Permissions are granted to your project members via roles. A role is a collection of permissions. When you assign a role to a member, you grant that member all the permissions that the role contains.
This page describes the actions enabled by permissions that you might find listed in a Firebase-supported role. These permissions fall into two categories:
Required IAM permissions for all roles or for specific actions within Firebase
Required permissions
Firebase IAM includes permissions which are:
For a general list and description of permissions specific to a Firebase product or service, refer to the appropriate section within Firebase product-specific IAM permissions.
Required permissions included in all roles
The permissions listed in the following table are required to use any Firebase product or service.
These permissions are automatically included in each of the Firebase predefined roles.
| Permission | Description |
|---|---|
| firebaseanalytics.resources.googleAnalyticsReadAndAnalyze | Grants permission to view segments and data from Google Analytics |
| Grants permissions to retrieve Firebase project information | |
| Grants permissions to check for the state of Google APIs and to run Firebase CLI commands |
Required permissions for Firebase service-specific actions
The permissions listed in the following table are required to perform some Firebase service-specific actions.
When needed, these permissions are automatically included in each of the Firebase predefined roles.
| Action | Required permission |
|---|---|
| Subscribe to notification emails and in-console alerts from Firebase services | cloudnotifications.activities.list |
| Access Firebase project integrations with collaboration tools (including Slack, Jira, and PagerDuty) | firebaseextensions.configs.* |
| View usage and analytics from StackDriver | monitoring.timeSeries.list |
| Run
Firebase CLI
commands For more information, refer to the GCP documentation about Runtime Configurator Access. |
runtimeconfig.* |
Required permissions for Firebase management-specific actions
The permissions listed in the following table are additional permissions that are required to perform some Firebase management-specific actions.
| Management permission and associated actions | Required additional permission |
|---|---|
firebase.billingPlans.update | |
| Change the billing plan for a Firebase project | resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment |
firebase.clients.create | |
| Add Firebase apps to a Firebase project | clientauthconfig.clients.create clientauthconfig.clients.get clientauthconfig.clients.list serviceusage.apikeys.create serviceusage.apikeys.get serviceusage.apikeys.list serviceusage.apikeys.update serviceusage.services.enable |
firebase.clients.get | |
| Download the Firebase configuration file | clientauthconfig.clients.get clientauthconfig.clients.list |
firebase.projects.delete | |
| Delete a Firebase project | resourcemanager.projects.delete |
firebase.projects.update | |
| Change the name of a Firebase project | resourcemanager.projects.update |
| Add SHA certificate fingerprints for Android apps | clientauthconfig.clients.create |
| Remove SHA certificate fingerprints for Android apps | clientauthconfig.clients.delete |
| Update App Store ID or Team ID for iOS apps | clientauthconfig.clients.get clientauthconfig.clients.update |
Firebase product-specific IAM permissions
The following tables list the permissions that are specific to a Firebase product or service. You can use these permissions to create custom roles.
Firebase Management permissions
Note that some of the following management permissions require additional permissions for certain actions.
