權限通過角色授予您的項目成員。角色是權限的集合。將角色分配給項目成員時,您將授予該項目成員該角色包含的所有權限。
本頁面介紹了 Firebase 支持的角色中可能列出的權限所啟用的操作。這些權限分為兩類:
Firebase 中所有角色或特定操作所需的身份和訪問管理 (IAM) 權限
所需權限
Firebase IAM 包含以下權限:
有關特定於 Firebase 產品或服務的權限的一般列表和說明,請參閱特定於 Firebase 產品的 IAM 權限中的相應部分。
所有角色都包含所需的權限
使用任何 Firebase 產品或服務都需要下表中列出的權限。
這些權限會自動包含在每個Firebase 預定義角色中。
| 允許 | 描述 |
|---|---|
| 授予檢索 Firebase 項目信息的權限 | |
| 授予檢索 Firebase 項目信息的權限 | |
| 授予檢查 Google API 狀態和運行 Firebase CLI 命令的權限 |
Firebase 服務特定操作所需的權限
執行某些 Firebase 服務特定的操作需要下表中列出的權限。
當需要時,這些權限會自動包含在每個Firebase 預定義角色中。
| 行動 | 所需許可 |
|---|---|
| 使用協作工具(包括 Slack、Jira 和 PagerDuty)訪問 Firebase 項目集成 | firebaseextensions.configs.* |
| 從 StackDriver 查看使用情況和分析 | 監控.timeSeries.list |
| 運行Firebase CLI命令 有關更多信息,請參閱有關運行時配置器訪問的Google Cloud 文檔。 | 運行時配置.* |
Firebase 管理特定操作所需的權限
下表列出的權限是執行某些 Firebase 管理特定操作所需的附加權限。
| 管理權限及相關操作 | 需要額外的權限 |
|---|---|
firebase.billingPlans.update | |
| 更改 Firebase 項目的結算計劃 | resourcesmanager.projects.createBillingAssignment resourcesmanager.projects.deleteBillingAssignment |
firebase.projects.delete | |
| 刪除 Firebase 項目 | 資源管理器.項目.刪除 |
firebase.projects.update | |
| 將 Firebase 資源添加到現有 Google Cloud 項目 | 資源管理器.projects.get serviceusage.services.enable serviceusage.services.get |
| 更改 Firebase 項目的名稱 | 資源管理器.項目.更新 |
| 為 Android 應用程序添加 SHA 證書指紋 | clientauthconfig.clients.create |
| 刪除 Android 應用程序的 SHA 證書指紋 | clientauthconfig.clients.刪除 |
| 更新 Apple 應用程序的 App Store ID 或團隊 ID | clientauthconfig.clients.get clientauthconfig.clients.update |
Firebase 產品特定的 IAM 權限
下表列出了特定於 Firebase 產品或服務的權限。您可以使用這些權限來創建自定義角色。
Firebase 管理權限
請注意,以下某些管理權限需要額外的權限才能執行某些操作。
| 權限名稱 | 描述 |
|---|---|
| firebase.billingPlans.get | 檢索項目的當前Firebase 計費計劃 |
| firebase.billingPlans.update | 更改項目的當前Firebase 結算計劃 |
| firebase.clients.create | 將新應用程序添加到項目中 |
| firebase.clients.刪除 | 從項目中刪除現有應用程序 |
| firebase.clients.get | 檢索項目中應用程序的詳細信息和配置 |
| firebase.clients.list | 檢索項目中的應用程序列表 |
| firebase.clients.undelete | 在永久刪除數據之前取消刪除已刪除的應用程序 |
| firebase.clients.update | 更新項目中應用程序的詳細信息和配置 |
| firebase.links.create | 創建指向 Google 系統的新鏈接 (Firebase 控制台 > 項目設置 > 集成) |
| firebase.links.刪除 | 刪除指向 Google 系統的鏈接 (Firebase 控制台 > 項目設置 > 集成) |
| firebase.links.list | 檢索 Google 系統的鏈接列表 (Firebase 控制台 > 項目設置 > 集成) |
| firebase.links.update | 更新現有的 Google 系統鏈接 (Firebase 控制台 > 項目設置 > 集成) |
| firebase.playLinks.get | 檢索有關 Google Play 鏈接的詳細信息 (Firebase 控制台 > 項目設置 > 集成 > Google Play) |
| firebase.playLinks.list | 檢索 Google Play 的鏈接列表 (Firebase 控制台 > 項目設置 > 集成 > Google Play) |
| firebase.playLinks.update | 創建新鏈接並更新指向 Google Play 的現有鏈接 (Firebase 控制台 > 項目設置 > 集成 > Google Play) |
| firebase.projects.delete | 刪除現有項目 |
| firebase.projects.get | 檢索項目的詳細信息和 Firebase 資源 |
| firebase.projects.update | 修改現有項目的屬性 接收適用 Firebase 產品和功能的提醒(了解更多) |
| firebaseinstallations.instances.delete | 刪除 Firebase 安裝 ID 以及與該安裝相關的數據(了解更多) |
谷歌分析權限
以下權限授予對鏈接到 Firebase 項目的 Analytics 媒體資源的訪問權限。它們允許 Firebase 項目成員訪問 Analytics 數據,包括受眾群體、用戶屬性、渠道、報告、轉化等。
| 權限名稱 | 描述 |
|---|---|
| firebaseanalytics.resources.googleAnalytics編輯 | 默認情況下,將分析編輯者角色授予鏈接的分析媒體資源 |
| firebaseanalytics.resources.googleAnalyticsAdditionalAccess | 默認情況下,將 Analytics 營銷人員角色授予鏈接的 Analytics 媒體資源 |
| firebaseanalytics.resources.googleAnalyticsReadAndAnalyze | 默認情況下,將分析查看者角色授予鏈接的分析媒體資源 |
| firebaseanalytics.resources.googleAnalyticsRestrictedAccess | 默認情況下,向鏈接的 Analytics 媒體資源授予分析查看者角色,但無法訪問收入數據和成本數據 |
Firebase 應用檢查權限
| 權限名稱 | 描述 |
|---|---|
