Supported permissions for Firebase IAM

Firebase IAM supports permissions that are:

Required permissions for using Firebase

A number of permissions are required for general Firebase actions, including using the Firebase console.

The following table describes these permissions, including when each permission must be included in a custom role.

When necessary, these permissions are already included in Firebase predefined roles.

Permission Description
cloudnotifications.activities.list Required if the members need to subscribe to notification emails and in-console alerts from Firebase services
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze Required for all custom roles
Grants permission to view segments and data from Google Analytics for Firebase
firebaseextensions.configs Required if the members need access to Firebase project integrations with collaboration tools (including Slack and Jira)
monitoring.timeSeries.list Required if the members need to view usage and analytics from StackDriver
resourcemanager.*
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.list
Required for all custom roles
Grants permissions to retrieve Firebase project information
runtimeconfig.* Required if the members need to run Firebase CLI commands

For more information, see the GCP documentation about Runtime Configurator Access.

servicemanagement.* and
serviceusage.*
  • servicemanagement.projectSettings.get
  • serviceusage.apiKeys.get
  • serviceusage.apiKeys.getProjectForKey
  • serviceusage.apiKeys.list
  • serviceusage.operations.get
  • serviceusage.operations.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Required for all custom roles
Grants permissions to check for the state of Google APIs and to run Firebase CLI commands

Firebase-specific IAM permissions

The following tables list the permissions that Firebase supports.

Firebase Management permissions

Permission name Description
firebase.billingPlans.get Retrieve the current Firebase Billing Plan for a project
firebase.billingPlans.update Change the current Firebase Billing Plan for a project
firebase.clients.create Add new apps to a project
firebase.clients.delete Delete existing apps from a project
firebase.clients.get Retrieve a list of apps in a project
firebase.links.create Create new links to Google systems
(Firebase console > Project Settings > Integrations)
firebase.links.delete Delete links to Google systems
(Firebase console > Project Settings > Integrations)
firebase.links.list Retrieve a list of links to Google systems
(Firebase console > Project Settings > Integrations)
firebase.links.update Update existing links to Google systems
(Firebase console > Project Settings > Integrations)
firebase.projects.delete Delete existing projects
firebase.projects.get Retrieve details and Firebase resources for a project
firebase.projects.list Retrieve a list of Firebase projects
firebase.projects.update Modify the attributes of an existing project

Google Analytics for Firebase permissions

Permission name Description
firebaseanalytics.resources.googleAnalyticsEdit Modify existing Analytics data, including audiences, user properties, funnels, reporting parameters, conversions, and postbacks
For more information, see Analytics Help.
firebaseanalytics.resources.googleAnalyticsReadAndAnalyze View existing Analytics data, including reports and configuration data
Manipulate data within reports (for example, filters)
For more information, see Analytics Help.

Firebase Authentication permissions

Permission name Description
firebaseauth.configs.get Retrieve the Authentication configuration
firebaseauth.configs.update Update the existing Authentication configuration
firebaseauth.users.create Create new users in Authentication
firebaseauth.users.createSession Create session cookie for a logged-in user
firebaseauth.users.delete Delete existing users in Authentication
firebaseauth.users.get Retrieve a list of existing Authentication users
firebaseauth.users.sendEmail Send emails to the users
firebaseauth.users.update Update existing users in Authentication

Firebase Realtime Database permissions

Permission name Description
firebasedatabase.instances.create Create new database instances
firebasedatabase.instances.get Read-only access to the data in the database
firebasedatabase.instances.list Retrieve a list of existing database instances
firebasedatabase.instances.update Update existing database instances
Enable and disable database instances
Write access to the data in the database
Retrieve and modify security rules for the database
Retrieve and modify Cloud Functions triggers for the database

Cloud Firestore permissions

For a list and descriptions of Cloud Firestore permissions, see the GCP documentation.

Cloud Storage for Firebase permissions

For a list and descriptions of Cloud Storage permissions, see the GCP documentation.