| Permission name | Description |
|---|---|
| firebase.billingPlans.get | Retrieve the current Firebase Billing Plan for a project |
| firebase.billingPlans.update | Change the current Firebase Billing Plan for a project |
| firebase.clients.create | Add new apps to a project |
| firebase.clients.delete | Delete existing apps from a project |
| firebase.clients.get | Retrieve a list of apps in a project |
| firebase.links.create | Create new links to Google systems
(Firebase console > Project Settings > Integrations) |
| firebase.links.delete | Delete links to Google systems
(Firebase console > Project Settings > Integrations) |
| firebase.links.list | Retrieve a list of links to Google systems
(Firebase console > Project Settings > Integrations) |
| firebase.links.update | Update existing links to Google systems
(Firebase console > Project Settings > Integrations) |
| firebase.projects.delete | Delete existing projects |
| firebase.projects.get | Retrieve details and Firebase resources for a project |
| firebase.projects.list | Retrieve a list of Firebase projects |
| firebase.projects.update | Modify the attributes of an existing project |
Firebase App Distribution permissions (beta)
| Permission name | Description |
|---|---|
| firebaseappdistro.releases.list | Retrieve a list of existing distributions and Invite Links |
| firebaseappdistro.releases.update | Create, delete, and modify distributions Create and delete Invite Links |
| firebaseappdistro.testers.list | Retrieve a list of existing testers in a project |
| firebaseappdistro.testers.update | Create and delete testers in a project |
| firebaseappdistro.groups.list | Retrieve a list of existing tester groups in a project |
| firebaseappdistro.groups.update | Create and delete tester groups in a project |
Google Analytics permissions
| Permission name | Description |
|---|---|
| firebaseanalytics.resources.googleAnalyticsEdit | Modify existing Analytics data, including audiences, user properties,
funnels, reporting parameters, conversions, and postbacks
For more information, see Analytics Help. |
| firebaseanalytics.resources.googleAnalyticsReadAndAnalyze | View existing Analytics data, including reports and configuration
data
Manipulate data within reports (for example, filters) For more information, see Analytics Help. |
Firebase Authentication permissions
| Permission name | Description |
|---|---|
| firebaseauth.configs.create | Create the Authentication configuration |
| firebaseauth.configs.get | Retrieve the Authentication configuration |
| firebaseauth.configs.getHashConfig | Get the password hash config and password hash of user accounts |
| firebaseauth.configs.update | Update the existing Authentication configuration |
| firebaseauth.users.create | Create new users in Authentication |
| firebaseauth.users.createSession | Create session cookie for a logged-in user |
| firebaseauth.users.delete | Delete existing users in Authentication |
| firebaseauth.users.get | Retrieve a list of existing Authentication users |
| firebaseauth.users.sendEmail | Send emails to the users |
| firebaseauth.users.update | Update existing users in Authentication |
Firebase A/B Testing permissions (beta)
| Permission name | Description |
|---|---|
| firebaseabt.experimentresults.get | Retrieve the results of an experiment |
| firebaseabt.experiments.create | Create new experiments |
| firebaseabt.experiments.delete | Delete existing experiments |
| firebaseabt.experiments.get | Retrieve details of an existing experiment |
| firebaseabt.experiments.list | Retrieve a list of existing experiments |
| firebaseabt.experiments.update | Update an existing experiment |
| firebaseabt.projectmetadata.get | Retrieve analytics metadata for setting up an experiment |
Cloud Firestore permissions
For a list and descriptions of Cloud Firestore permissions, refer to the GCP documentation.
Cloud Storage permissions
For a list and descriptions of Cloud Storage permissions, refer to the GCP documentation.
Firebase Security Rules (Cloud Firestore and Cloud Storage) permissions
| Permission name | Description |
|---|---|
| firebaserules.releases.create | Create releases |
| firebaserules.releases.delete | Delete releases |
| firebaserules.releases.get | Retrieve releases |
| firebaserules.releases.getExecutable | Retrieve the binary executable payloads for releases |
| firebaserules.releases.list | Retrieve a list of releases |
| firebaserules.releases.update | Update ruleset references for releases |
| firebaserules.rulesets.create | Create new rulesets |
| firebaserules.rulesets.delete | Delete existing ruleset |
| firebaserules.rulesets.get | Retrieve rulesets with source |
| firebaserules.rulesets.list | Find ruleset metadata (no source) |
| firebaserules.rulesets.test | Test sources for correctness |
Cloud Functions for Firebase permissions
For a list and descriptions of Cloud Functions permissions, refer to the GCP documentation.
Note that the deployment of functions requires a specific configuration of permissions that aren't included in the standard Firebase predefined roles. To deploy functions, use one of the following options:
Delegate the deployment of Cloud Functions to a project member assigned a primitive role of Owner or Editor.
Assign a member the Firebase Develop Admin predefined role (
roles/firebase.developAdmin) using the Firebase console. Then, using the GCP Console or GCloud, also assign the member a service account user role (for detailed steps and security implications for this role configuration, refer to the GCP documentation).