| firebaseappcheck.appAttestConfig.get | 檢索應用程序的應用程序證明配置 |
| firebaseappcheck.appAttestConfig.update | 更新應用程序的應用程序認證配置 |
| firebaseappcheck.appCheckTokens.verify | 驗證為 Firebase 項目頒發的 App Check 令牌 |
| firebaseappcheck.debugTokens.get | 檢索應用程序的調試令牌 |
| firebaseappcheck.debugTokens.update | 創建、更新或刪除應用程序的調試令牌 |
| firebaseappcheck.deviceCheckConfig.get | 檢索應用程序的 DeviceCheck 配置 |
| firebaseappcheck.deviceCheckConfig.update | 更新應用程序的 DeviceCheck 配置 |
| firebaseappcheck.playIntegrityConfig.get | 檢索應用程序的 Play Integrity 配置 |
| firebaseappcheck.playIntegrityConfig.update | 更新應用程序的 Play Integrity 配置 |
| firebaseappcheck.recaptchaEnterpriseConfig.get | 檢索應用程序的 reCAPTCHA Enterprise 配置 |
| firebaseappcheck.recaptchaEnterpriseConfig.update | 更新應用程序的 reCAPTCHA Enterprise 配置 |
| firebaseappcheck.recaptchaV3Config.get | 檢索應用程序的 reCAPTCHA v3 配置 |
| firebaseappcheck.recaptchaV3Config.update | 更新應用程序的 reCAPTCHA v3 配置 |
| firebaseappcheck.safetyNetConfig.get | 檢索應用程序的 SafetyNet 配置 |
| firebaseappcheck.safetyNetConfig.update | 更新應用程序的 SafetyNet 配置 |
| firebaseappcheck.services.get | 檢索項目的服務實施配置 |
| firebaseappcheck.services.update | 更新項目的服務實施配置 |
Firebase 應用分發權限
| 權限名稱 | 描述 |
|---|---|
| firebaseappdistro.releases.list | 檢索現有發行版和邀請鏈接的列表 |
| firebaseappdistro.releases.update | 創建、刪除和修改發行版 創建和刪除邀請鏈接 |
| firebaseappdistro.testers.list | 檢索項目中現有測試人員的列表 |
| firebaseappdistro.testers.update | 在項目中創建和刪除測試人員 |
| firebaseappdistro.groups.list | 檢索項目中現有測試人員組的列表 |
| firebaseappdistro.groups.update | 在項目中創建和刪除測試人員組 |
Firebase 身份驗證權限
| 權限名稱 | 描述 |
|---|---|
| firebaseauth.configs.create | 創建身份驗證配置 |
| firebaseauth.configs.get | 檢索身份驗證配置 |
| firebaseauth.configs.getHashConfig | 獲取用戶帳戶的密碼哈希配置和密碼哈希 |
| firebaseauth.configs.getSecret | 在身份驗證配置中獲取客戶端密鑰 |
| firebaseauth.configs.update | 更新現有的身份驗證配置 |
| firebaseauth.user.create | 在身份驗證中創建新用戶 |
| firebaseauth.users.createSession | 為登錄用戶創建會話cookie |
| firebaseauth.users.delete | 刪除身份驗證中的現有用戶 |
| firebaseauth.user.get | 檢索現有身份驗證用戶的列表 |
| firebaseauth.users.sendEmail | 向用戶發送電子郵件 |
| firebaseauth.user.update | 更新身份驗證中的現有用戶 |
Firebase A/B 測試權限(測試版)
| 權限名稱 | 描述 |
|---|---|
| firebaseabt.experimentresults.get | 檢索實驗結果 |
| firebaseabt.experiments.create | 創建新實驗 |
| firebaseabt.experiments.delete | 刪除現有實驗 |
| firebaseabt.experiments.get | 檢索現有實驗的詳細信息 |
| firebaseabt.experiments.list | 檢索現有實驗的列表 |
| firebaseabt.experiments.update | 更新現有實驗 |
| firebaseabt.projectmetadata.get | 檢索分析元數據以設置實驗 |
Cloud Firestore 權限
有關 Cloud Firestore 權限的列表和說明,請參閱Google Cloud 文檔。
雲存儲權限
有關 Cloud Storage 權限的列表和說明,請參閱Google Cloud 文檔。
Firebase 安全規則(Cloud Firestore 和 Cloud Storage)權限
| 權限名稱 | 描述 |
|---|---|
| firebaserules.releases.create | 創建版本 |
| firebaserules.releases.delete | 刪除版本 |
| firebaserules.releases.get | 檢索版本 |
| firebaserules.releases.getExecutable | 檢索版本的二進制可執行有效負載 |
| firebaserules.releases.list | 檢索版本列表 |
| firebaserules.releases.update | 更新版本的規則集參考 |
| firebaserules.rulesets.create | 創建新規則集 |
| firebaserules.rulesets.delete | 刪除現有規則集 |
| firebaserules.rulesets.get | 使用源檢索規則集 |
| firebaserules.rulesets.list | 查找規則集元數據(無來源) |
| firebaserules.rulesets.test | 測試源的正確性 |
Firebase 權限的雲功能
有關 Cloud Functions 權限的列表和說明,請參閱IAM 文檔。
請注意,功能的部署需要特定的權限配置,這些權限不包含在標準Firebase 預定義角色中。要部署功能,請使用以下選項之一:
將功能部署委託給項目所有者。
如果您僅部署非 HTTP 函數,則項目編輯器可以部署您的函數。
將功能部署委託給具有以下兩個角色的項目成員:
- 雲功能管理員角色 (
roles/cloudfunctions.admin) - 服務帳戶用戶角色 (
roles/iam.serviceAccountUser)
