Firebase product-level predefined roles

These roles grant full read/write or read-only access to specific Firebase products.

Assign these roles to project members using the Google Cloud console.

Firebase App Check roles

Role Description Permissions
Firebase App Check Admin
roles/firebaseappcheck.admin
Full read/write access to
App Check resources
firebaseappcheck.appAttestConfig.get
firebaseappcheck.appAttestConfig.update
firebaseappcheck.appCheckTokens.verify
firebaseappcheck.debugTokens.get
firebaseappcheck.debugTokens.update
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.deviceCheckConfig.update
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.playIntegrityConfig.update
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.update
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.recaptchaV3Config.update
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.safetyNetConfig.update
firebaseappcheck.services.get
firebaseappcheck.services.update
Firebase App Check Viewer
roles/firebaseappcheck.viewer
Read-only access to
App Check resources
firebaseappcheck.appAttestConfig.get
firebaseappcheck.debugTokens.get
firebaseappcheck.deviceCheckConfig.get
firebaseappcheck.playIntegrityConfig.get
firebaseappcheck.recaptchaEnterpriseConfig.get
firebaseappcheck.recaptchaV3Config.get
firebaseappcheck.safetyNetConfig.get
firebaseappcheck.services.get
Firebase App Check Token Verifier
roles/firebaseappcheck.tokenVerifier
Access to token verification capabilities for App Check
firebaseappcheck.appCheckTokens.verify

Firebase App Distribution roles

Role Description Permissions
Firebase App Distribution Admin
roles/firebaseappdistro.admin
Full read/write access to
App Distribution resources
firebaseappdistro.releases.list
firebaseappdistro.releases.update
firebaseappdistro.testers.list
firebaseappdistro.testers.update
firebaseappdistro.groups.list
firebaseappdistro.groups.update
Firebase App Distribution Viewer
roles/firebaseappdistro.viewer
Read-only access to
App Distribution resources
firebaseappdistro.releases.list
firebaseappdistro.testers.list
firebaseappdistro.groups.list

Firebase App Hosting roles

Role Description Permissions
Firebase App Hosting Compute Runner
roles/firebaseapphosting.computeRunner
Minimal access required to build and run App Hosting backends. Typically granted to service accounts.
Firebase App Hosting Admin
roles/firebaseapphosting.admin
Full read/write access to
App Hosting resources
firebaseapphosting.backends.create
firebaseapphosting.backends.delete
firebaseapphosting.backends.get
firebaseapphosting.backends.list
firebaseapphosting.backends.update
firebaseapphosting.builds.create
firebaseapphosting.builds.delete
firebaseapphosting.builds.get
firebaseapphosting.builds.list
firebaseapphosting.builds.update
firebaseapphosting.domains.create
firebaseapphosting.domains.delete
firebaseapphosting.domains.get
firebaseapphosting.domains.list
firebaseapphosting.domains.update
firebaseapphosting.locations.get
firebaseapphosting.locations.list
firebaseapphosting.operations.cancel
firebaseapphosting.operations.delete
firebaseapphosting.operations.get
firebaseapphosting.operations.list
firebaseapphosting.rollouts.create
firebaseapphosting.rollouts.delete
firebaseapphosting.rollouts.get
firebaseapphosting.rollouts.list
firebaseapphosting.rollouts.update
firebaseapphosting.traffic.get
firebaseapphosting.traffic.list
firebaseapphosting.traffic.update
Firebase App Hosting Viewer
roles/firebaseapphosting.viewer
Read-only access to
App Hosting resources
firebaseapphosting.backends.get
firebaseapphosting.backends.list
firebaseapphosting.builds.get
firebaseapphosting.builds.list
firebaseapphosting.domains.get
firebaseapphosting.domains.list
firebaseapphosting.locations.get
firebaseapphosting.locations.list
firebaseapphosting.operations.list
firebaseapphosting.operations.get
firebaseapphosting.rollouts.get
firebaseapphosting.rollouts.list
firebaseapphosting.traffic.get
firebaseapphosting.traffic.list
Firebase App Hosting Developer
roles/firebaseapphosting.developer
Full read/write access to
App Hosting backends, builds, and releases resources.
firebaseapphosting.backends.update
firebaseapphosting.builds.create
firebaseapphosting.builds.delete
firebaseapphosting.builds.update
firebaseapphosting.operations.delete
firebaseapphosting.operations.cancel
firebaseapphosting.rollouts.create
firebaseapphosting.rollouts.delete
firebaseapphosting.rollouts.update
firebaseapphosting.traffic.update