Firebase Security Rules (Cloud Storage and Cloud Firestore) permissions

Permission name Description
firebaserules.releases.create Create releases
firebaserules.releases.delete Delete releases
firebaserules.releases.get Retrieve releases
firebaserules.releases.getExecutable Retrieve the binary executable payloads for releases
firebaserules.releases.list Retrieve a list of releases
firebaserules.releases.update Update ruleset references for releases
firebaserules.rulesets.create Create new rulesets
firebaserules.rulesets.delete Delete existing ruleset
firebaserules.rulesets.get Retrieve rulesets with source
firebaserules.rulesets.list Find ruleset metadata (no source)
firebaserules.rulesets.test Test sources for correctness

Firebase Hosting permissions

Permission name Description
firebasehosting.sites.create Create new Hosting resources (domains, versions, releases)
firebasehosting.sites.delete Delete existing Hosting resources (domains, versions)
firebasehosting.sites.get Retrieve details of an existing Hosting resource (domains, versions, releases)
firebasehosting.sites.list Retrieve a list of Hosting resources (domains, versions, releases)
firebasehosting.sites.update Update existing Hosting resources (domains, versions, releases)

Cloud Functions for Firebase permissions

For a list and descriptions of Cloud Functions permissions, see the GCP documentation.

Note that the deployment of functions requires a specific configuration of permissions that aren't included in the standard Firebase predefined roles. To deploy functions, use one of the following options:

  • Delegate the deployment of Cloud Functions to a project member assigned a primitive role of Owner or Editor.

  • Assign a member the Firebase Develop Admin predefined role (roles/firebase.developAdmin) using the Firebase console. Then, using the GCP Console or GCloud, also assign the member a service account user role (for detailed steps and security implications for this role configuration, see the GCP documentation).

ML Kit for Firebase permissions

Permission name Description
firebaseml.compressionjobs.create Create new compression jobs
firebaseml.compressionjobs.delete Delete existing compression jobs
firebaseml.compressionjobs.get Retrieve details of existing compression jobs
firebaseml.compressionjobs.list Retrieve a list of existing compression jobs
firebaseml.compressionjobs.start Start compression jobs
firebaseml.compressionjobs.update Update existing compression jobs
firebaseml.models.create Create new ML models
firebaseml.models.delete Delete existing ML models
firebaseml.models.get Retrieve details of existing ML models
firebaseml.models.list Retrieve a list of existing ML models
firebaseml.modelversions.create Create new model versions
firebaseml.modelversions.get Retrieve details of existing model versions
firebaseml.modelversions.list Retrieve a list of existing model versions
firebaseml.modelversions.update Update existing model versions

Firebase Crashlytics permissions

Permission name Description
firebasecrash.issues.update Update existing Crashlytics issues
firebasecrash.reports.get Retrieve existing Crashlytics reports

Firebase Performance Monitoring permissions

Permission name Description
firebaseperformance.config.create Create new issue threshold configurations
firebaseperformance.config.delete Delete existing issue threshold configurations
firebaseperformance.config.update Modify existing issue threshold configurations
firebaseperformance.data.get View all performance data and issue threshold values

Firebase Test Lab permissions

Test Lab requires access to Cloud Storage buckets, so it requires a specific configuration of permissions that aren't all included in the standard Firebase predefined roles. To grant access to Test Lab, use one of the following options:

  • Test your app in a dedicated separate Firebase project.

    • Add members who need Test Lab access, then assign them the Editor role using the Firebase console.
  • Assign a pair of predefined roles (which together grant the required set of permissions) using the GCP console.

    • To allow a member to run tests with Test Lab, assign both:
    • Firebase Test Lab Admin
    • Firebase Analytics Viewer

    • To allow a member to view test results in Test Lab, assign both:

    • Firebase Test Lab Viewer

    • Firebase Analytics Viewer

Permission name Description
cloudtestservice.environmentcatalog.get Retrieve the catalog of supported test environments for a project
cloudtestservice.matrices.create Request to run a matrix of tests according to the given specifications
cloudtestservice.matrices.get Retrieve the status of a test matrix
cloudtestservice.matrices.update Update an unfinished test matrix
cloudtoolresults.executions.list Retrieve a list of Executions for a History
cloudtoolresults.executions.get Retrieve an existing Execution
cloudtoolresults.executions.create Create a new Execution
cloudtoolresults.executions.update Update an existing Execution
cloudtoolresults.histories.list Retrieve a list of Histories
cloudtoolresults.histories.get Retrieve an existing History
cloudtoolresults.histories.create Create a new History
cloudtoolresults.settings.create Create new tool results settings
cloudtoolresults.settings.get Retrieve existing tool results settings
cloudtoolresults.settings.update Update tool results settings
cloudtoolresults.steps.list Retrieve a list of Steps for an Execution
cloudtoolresults.steps.get Retrieve an existing Step
cloudtoolresults.steps.create Create a new Step
cloudtoolresults.steps.update Update an existing Step

Firebase Predictions permissions

Permission name Description
firebasepredictions.predictions.create Create new predictions
firebasepredictions.predictions.delete Delete existing predictions
firebasepredictions.predictions.list Retrieve a list of existing predictions
firebasepredictions.predictions.update Update existing predictions

Firebase A/B Testing permissions

Permission name Description
firebaseabt.experimentresults.get Retrieve the results of an experiment
firebaseabt.experiments.create Create new experiments
firebaseabt.experiments.delete Delete existing experiments
firebaseabt.experiments.get Retrieve details of an existing experiment
firebaseabt.experiments.list Retrieve a list of existing experiments
firebaseabt.experiments.update Update an existing experiment
firebaseabt.projectmetadata.get Retrieve analytics metadata for setting up an experiment

Firebase Cloud Messaging permissions

Permission name Description
firebasenotifications.messages.create Create new messages in the Notifications composer
firebasenotifications.messages.delete Delete existing messages in the Notifications composer
firebasenotifications.messages.get Retrieve details of existing messages in the Notifications composerr
firebasenotifications.messages.list Retrieve a list of existing messages in the Notifications composer
firebasenotifications.messages.update Update existing messages in the Notifications composer

Firebase In-App Messaging permissions

Permission name Description
firebaseinappmessaging.campaigns.create Create new campaigns
firebaseinappmessaging.campaigns.delete Delete existing campaigns
firebaseinappmessaging.campaigns.get Retrieve details of existing campaigns
firebaseinappmessaging.campaigns.list Retrieve a list of existing campaigns
firebaseinappmessaging.campaigns.update Update existing campaigns

Firebase Remote Config permissions

Permission name Description
cloudconfig.configs.get Retrieve Remote Config data
cloudconfig.configs.update Update Remote Config data

Firebase Dynamic Links permissions

Permission name Description
firebasedynamiclinks.domains.create Create new Dynamic Links domains
firebasedynamiclinks.domains.delete Delete existing Dynamic Links domains
firebasedynamiclinks.domains.get Retrieve details of existing Dynamic Links domains
firebasedynamiclinks.domains.list Retrieve a list of existing Dynamic Links domains
firebasedynamiclinks.domains.update Update existing Dynamic Links domains
firebasedynamiclinks.links.create Create new Dynamic Links
firebasedynamiclinks.links.get Retrieve details of existing Dynamic Links
firebasedynamiclinks.links.list Retrieve a list of existing Dynamic Links
firebasedynamiclinks.links.update Update existing Dynamic Links
firebasedynamiclinks.stats.get Retrieve Dynamic Links statistics
firebasedynamiclinks.destinations.list Retrieve existing Dynamic Links destinations
firebasedynamiclinks.destinations.update Update existing Dynamic Links destinations

Extensions permissions

Permission name Description
firebaseextensions.configs.create Create new extension configurations for external services
(Firebase console > Project Settings > Integrations)
firebaseextensions.configs.delete Delete existing extension configurations for external services
(Firebase console > Project Settings > Integrations)
firebaseextensions.configs.list Retrieve a list of extension configurations for external services
(Firebase console > Project Settings > Integrations)
firebaseextensions.configs.update Update existing extension configurations for external services
(Firebase console > Project Settings > Integrations)

Send feedback about...

Need help? Visit our support page.