項目所有者可以使用 Google Cloud Console 或 gcloud CLI將這些角色分配給項目成員。有關此角色配置的詳細步驟和安全影響,請參閱IAM 文檔。
- 雲功能管理員角色 (
Firebase 消息傳遞活動權限
這些權限適用於 Firebase Cloud Messaging 和 Firebase In-App Messaging 的營銷活動。
| 權限名稱 | 描述 |
|---|---|
| firebasemessagingcampaigns.campaigns.create | 創建新的營銷活動 |
| firebasemessagingcampaigns.campaigns.delete | 刪除現有的廣告活動 |
| firebasemessagingcampaigns.campaigns.get | 檢索現有活動的詳細信息 |
| firebasemessagingcampaigns.campaigns.list | 檢索現有活動的列表 |
| firebasemessagingcampaigns.campaigns.update | 更新現有活動 |
| firebasemessagingcampaigns.campaigns.start | 啟動現有活動 |
| firebasemessagingcampaigns.campaigns.stop | 更新現有活動 |
Firebase 雲消息傳遞權限
| 權限名稱 | 描述 |
|---|---|
| 雲消息.messages.create | 通過 FCM HTTP API 和 Admin SDK 發送通知和數據消息 |
| 權限名稱 | 描述 |
|---|---|
| firebasenotifications.messages.create | 在通知編輯器中創建新消息 |
| firebasenotifications.messages.delete | 刪除通知編輯器中的現有消息 |
| firebasenotifications.messages.get | 檢索通知編輯器中現有消息的詳細信息 |
| firebasenotifications.messages.list | 檢索通知編輯器中現有消息的列表 |
| firebasenotifications.messages.update | 更新通知編輯器中的現有消息 |
Firebase Crashlytics 權限
| 權限名稱 | 描述 |
|---|---|
| firebasecrashlytics.config.get | 檢索 Crashlytics 配置設置 |
| firebasecrashlytics.config.update | 更新 Crashlytics 配置設置 |
| firebasecrashlytics.data.get | 檢索與 Crashlytics 問題和會話相關的指標 |
| firebasecrashlytics.issues.get | 檢索有關 Crashlytics 問題的詳細信息,包括問題附帶的註釋 |
| firebasecrashlytics.issues.list | 檢索 Crashlytics 問題列表 |
| firebasecrashlytics.issues.update | 打開、關閉和靜音現有的 Crashlytics 問題 更新問題附帶的註釋 |
| firebasecrashlytics.sessions.get | 檢索有關 Crashlytics 崩潰會話的詳細信息 |
| 權限名稱 | 描述 |
|---|---|
| firebasecrash.issues.update | 更新現有的 Crashlytics 問題、創建問題註釋並設置速度警報 |
| firebasecrash.reports.get | 檢索現有的 Crashlytics 報告 |
Firebase 動態鏈接權限
| 權限名稱 | 描述 |
|---|---|
| firebasedynamiclinks.domains.create | 創建新的動態鏈接域 |
| firebasedynamiclinks.domains.delete | 刪除現有的動態鏈接域 |
| firebasedynamiclinks.domains.get | 檢索現有動態鏈接域的詳細信息 |
| firebasedynamiclinks.domains.list | 檢索現有動態鏈接域的列表 |
| firebasedynamiclinks.domains.update | 更新現有動態鏈接域 |
| firebasedynamiclinks.links.create | 創建新的動態鏈接 |
| firebasedynamiclinks.links.get | 檢索現有動態鏈接的詳細信息 |
| firebasedynamiclinks.links.list | 檢索現有動態鏈接的列表 |
| firebasedynamiclinks.links.update | 更新現有的動態鏈接 |
| firebasedynamiclinks.stats.get | 檢索動態鏈接統計信息 |
| firebasedynamiclinks.destinations.list | 檢索現有的動態鏈接目標 |
| firebasedynamiclinks.destinations.update | 更新現有動態鏈接目標 |
Firebase 擴展發布權限
| 權限名稱 | 描述 |
|---|---|
| firebaseextensionspublisher.extensions.create | 上傳擴展的新版本 |
| firebaseextensionspublisher.extensions.delete | 刪除或棄用擴展的版本 |
| firebaseextensionspublisher.extensions.get | 檢索有關擴展版本的詳細信息 |
| firebaseextensionspublisher.extensions.list | 列出此發布者項目上傳的所有擴展版本 |
Firebase 託管權限
| 權限名稱 | 描述 |
|---|---|
| firebasehosting.sites.create | 為 Firebase 項目創建新的託管資源 |
| firebasehosting.sites.delete | 刪除 Firebase 項目的現有託管資源 |
| firebasehosting.sites.get | 檢索 Firebase 項目的現有託管資源的詳細信息 |
| firebasehosting.sites.list | 檢索 Firebase 項目的託管資源列表 |
| firebasehosting.sites.update | 更新 Firebase 項目的現有託管資源 |
Firebase 應用內消息傳遞權限(測試版)
| 權限名稱 | 描述 |
|---|---|
| firebaseinappmessaging.campaigns.create | 創建新的營銷活動 |
| firebaseinappmessaging.campaigns.delete | 刪除現有的廣告活動 |
| firebaseinappmessaging.campaigns.get | 檢索現有活動的詳細信息 |
| firebaseinappmessaging.campaigns.list | 檢索現有活動的列表 |
| firebaseinappmessaging.campaigns.update | 更新現有活動 |
Firebase ML 權限(測試版)
| 權限名稱 | 描述 |
|---|---|
| firebaseml.models.create | 創建新的機器學習模型 |