Firebase Authentication roles

Role Description Permissions
Firebase Authentication Admin
roles/firebaseauth.admin
Full read/write access to
Authentication resources
firebaseauth.configs.create
firebaseauth.configs.get
firebaseauth.configs.getHashConfig
firebaseauth.configs.getSecret
firebaseauth.configs.update
firebaseauth.users.create
firebaseauth.users.createSession
firebaseauth.users.delete
firebaseauth.users.get
firebaseauth.users.sendEmail
firebaseauth.users.update
Firebase Authentication Viewer
roles/firebaseauth.viewer
Read-only access to
Authentication resources
firebaseauth.configs.get
firebaseauth.users.get

Firebase A/B Testing roles (beta)

Role Description Permissions
Firebase A/B Testing Admin
roles/firebaseabt.admin
(beta)
Full read/write access to
A/B Testing resources
firebaseabt.experimentresults.get
firebaseabt.experiments.create
firebaseabt.experiments.delete
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.experiments.update
firebaseabt.projectmetadata.get
Firebase A/B Testing Viewer
roles/firebaseabt.viewer
(beta)
Read-only access to
A/B Testing resources
firebaseabt.experimentresults.get
firebaseabt.experiments.get
firebaseabt.experiments.list
firebaseabt.projectmetadata.get

Cloud Firestore roles

Find available Cloud Firestore roles in the Google Cloud documentation.

To allow a project member to edit and publish security rules in the Firebase console or to deploy security rules via the Firebase CLI, you can create then assign them a custom role that includes the firebaserules.* permissions.

Cloud Storage roles

Find available Cloud Storage roles in the Google Cloud documentation.

To allow a project member to edit and publish security rules in the Firebase console or to deploy security rules via the Firebase CLI, you can create then assign them a custom role that includes the firebaserules.* permissions.

Cloud Functions for Firebase roles

Find available Cloud Functions for Firebase roles in the Google Cloud documentation.

Firebase messaging campaigns roles

These roles apply to campaigns for Firebase Cloud Messaging and Firebase In-App Messaging.

Role Description Permissions
Firebase messaging campaigns Admin
roles/firebasemessagingcampaigns.admin
Full read/write access to
campaigns resources for Cloud Messaging and In-App Messaging
firebasemessagingcampaigns.campaigns.create
firebasemessagingcampaigns.campaigns.delete
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list
firebasemessagingcampaigns.campaigns.update
firebasemessagingcampaigns.campaigns.start
firebasemessagingcampaigns.campaigns.stop
Firebase messaging campaigns Viewer
roles/firebasemessagingcampaigns.viewer
Read-only access to
campaigns resources for Cloud Messaging and In-App Messaging
firebasemessagingcampaigns.campaigns.get
firebasemessagingcampaigns.campaigns.list

Firebase Cloud Messaging roles

Role Description Permissions
Firebase Cloud Messaging Admin
roles/firebasenotifications.admin
Full read/write access to
Cloud Messaging resources
firebasenotifications.messages.create
firebasenotifications.messages.delete
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasenotifications.messages.update
Firebase Cloud Messaging Viewer
roles/firebasenotifications.viewer
Read-only access to
Cloud Messaging resources
firebasenotifications.messages.get
firebasenotifications.messages.list

Firebase Crashlytics roles

Role Description Permissions
Firebase Crashlytics Admin
roles/firebasecrashlytics.admin
Full read/write access to
Crashlytics resources
firebasecrashlytics.config.get
firebasecrashlytics.config.update
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.issues.update
firebasecrashlytics.sessions.get
Firebase Crashlytics Viewer
roles/firebasecrashlytics.viewer
Read-only access to
Crashlytics resources
firebasecrashlytics.config.get
firebasecrashlytics.data.get
firebasecrashlytics.issues.get
firebasecrashlytics.issues.list
firebasecrashlytics.sessions.get
Role Description Permissions
Firebase Dynamic Links Admin
roles/firebasedynamiclinks.admin
Full read/write access to
Dynamic Links resources
firebasedynamiclinks.destinations.list
firebasedynamiclinks.destinations.update
firebasedynamiclinks.domains.create
firebasedynamiclinks.domains.delete
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.domains.update
firebasedynamiclinks.links.create
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.links.update
firebasedynamiclinks.stats.get
Firebase Dynamic Links Viewer
roles/firebasedynamiclinks.viewer
Read-only access to
Dynamic Links resources
firebasedynamiclinks.destinations.list
firebasedynamiclinks.domains.get
firebasedynamiclinks.domains.list
firebasedynamiclinks.links.get
firebasedynamiclinks.links.list
firebasedynamiclinks.stats.get