Firebase Cloud Messaging permissions
| Permission name | Description |
|---|---|
| cloudmessaging.messages.create | Send notifications and data messages through the FCM HTTP API and AdminSDK |
| firebasenotifications.messages.create | Create new messages in the Notifications composer |
| firebasenotifications.messages.delete | Delete existing messages in the Notifications composer |
| firebasenotifications.messages.get | Retrieve details of existing messages in the Notifications composer |
| firebasenotifications.messages.list | Retrieve a list of existing messages in the Notifications composer |
| firebasenotifications.messages.update | Update existing messages in the Notifications composer |
Firebase Crashlytics permissions
| Permission name | Description |
|---|---|
| firebasecrashlytics.config.get | Retrieve Crashlytics configuration settings |
| firebasecrashlytics.config.update | Update Crashlytics configuration settings |
| firebasecrashlytics.data.get | Retrieve metrics associated with Crashlytics issues and sessions |
| firebasecrashlytics.issues.get | Retrieve details about Crashlytics issues, including notes attached to issues |
| firebasecrashlytics.issues.list | Retrieve a list of Crashlytics issues |
| firebasecrashlytics.issues.update | Open, close, and mute existing Crashlytics issues Update notes attached to issues |
| firebasecrashlytics.sessions.get | Retrieve details about Crashlytics crash sessions |
| firebasecrashlytics.sessions.list | Retrieve a list of Crashlytics crash sessions |
| Permission name | Description |
|---|---|
| firebasecrash.issues.update | Update existing Crashlytics issues, create notes on issues, and set velocity alerts |
| firebasecrash.reports.get | Retrieve existing Crashlytics reports |
Firebase Dynamic Links permissions
| Permission name | Description |
|---|---|
| firebasedynamiclinks.domains.create | Create new Dynamic Links domains |
| firebasedynamiclinks.domains.delete | Delete existing Dynamic Links domains |
| firebasedynamiclinks.domains.get | Retrieve details of existing Dynamic Links domains |
| firebasedynamiclinks.domains.list | Retrieve a list of existing Dynamic Links domains |
| firebasedynamiclinks.domains.update | Update existing Dynamic Links domains |
| firebasedynamiclinks.links.create | Create new Dynamic Links |
| firebasedynamiclinks.links.get | Retrieve details of existing Dynamic Links |
| firebasedynamiclinks.links.list | Retrieve a list of existing Dynamic Links |
| firebasedynamiclinks.links.update | Update existing Dynamic Links |
| firebasedynamiclinks.stats.get | Retrieve Dynamic Links statistics |
| firebasedynamiclinks.destinations.list | Retrieve existing Dynamic Links destinations |
| firebasedynamiclinks.destinations.update | Update existing Dynamic Links destinations |
Firebase Hosting permissions
| Permission name | Description |
|---|---|
| firebasehosting.sites.create | Create new Hosting resources (domains, versions, releases) |
| firebasehosting.sites.delete | Delete existing Hosting resources (domains, versions) |
| firebasehosting.sites.get | Retrieve details of an existing Hosting resource (domains, versions, releases) |
| firebasehosting.sites.list | Retrieve a list of Hosting resources (domains, versions, releases) |
| firebasehosting.sites.update | Update existing Hosting resources (domains, versions, releases) |
Firebase In-App Messaging permissions (beta)
| Permission name | Description |
|---|---|
| firebaseinappmessaging.campaigns.create | Create new campaigns |
| firebaseinappmessaging.campaigns.delete | Delete existing campaigns |
| firebaseinappmessaging.campaigns.get | Retrieve details of existing campaigns |
| firebaseinappmessaging.campaigns.list | Retrieve a list of existing campaigns |
| firebaseinappmessaging.campaigns.update | Update existing campaigns |
ML Kit for Firebase permissions (beta)
| Permission name | Description |
|---|---|
| firebaseml.compressionjobs.create | Create new compression jobs |
| firebaseml.compressionjobs.delete | Delete existing compression jobs |
| firebaseml.compressionjobs.get | Retrieve details of existing compression jobs |
| firebaseml.compressionjobs.list | Retrieve a list of existing compression jobs |
| firebaseml.compressionjobs.start | Start compression jobs |
| firebaseml.compressionjobs.update | Update existing compression jobs |
| firebaseml.models.create | Create new ML models |
| firebaseml.models.delete | Delete existing ML models |
| firebaseml.models.get | Retrieve details of existing ML models |
| firebaseml.models.list | Retrieve a list of existing ML models |
| firebaseml.modelversions.create | Create new model versions |
| firebaseml.modelversions.get | Retrieve details of existing model versions |
| firebaseml.modelversions.list | Retrieve a list of existing model versions |
| firebaseml.modelversions.update | Update existing model versions |