| firebaseml.models.update | 更新現有的機器學習模型 |
| firebaseml.models.刪除 | 刪除現有的機器學習模型 |
| firebaseml.models.get | 檢索現有 ML 模型的詳細信息 |
| firebaseml.models.list | 檢索現有 ML 模型的列表 |
| firebaseml.modelversions.create | 創建新模型版本 |
| firebaseml.modelversions.get | 檢索現有模型版本的詳細信息 |
| firebaseml.modelversions.list | 檢索現有模型版本的列表 |
| firebaseml.modelversions.update | 更新現有模型版本 |
Firebase 性能監控權限
| 權限名稱 | 描述 |
|---|---|
| firebaseperformance.config.create | 創建新的問題閾值配置 |
| firebaseperformance.config.刪除 | 刪除現有問題閾值配置 |
| firebaseperformance.config.更新 | 修改警報和現有問題閾值配置 |
| firebaseperformance.data.get | 查看所有性能數據和問題閾值 |
Firebase 實時數據庫權限
| 權限名稱 | 描述 |
|---|---|
| firebaseddatabase.instances.create | 創建新的數據庫實例 |
| firebaseddatabase.instances.get | 檢索現有數據庫實例的元數據 對現有數據庫實例中的數據的只讀訪問 |
| firebaseddatabase.instances.list | 檢索現有數據庫實例的列表 |
| firebaseddatabase.instances.update | 對現有數據庫實例中數據的完全讀寫訪問權限 啟用和禁用數據庫實例 檢索和修改現有數據庫實例的安全規則 |
| firebaseddatabase.instances.禁用 | 禁用活動數據庫實例 現有數據將被保留,但無法進行讀/寫訪問。 |
| firebaseddatabase.instances.reenable | 重新啟用已禁用的數據庫實例 現有數據再次可供讀/寫訪問。 |
| firebaseddatabase.instances.delete | 刪除禁用的數據庫實例 已刪除的數據庫名稱無法重複使用。 已刪除的數據庫實例中的數據將在 20 天后永久刪除。 |
| firebaseddatabase.instances.undelete | 在永久刪除數據之前取消刪除已刪除的數據庫實例 刪除的數據庫實例中的數據將在實例刪除20天后永久刪除。 |
Firebase 遠程配置權限
| 權限名稱 | 描述 |
|---|---|
| cloudconfig.configs.get | 檢索遠程配置數據 |
| cloudconfig.configs.update | 更新遠程配置數據 |
Firebase 測試實驗室權限
測試實驗室需要訪問 Cloud Storage 存儲桶,因此需要特定的權限配置,而這些權限並未全部包含在標準Firebase 預定義角色中。要授予對測試實驗室的訪問權限,請使用以下選項之一:
對於從 Firebase 控制台啟動的測試
在專用的單獨 Firebase 項目中測試您的應用。
添加需要測試實驗室訪問權限的成員,然後使用Firebase 控制台為他們分配舊項目角色。
- 要允許成員使用測試實驗室運行測試,請指定項目編輯者或更高級別。
- 要允許成員在測試實驗室中查看測試結果,請指定項目查看者或更高級別。
對於使用您自己的 Cloud Storage 存儲桶時從gcloud CLI 、測試 API或Gradle 託管設備啟動的測試
使用Google Cloud Console分配一對預定義角色(共同授予所需的權限集)。
要允許成員使用測試實驗室運行測試,請分配以下兩項:
- Firebase 測試實驗室管理員 (
roles/cloudtestservice.testAdmin) - Firebase 分析查看器 (
roles/firebase.analyticsViewer)
- Firebase 測試實驗室管理員 (
要允許成員在測試實驗室中查看測試結果,請分配以下兩項:
- Firebase 測試實驗室查看器 (
roles/cloudtestservice.testViewer) - Firebase 分析查看器 (
roles/firebase.analyticsViewer)
- Firebase 測試實驗室查看器 (
| 權限名稱 | 描述 |
|---|---|
| cloudtestservice.environmentcatalog.get | 檢索項目支持的測試環境的目錄 |
| cloudtestservice.matrices.create | 請求根據給定的規范運行測試矩陣 |
| cloudtestservice.matrices.get | 檢索測試矩陣的狀態 |
| cloudtestservice.matrices.update | 更新未完成的測試矩陣 |
| cloudtoolresults.executions.list | 檢索歷史記錄的處決列表 |
| cloudtoolresults.executions.get | 檢索現有的執行 |
| cloudtoolresults.executions.create | 創建一個新的執行 |
| cloudtoolresults.executions.update | 更新現有的執行 |
| cloudtoolresults.history.list | 檢索歷史列表 |
| cloudtoolresults.history.get | 檢索現有歷史記錄 |
| cloudtoolresults.history.create | 創造新的歷史 |
| cloudtoolresults.settings.create | 創建新的工具結果設置 |
| cloudtoolresults.settings.get | 檢索現有工具結果設置 |
| cloudtoolresults.settings.update | 更新工具結果設置 |
| cloudtoolresults.steps.list | 檢索執行步驟列表 |
| cloudtoolresults.steps.get | 檢索現有步驟 |
| cloudtoolresults.steps.create | 創建一個新步驟 |
| cloudtoolresults.steps.update | 更新現有步驟 |
與外部服務權限集成
| 權限名稱 | 描述 |
|---|---|
| firebaseextensions.configs.create | 為外部服務創建新的擴展配置 (Firebase 控制台 > 項目設置 > 集成) |
| firebaseextensions.configs.刪除 | 刪除外部服務的現有擴展配置 (Firebase 控制台 > 項目設置 > 集成) |
| firebaseextensions.configs.list | 檢索外部服務的擴展配置列表 (Firebase 控制台 > 項目設置 > 集成) |
| firebaseextensions.configs.update | 更新外部服務的現有擴展配置 (Firebase 控制台 > 項目設置 > 集成) |
權限通過角色授予您的項目成員。角色是權限的集合。將角色分配給項目成員時,您將授予該項目成員該角色包含的所有權限。
