google Cloud IAM documentation.
Overview of Firebase IAM
Firebase offers additional IAM options that are specific to Firebase projects and their members.
When an authenticated member requests an action in Firebase, IAM makes an authorization decision about whether the member has permission to perform the requested operation on the resource. Whether the member is allowed to perform the request depends on the member's assigned role. Each role is a collection of permissions, and when you assign a role to a member, you are granting that member all the permissions for that role.
Using Firebase IAM, you assign roles (and their inherent permissions) to your members. Members can be of the following types:
- Google account
- Service account
- Google group
Firebase IAM supports the following types of roles:
- Basic roles: Fundamental Owner, Editor, and Viewer roles (formerly called "primitive" roles).
- Predefined roles: Curated Firebase-specific roles that enable more granular access control than the basic roles. Firebase offers:
  - Firebase-level roles: Roles which grant full read/write or read-only access to all the Firebase products.
  - Product-category roles: Roles which grant full read/write or read-only access to groups of products. They are structured around Google Analytics and general product categories.
  - Product-level roles: Roles which grant full read/write or read-only access to specific Firebase products.
- Custom roles: Fully customized roles that you create to tailor a set of permissions that meet the specific requirements of your organization.
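As an added example (not part of the Firebase documentation), the following Python sketch classifies each grant in a project IAM policy by role type and member type, and flags basic-role grants as candidates for a narrower predefined or custom role. The policy is constructed sample data in the JSON shape that `gcloud projects get-iam-policy` prints; telling role types apart by name prefix relies on the Google Cloud role naming convention, and the project, members and custom role name are hypothetical.

```python
# Constructed sample policy, in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Project, members and the custom role name are hypothetical.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": [
        "serviceAccount:ci@example-project.iam.gserviceaccount.com",
        "group:devs@example.com"]},
    {"role": "roles/firebase.viewer", "members": ["group:support@example.com"]},
    {"role": "projects/example-project/roles/crashTriage",
     "members": ["user:bob@example.com"]},
]}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
MEMBER_TYPES = {"user": "Google account",
                "serviceAccount": "Service account",
                "group": "Google group"}


def role_type(role):
    """Classify a role name as basic, predefined or custom."""
    if role in BASIC_ROLES:
        return "basic"
    if role.startswith(("projects/", "organizations/")) and "/roles/" in role:
        return "custom"
    return "predefined" if role.startswith("roles/") else "unknown"


def member_type(member):
    """Map the member prefix (text before the first colon) to a member type."""
    return MEMBER_TYPES.get(member.split(":", 1)[0], "other")


def audit(policy):
    """Return one row per (member, role) grant; basic-role grants get review=True."""
    rows = []
    for binding in policy.get("bindings", []):
        kind = role_type(binding["role"])
        for member in binding.get("members", []):
            rows.append({"member": member, "member_type": member_type(member),
                         "role": binding["role"], "role_type": kind,
                         "review": kind == "basic"})
    return rows


if __name__ == "__main__":
    for r in audit(SAMPLE_POLICY):
        print("REVIEW" if r["review"] else "ok", r["role_type"],
              r["member_type"], r["member"], r["role"], sep="\t")
```

Because a grant to a Google group applies to every member of that group, a flagged `group:` row usually deserves review before a single `user:` row.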
Role change latency
If you change a member's role assignment, it might take up to 5 minutes for the change to take effect.