Firebase Performance Monitoring permissions
| Permission name | Description |
|---|---|
| firebaseperformance.config.create | Create new issue threshold configurations |
| firebaseperformance.config.delete | Delete existing issue threshold configurations |
| firebaseperformance.config.update | Modify existing issue threshold configurations |
| firebaseperformance.data.get | View all performance data and issue threshold values |
Firebase Predictions permissions
| Permission name | Description |
|---|---|
| firebasepredictions.predictions.create | Create new predictions |
| firebasepredictions.predictions.delete | Delete existing predictions |
| firebasepredictions.predictions.list | Retrieve a list of existing predictions |
| firebasepredictions.predictions.update | Update existing predictions |
Firebase Realtime Database permissions
| Permission name | Description |
|---|---|
| firebasedatabase.instances.create | Create new database instances |
| firebasedatabase.instances.get | Read-only access to the data in the database |
| firebasedatabase.instances.list | Retrieve a list of existing database instances |
| firebasedatabase.instances.update | Update existing database instances
Enable and disable database instances Write access to the data in the database Retrieve and modify security rules for the database Retrieve and modify Cloud Functions triggers for the database |
Firebase Remote Config permissions
| Permission name | Description |
|---|---|
| cloudconfig.configs.get | Retrieve Remote Config data |
| cloudconfig.configs.update | Update Remote Config data |
Firebase Test Lab permissions
Test Lab requires access to Cloud Storage buckets, so it requires a specific configuration of permissions that aren't all included in the standard Firebase predefined roles. To grant access to Test Lab, use one of the following options:
For tests started from Firebase console
Test your app in a dedicated separate Firebase project.
Add members who need Test Lab access, then assign them legacy project roles using the Firebase console.
- To allow a member to run tests with Test Lab, assign project Editor or above.
- To allow a member to view test results in Test Lab, assign project Viewer or above.
For tests started from gcloud CLI or Testing API while using your own Cloud Storage bucket
Assign a pair of predefined roles (which together grant the required set of permissions) using the GCP console.*
To allow a member to run tests with Test Lab, assign both:
- Firebase Test Lab Admin (
roles/cloudtestservice.testAdmin) - Firebase Analytics Viewer (
roles/firebase.analyticsViewer)
- Firebase Test Lab Admin (
To allow a member to view test results in Test Lab, assign both:
- Firebase Test Lab Viewer (
roles/cloudtestservice.testViewer) - Firebase Analytics Viewer (
roles/firebase.analyticsViewer)
- Firebase Test Lab Viewer (
| Permission name | Description |
|---|---|
| cloudtestservice.environmentcatalog.get | Retrieve the catalog of supported test environments for a project |
| cloudtestservice.matrices.create | Request to run a matrix of tests according to the given specifications |
| cloudtestservice.matrices.get | Retrieve the status of a test matrix |
| cloudtestservice.matrices.update | Update an unfinished test matrix |
| cloudtoolresults.executions.list | Retrieve a list of Executions for a History |
| cloudtoolresults.executions.get | Retrieve an existing Execution |
| cloudtoolresults.executions.create | Create a new Execution |
| cloudtoolresults.executions.update | Update an existing Execution |
| cloudtoolresults.histories.list | Retrieve a list of Histories |
| cloudtoolresults.histories.get | Retrieve an existing History |
| cloudtoolresults.histories.create | Create a new History |
| cloudtoolresults.settings.create | Create new tool results settings |
| cloudtoolresults.settings.get | Retrieve existing tool results settings |
| cloudtoolresults.settings.update | Update tool results settings |
| cloudtoolresults.steps.list | Retrieve a list of Steps for an Execution |
| cloudtoolresults.steps.get | Retrieve an existing Step |
| cloudtoolresults.steps.create | Create a new Step |
| cloudtoolresults.steps.update | Update an existing Step |
Integrations with external services permissions
| Permission name | Description |
|---|---|
| firebaseextensions.configs.create | Create new extension configurations for external services
(Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.delete | Delete existing extension configurations for external services
(Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.list | Retrieve a list of extension configurations for external services
(Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.update | Update existing extension configurations for external services
(Firebase console > Project Settings > Integrations) |