本頁面介紹了 Firebase 支持的角色中可能列出的權限所啟用的操作。這些權限分為兩類:
Firebase 中所有角色或特定操作所需的身份和訪問管理 (IAM) 權限
所需權限
Firebase IAM 包含以下權限:
有關特定於 Firebase 產品或服務的權限的一般列表和說明,請參閱特定於 Firebase 產品的 IAM 權限中的相應部分。
所有角色都包含所需的權限
使用任何 Firebase 產品或服務都需要下表中列出的權限。
這些權限會自動包含在每個Firebase 預定義角色中。
| 允許 | 描述 |
|---|---|
| 授予檢索 Firebase 項目信息的權限 | |
| 授予檢索 Firebase 項目信息的權限 | |
| 授予檢查 Google API 狀態和運行 Firebase CLI 命令的權限 |
Firebase 服務特定操作所需的權限
執行某些 Firebase 服務特定的操作需要下表中列出的權限。
當需要時,這些權限會自動包含在每個Firebase 預定義角色中。
| 行動 | 所需許可 |
|---|---|
| 使用協作工具(包括 Slack、Jira 和 PagerDuty)訪問 Firebase 項目集成 | firebaseextensions.configs.* |
| 從 StackDriver 查看使用情況和分析 | 監控.timeSeries.list |
| 運行Firebase CLI命令 有關更多信息,請參閱有關運行時配置器訪問的Google Cloud 文檔。 | 運行時配置.* |
Firebase 管理特定操作所需的權限
下表列出的權限是執行某些 Firebase 管理特定操作所需的附加權限。
| 管理權限及相關操作 | 需要額外的權限 |
|---|---|
firebase.billingPlans.update | |
| 更改 Firebase 項目的結算計劃 | resourcesmanager.projects.createBillingAssignment resourcesmanager.projects.deleteBillingAssignment |
firebase.projects.delete | |
| 刪除 Firebase 項目 | 資源管理器.項目.刪除 |
firebase.projects.update | |
| 將 Firebase 資源添加到現有 Google Cloud 項目 | 資源管理器.projects.get serviceusage.services.enable serviceusage.services.get |
| 更改 Firebase 項目的名稱 | 資源管理器.項目.更新 |
| 為 Android 應用程序添加 SHA 證書指紋 | clientauthconfig.clients.create |
| 刪除 Android 應用程序的 SHA 證書指紋 | clientauthconfig.clients.刪除 |
| 更新 Apple 應用程序的 App Store ID 或團隊 ID | clientauthconfig.clients.get clientauthconfig.clients.update |
Firebase 產品特定的 IAM 權限
下表列出了特定於 Firebase 產品或服務的權限。您可以使用這些權限來創建自定義角色。
Firebase 管理權限
請注意,以下某些管理權限需要額外的權限才能執行某些操作。
| 權限名稱 | 描述 |
|---|---|
| firebase.billingPlans.get | 檢索項目的當前Firebase 計費計劃 |
| firebase.billingPlans.update | 更改項目的當前Firebase 結算計劃 |
| firebase.clients.create | 將新應用程序添加到項目中 |
| firebase.clients.刪除 | 從項目中刪除現有應用程序 |
| firebase.clients.get | 檢索項目中應用程序的詳細信息和配置 |
| firebase.clients.list | 檢索項目中的應用程序列表 |
| firebase.clients.undelete | 在永久刪除數據之前取消刪除已刪除的應用程序 |
| firebase.clients.update | 更新項目中應用程序的詳細信息和配置 |
| firebase.links.create | 創建指向 Google 系統的新鏈接 (Firebase 控制台 > 項目設置 > 集成) |
| firebase.links.刪除 | 刪除指向 Google 系統的鏈接 (Firebase 控制台 > 項目設置 > 集成) |
| firebase.links.list | 檢索 Google 系統的鏈接列表 (Firebase 控制台 > 項目設置 > 集成) |
| firebase.links.update | Update existing links to Google systems (Firebase console > Project Settings > Integrations) |
| firebase.playLinks.get | Retrieve details about a link to Google Play (Firebase console > Project Settings > Integrations > Google Play) |
| firebase.playLinks.list | Retrieve a list of links to Google Play (Firebase console > Project Settings > Integrations > Google Play) |
| firebase.playLinks.update | Create new links and update existing links to Google Play (Firebase console > Project Settings > Integrations > Google Play) |
| firebase.projects.delete | Delete existing projects |
| firebase.projects.get | Retrieve details and Firebase resources for a project |
| firebase.projects.update | Modify the attributes of an existing project Receive alerts for applicable Firebase products and features ( learn more ) |
| firebaseinstallations.instances.delete | Delete a Firebase installation ID and the data tied to that installation ( learn more ) |
Google Analytics permissions
The following permissions grant access to the Analytics property linked to the Firebase project. They allow Firebase project members to access Analytics data, including audiences, user properties, funnels, reports, conversions, etc.