Firebase Extensions publisher roles

Role Description Permissions
Firebase Extensions Publisher - Extensions Admin
roles/firebaseextensionspublisher.extensionsAdmin
(beta)
Upload, publish, and view details and metrics for
Firebase Extensions
firebaseextensionspublisher.extensions.create
firebaseextensionspublisher.extensions.delete
firebaseextensionspublisher.extensions.get
firebaseextensionspublisher.extensions.list
Firebase Extensions Publisher - Extensions Viewer
roles/firebaseextensionspublisher.extensionsViewer
(beta)
View details and metrics for
Firebase Extensions uploaded by this publisher
firebaseextensionspublisher.extensions.get
firebaseextensionspublisher.extensions.list

Firebase Hosting roles

Role Description Permissions
Firebase Hosting Admin
roles/firebasehosting.admin
Full read/write access to
Hosting resources
firebasehosting.sites.create
firebasehosting.sites.delete
firebasehosting.sites.get
firebasehosting.sites.list
firebasehosting.sites.update
Firebase Hosting Viewer
roles/firebasehosting.viewer
Read-only access to
Hosting resources
firebasehosting.sites.get
firebasehosting.sites.list

Firebase In-App Messaging roles (beta)

Role Description Permissions
Firebase In-App Messaging Admin
roles/firebaseinappmessaging.admin
(beta)
Full read/write access to
In-App Messaging resources
firebaseinappmessaging.campaigns.create
firebaseinappmessaging.campaigns.delete
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list
firebaseinappmessaging.campaigns.update
Firebase In-App Messaging Viewer
roles/firebaseinappmessaging.viewer
(beta)
Read-only access to
In-App Messaging resources
firebaseinappmessaging.campaigns.get
firebaseinappmessaging.campaigns.list

Firebase ML roles (beta)

Role Description Permissions
Firebase ML Admin
roles/firebaseml.admin
(beta)
Full read/write access to
Firebase ML resources
firebaseml.models.create
firebaseml.models.get
firebaseml.models.list
firebaseml.models.update
firebaseml.models.delete
firebaseml.modelversions.create
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaseml.modelversions.update
firebaseml.modelversions.delete
firebaseml.compressionjobs.create
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list
firebaseml.compressionjobs.update
firebaseml.compressionjobs.delete
firebaseml.compressionjobs.start
Firebase ML Viewer
roles/firebaseml.viewer
(beta)
Read-only access to
Firebase ML resources
firebaseml.models.get
firebaseml.models.list
firebaseml.modelversions.get
firebaseml.modelversions.list
firebaseml.compressionjobs.get
firebaseml.compressionjobs.list

Firebase Performance Monitoring roles

Role Description Permissions
Firebase Performance Monitoring Admin
roles/firebaseperformance.admin
Full read/write access to
Performance Monitoring resources

Configure and receive Performance Monitoring alerts
firebaseperformance.config.create
firebaseperformance.config.delete
firebaseperformance.config.update
firebaseperformance.data.get
Firebase Performance Monitoring Viewer
roles/firebaseperformance.viewer
Read-only access to
Performance Monitoring resources
firebaseperformance.data.get

Firebase Realtime Database roles

Role Description Permissions
Firebase Realtime Database Admin
roles/firebasedatabase.admin
Full read/write access to
Realtime Database resources
firebasedatabase.instances.create
firebasedatabase.instances.get
firebasedatabase.instances.list
firebasedatabase.instances.update
Firebase Realtime Database Viewer
roles/firebasedatabase.viewer
Read-only access to
Realtime Database resources
firebasedatabase.instances.get
firebasedatabase.instances.list

Firebase Remote Config roles

Role Description Permissions
Firebase Remote Config Admin
roles/cloudconfig.admin
Full read/write access to
Remote Config resources
cloudconfig.configs.get cloudconfig.configs.update
Firebase Remote Config Viewer
roles/cloudconfig.viewer
Read-only access to
Remote Config resources
cloudconfig.configs.get

Firebase Test Lab roles

Firebase Test Lab requires access to Cloud Storage buckets, so it requires a very specific set of permissions that aren't all included in the standard Firebase predefined roles. To grant access to Test Lab, use one of the solutions described in the Firebase Test Lab permissions section.

Developer documentation for Firebase

Updated Feb 20, 2025

Developer documentation for Firebase

Updated Feb 20, 2025

Developer documentation for Firebase

Updated Feb 20, 2025