| Permission name | Description |
|---|---|
| firebaseanalytics.resources.googleAnalyticsEdit | By default, grants the Analytics Editor role to the linked Analytics property |
| firebaseanalytics.resources.googleAnalyticsAdditionalAccess | By default, grants the Analytics Marketer role to the linked Analytics property |
| firebaseanalytics.resources.googleAnalyticsReadAndAnalyze | By default, grants the Analytics Viewer role to the linked Analytics property |
| firebaseanalytics.resources.googleAnalyticsRestrictedAccess | By default, grants the Analytics Viewer role to the linked Analytics property with no access to revenue data and cost data |
Firebase App Check permissions
| Permission name | Description |
|---|---|
| firebaseappcheck.appAttestConfig.get | Retrieve the App Attest configuration of an app |
| firebaseappcheck.appAttestConfig.update | Update the App Attest configuration of an app |
| firebaseappcheck.appCheckTokens.verify | Verify App Check tokens issued for a Firebase project |
| firebaseappcheck.debugTokens.get | Retrieve debug tokens of an app |
| firebaseappcheck.debugTokens.update | Create, update, or delete debug tokens of an app |
| firebaseappcheck.deviceCheckConfig.get | Retrieve the DeviceCheck configuration of an app |
| firebaseappcheck.deviceCheckConfig.update | Update the DeviceCheck configuration of an app |
| firebaseappcheck.playIntegrityConfig.get | Retrieve the Play Integrity configuration of an app |
| firebaseappcheck.playIntegrityConfig.update | Update the Play Integrity configuration of an app |
| firebaseappcheck.recaptchaEnterpriseConfig.get | Retrieve the reCAPTCHA Enterprise configuration of an app |
| firebaseappcheck.recaptchaEnterpriseConfig.update | Update the reCAPTCHA Enterprise configuration of an app |
| firebaseappcheck.recaptchaV3Config.get | Retrieve the reCAPTCHA v3 configuration of an app |
| firebaseappcheck.recaptchaV3Config.update | Update the reCAPTCHA v3 configuration of an app |
| firebaseappcheck.safetyNetConfig.get | Retrieve the SafetyNet configuration of an app |
| firebaseappcheck.safetyNetConfig.update | Update the SafetyNet configuration of an app |
| firebaseappcheck.services.get | Retrieve service enforcement configurations of a project |
| firebaseappcheck.services.update | Update service enforcement configurations of a project |
Firebase App Distribution permissions
| Permission name | Description |
|---|---|
| firebaseappdistro.releases.list | Retrieve a list of existing distributions and Invite Links |
| firebaseappdistro.releases.update | Create, delete, and modify distributions Create and delete Invite Links |
| firebaseappdistro.testers.list | Retrieve a list of existing testers in a project |
| firebaseappdistro.testers.update | Create and delete testers in a project |
| firebaseappdistro.groups.list | Retrieve a list of existing tester groups in a project |
| firebaseappdistro.groups.update | Create and delete tester groups in a project |
Firebase Authentication permissions
| Permission name | Description |
|---|---|
| firebaseauth.configs.create | Create the Authentication configuration |
| firebaseauth.configs.get | Retrieve the Authentication configuration |
| firebaseauth.configs.getHashConfig | Get the password hash config and password hash of user accounts |
| firebaseauth.configs.getSecret | Get the client secret in the Authentication configuration |
| firebaseauth.configs.update | Update the existing Authentication configuration |
| firebaseauth.users.create | Create new users in Authentication |
| firebaseauth.users.createSession | Create session cookie for a logged-in user |
| firebaseauth.users.delete | Delete existing users in Authentication |
| firebaseauth.users.get | Retrieve a list of existing Authentication users |
| firebaseauth.users.sendEmail | Send emails to the users |
| firebaseauth.users.update | Update existing users in Authentication |
Firebase A/B Testing permissions (beta)
| Permission name | Description |
|---|---|
| firebaseabt.experimentresults.get | Retrieve the results of an experiment |
| firebaseabt.experiments.create | Create new experiments |
| firebaseabt.experiments.delete | Delete existing experiments |
| firebaseabt.experiments.get | Retrieve details of an existing experiment |
| firebaseabt.experiments.list | Retrieve a list of existing experiments |
| firebaseabt.experiments.update | Update an existing experiment |
| firebaseabt.projectmetadata.get | Retrieve analytics metadata for setting up an experiment |
Cloud Firestore permissions
For a list and descriptions of Cloud Firestore permissions, refer to the Google Cloud documentation .
Cloud Storage permissions
For a list and descriptions of Cloud Storage permissions, refer to the Google Cloud documentation .
Firebase Security Rules (Cloud Firestore and Cloud Storage) permissions
| Permission name | Description |
|---|---|
| firebaserules.releases.create | Create releases |
| firebaserules.releases.delete | Delete releases |
| firebaserules.releases.get | Retrieve releases |
| firebaserules.releases.getExecutable | Retrieve the binary executable payloads for releases |
| firebaserules.releases.list | Retrieve a list of releases |
| firebaserules.releases.update | Update ruleset references for releases |
| firebaserules.rulesets.create | Create new rulesets |
| firebaserules.rulesets.delete | Delete existing ruleset |
| firebaserules.rulesets.get | Retrieve rulesets with source |
| firebaserules.rulesets.list | Find ruleset metadata (no source) |
| firebaserules.rulesets.test | Test sources for correctness |
Cloud Functions for Firebase permissions
For a list and descriptions of Cloud Functions permissions, refer to the IAM documentation .
Be aware that the deployment of functions requires a specific configuration of permissions that aren't included in the standard Firebase predefined roles . To deploy functions, use one of the following options:
Delegate the deployment of functions to a project Owner .
If you're deploying only non-HTTP functions, then a project Editor can deploy your functions.
Delegate deployment of functions to a project member who has the following two roles:
- Cloud Functions Admin role (
roles/cloudfunctions.admin) - Service Account User role (
roles/iam.serviceAccountUser)
A project Owner can assign these roles to a project member using the Google Cloud Console or gcloud CLI . For detailed steps and security implications for this role configuration, refer to the IAM documentation .
- Cloud Functions Admin role (
Firebase messaging campaigns permissions
These permissions apply to campaigns for Firebase Cloud Messaging and Firebase In-App Messaging.
| Permission name | Description |
|---|---|
| firebasemessagingcampaigns.campaigns.create | Create new campaigns |
| firebasemessagingcampaigns.campaigns.delete | Delete existing campaigns |
| firebasemessagingcampaigns.campaigns.get | Retrieve details of existing campaigns |
| firebasemessagingcampaigns.campaigns.list | Retrieve a list of existing campaigns |
| firebasemessagingcampaigns.campaigns.update | Update existing campaigns |
| firebasemessagingcampaigns.campaigns.start | Start existing campaigns |
| firebasemessagingcampaigns.campaigns.stop | Update existing campaigns |
Firebase Cloud Messaging permissions
| Permission name | Description |
|---|---|
| cloudmessaging.messages.create | Send notifications and data messages through the FCM HTTP API and Admin SDK |
| Permission name | Description |
|---|---|
| firebasenotifications.messages.create | Create new messages in the Notifications composer |
| firebasenotifications.messages.delete | Delete existing messages in the Notifications composer |
| firebasenotifications.messages.get | Retrieve details of existing messages in the Notifications composer |
| firebasenotifications.messages.list | Retrieve a list of existing messages in the Notifications composer |
| firebasenotifications.messages.update | Update existing messages in the Notifications composer |
Firebase Crashlytics permissions
| Permission name | Description |
|---|---|
| firebasecrashlytics.config.get | Retrieve Crashlytics configuration settings |
| firebasecrashlytics.config.update | Update Crashlytics configuration settings |
| firebasecrashlytics.data.get | Retrieve metrics associated with Crashlytics issues and sessions |
| firebasecrashlytics.issues.get | Retrieve details about Crashlytics issues, including notes attached to issues |
| firebasecrashlytics.issues.list | Retrieve a list of Crashlytics issues |
| firebasecrashlytics.issues.update | Open, close, and mute existing Crashlytics issues Update notes attached to issues |
| firebasecrashlytics.sessions.get | Retrieve details about Crashlytics crash sessions |
| Permission name | Description |
|---|---|
| firebasecrash.issues.update | Update existing Crashlytics issues, create notes on issues, and set velocity alerts |
| firebasecrash.reports.get | Retrieve existing Crashlytics reports |
Firebase Dynamic Links permissions
| Permission name | Description |
|---|---|
| firebasedynamiclinks.domains.create | Create new Dynamic Links domains |
| firebasedynamiclinks.domains.delete | Delete existing Dynamic Links domains |
| firebasedynamiclinks.domains.get | Retrieve details of existing Dynamic Links domains |
| firebasedynamiclinks.domains.list | Retrieve a list of existing Dynamic Links domains |
| firebasedynamiclinks.domains.update | Update existing Dynamic Links domains |
| firebasedynamiclinks.links.create | Create new Dynamic Links |
| firebasedynamiclinks.links.get | Retrieve details of existing Dynamic Links |
| firebasedynamiclinks.links.list | Retrieve a list of existing Dynamic Links |
| firebasedynamiclinks.links.update | Update existing Dynamic Links |
| firebasedynamiclinks.stats.get | Retrieve Dynamic Links statistics |
| firebasedynamiclinks.destinations.list | Retrieve existing Dynamic Links destinations |
| firebasedynamiclinks.destinations.update | Update existing Dynamic Links destinations |
Firebase Extensions publishing permissions
| Permission name | Description |
|---|---|
| firebaseextensionspublisher.extensions.create | Upload new versions of an extension |
| firebaseextensionspublisher.extensions.delete | Delete or deprecate versions of an extension |
| firebaseextensionspublisher.extensions.get | Retrieve details about an extension version |
| firebaseextensionspublisher.extensions.list | List all extension versions uploaded by this publisher project |
Firebase Hosting permissions
| Permission name | Description |
|---|---|
| firebasehosting.sites.create | Create new Hosting resources for a Firebase project |
| firebasehosting.sites.delete | Delete existing Hosting resources for a Firebase project |
| firebasehosting.sites.get | Retrieve details of an existing Hosting resources for a Firebase project |
| firebasehosting.sites.list | Retrieve a list of Hosting resources for a Firebase project |
| firebasehosting.sites.update | Update existing Hosting resources for a Firebase project |
Firebase In-App Messaging permissions (beta)
| Permission name | Description |
|---|---|
| firebaseinappmessaging.campaigns.create | Create new campaigns |
| firebaseinappmessaging.campaigns.delete | Delete existing campaigns |
| firebaseinappmessaging.campaigns.get | Retrieve details of existing campaigns |
| firebaseinappmessaging.campaigns.list | Retrieve a list of existing campaigns |
| firebaseinappmessaging.campaigns.update | Update existing campaigns |
Firebase ML permissions (beta)
| Permission name | Description |
|---|---|
| firebaseml.models.create | Create new ML models |
| firebaseml.models.update | Update existing ML models |
| firebaseml.models.delete | Delete existing ML models |
| firebaseml.models.get | Retrieve details of existing ML models |
| firebaseml.models.list | Retrieve a list of existing ML models |
| firebaseml.modelversions.create | Create new model versions |
| firebaseml.modelversions.get | Retrieve details of existing model versions |
| firebaseml.modelversions.list | Retrieve a list of existing model versions |
| firebaseml.modelversions.update | Update existing model versions |
Firebase Performance Monitoring permissions
| Permission name | Description |
|---|---|
| firebaseperformance.config.create | Create new issue threshold configurations |
| firebaseperformance.config.delete | Delete existing issue threshold configurations |
| firebaseperformance.config.update | Modify alert and existing issue threshold configurations |
| firebaseperformance.data.get | View all performance data and issue threshold values |
Firebase Realtime Database permissions
| Permission name | Description |
|---|---|
| firebasedatabase.instances.create | Create new database instances |
| firebasedatabase.instances.get | Retrieve the metadata of existing database instances Read-only access to the data in an existing database instance |
| firebasedatabase.instances.list | Retrieve a list of existing database instances |
| firebasedatabase.instances.update | Full read and write access to the data in existing database instances Enable and disable database instances Retrieve and modify security rules for existing database instances |
| firebasedatabase.instances.disable | Disable active database instances Existing data is kept but is not accessible for reads/writes. |
| firebasedatabase.instances.reenable | Re-enable disabled database instances Existing data is again accessible for reads/writes. |
| firebasedatabase.instances.delete | Delete disabled database instances Deleted database names cannot be reused. The data in a deleted database instance is permanently deleted after 20 days. |
| firebasedatabase.instances.undelete | Undelete a deleted database instance before its data is permanently deleted The data in a deleted database instance is permanently deleted 20 days after the instance is deleted. |
Firebase Remote Config permissions
| Permission name | Description |
|---|---|
| cloudconfig.configs.get | Retrieve Remote Config data |
| cloudconfig.configs.update | Update Remote Config data |
Firebase Test Lab permissions
Test Lab requires access to Cloud Storage buckets, so it requires a specific configuration of permissions that aren't all included in the standard Firebase predefined roles . To grant access to Test Lab, use one of the following options:
For tests started from Firebase console
Test your app in a dedicated separate Firebase project.
Add members who need Test Lab access, then assign them legacy project roles using the Firebase console .
- To allow a member to run tests with Test Lab, assign project Editor or above.
- To allow a member to view test results in Test Lab, assign project Viewer or above.
For tests started from the gcloud CLI , the Testing API , or Gradle Managed Devices while using your own Cloud Storage bucket
Assign a pair of predefined roles (which together grant the required set of permissions) using the Google Cloud Console .
To allow a member to run tests with Test Lab, assign both:
- Firebase Test Lab Admin (
roles/cloudtestservice.testAdmin) - Firebase Analytics Viewer (
roles/firebase.analyticsViewer)
- Firebase Test Lab Admin (
To allow a member to view test results in Test Lab, assign both:
- Firebase Test Lab Viewer (
roles/cloudtestservice.testViewer) - Firebase Analytics Viewer (
roles/firebase.analyticsViewer)
- Firebase Test Lab Viewer (
| Permission name | Description |
|---|---|
| cloudtestservice.environmentcatalog.get | Retrieve the catalog of supported test environments for a project |
| cloudtestservice.matrices.create | Request to run a matrix of tests according to the given specifications |
| cloudtestservice.matrices.get | Retrieve the status of a test matrix |
| cloudtestservice.matrices.update | Update an unfinished test matrix |
| cloudtoolresults.executions.list | Retrieve a list of Executions for a History |
| cloudtoolresults.executions.get | Retrieve an existing Execution |
| cloudtoolresults.executions.create | Create a new Execution |
| cloudtoolresults.executions.update | Update an existing Execution |
| cloudtoolresults.histories.list | Retrieve a list of Histories |
| cloudtoolresults.histories.get | Retrieve an existing History |
| cloudtoolresults.histories.create | Create a new History |
| cloudtoolresults.settings.create | Create new tool results settings |
| cloudtoolresults.settings.get | Retrieve existing tool results settings |
| cloudtoolresults.settings.update | Update tool results settings |
| cloudtoolresults.steps.list | Retrieve a list of Steps for an Execution |
| cloudtoolresults.steps.get | Retrieve an existing Step |
| cloudtoolresults.steps.create | Create a new Step |
| cloudtoolresults.steps.update | Update an existing Step |
Integrations with external services permissions
| Permission name | Description |
|---|---|
| firebaseextensions.configs.create | Create new extension configurations for external services (Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.delete | Delete existing extension configurations for external services (Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.list | Retrieve a list of extension configurations for external services (Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.update | Update existing extension configurations for external services (Firebase console > Project Settings > Integrations) |