Permissions are granted to your project members via roles. A role is a collection of permissions. When you assign a role to a project member, you grant that project member all the permissions that the role contains.
This page describes the actions enabled by permissions that you might find listed in a Firebase-supported role. These permissions fall into two categories:
Required Identity and Access Management (IAM) permissions for all roles or for specific actions within Firebase
Required permissions
Firebase IAM includes permissions which are:
For a general list and description of permissions specific to a Firebase product or service, refer to the appropriate section within Firebase product-specific IAM permissions.
Required permissions included in all roles
The permissions listed in the following table are required to use any Firebase product or service.
These permissions are automatically included in each of the Firebase predefined roles.
| Permission | Description |
|---|---|
| Grants permissions to retrieve Firebase project information | |
| Grants permissions to retrieve Firebase project information | |
| Grants permissions to check for the state of Google APIs and to run Firebase CLI commands |
Required permissions for Firebase service-specific actions
The permissions listed in the following table are required to perform some Firebase service-specific actions.
When needed, these permissions are automatically included in each of the Firebase predefined roles.
| Action | Required permission |
|---|---|
| Access Firebase project integrations with collaboration tools (including Slack, Jira, and PagerDuty) | firebaseextensions.configs.* |
| View usage and analytics from StackDriver | monitoring.timeSeries.list |
| Run
Firebase CLI
commands For more information, refer to the Google Cloud documentation about Runtime Configurator Access. |
runtimeconfig.* |
Required permissions for Firebase management-specific actions
The permissions listed in the following table are additional permissions that are required to perform some Firebase management-specific actions.
| Management permission and associated actions | Required additional permission |
|---|---|
firebase.billingPlans.update | |
| Change the billing plan for a Firebase project | resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment |
firebase.projects.delete | |
| Delete a Firebase project | resourcemanager.projects.delete |
firebase.projects.update | |
| Add Firebase resources to an existing Google Cloud project | resourcemanager.projects.get serviceusage.services.enable serviceusage.services.get |
| Change the name of a Firebase project | resourcemanager.projects.update |
| Add SHA certificate fingerprints for Android apps | clientauthconfig.clients.create |
| Remove SHA certificate fingerprints for Android apps | clientauthconfig.clients.delete |
| Update App Store ID or Team ID for Apple apps | clientauthconfig.clients.get clientauthconfig.clients.update |
Firebase product-specific IAM permissions
The following tables list the permissions that are specific to a Firebase product or service. You can use these permissions to create custom roles.
Firebase Management permissions
Note that some of the following management permissions require additional permissions for certain actions.
| Permission name | Description |
|---|---|
| firebase.billingPlans.get | Retrieve the current Firebase billing plan for a project |
| firebase.billingPlans.update | Change the current Firebase billing plan for a project |
| firebase.clients.create | Add new apps to a project |
| firebase.clients.delete | Delete existing apps from a project |
| firebase.clients.get | Retrieve details and configurations for apps in a project |
| firebase.clients.list | Retrieve a list of apps in a project |
| firebase.clients.undelete | Undelete a deleted app before its data is permanently deleted |
| firebase.clients.update | Update details and configurations for apps in a project |
| firebase.links.create | Create new links to Google systems
(Firebase console > Project Settings > Integrations) |
| firebase.links.delete | Delete links to Google systems
(Firebase console > Project Settings > Integrations) |
| firebase.links.list | Retrieve a list of links to Google systems
(Firebase console > Project Settings > Integrations) |
| firebase.links.update | Update existing links to Google systems
(Firebase console > Project Settings > Integrations) |
| firebase.playLinks.get | Retrieve details about a link to Google Play
(Firebase console > Project Settings > Integrations > Google Play) |
| firebase.playLinks.list | Retrieve a list of links to Google Play
(Firebase console > Project Settings > Integrations > Google Play) |
| firebase.playLinks.update | Create new links and update existing links to Google Play
(Firebase console > Project Settings > Integrations > Google Play) |
| firebase.projects.delete | Delete existing projects |
| firebase.projects.get | Retrieve details and Firebase resources for a project |
| firebase.projects.update | Modify the attributes of an existing project Receive alerts for applicable Firebase products and features (learn more) |
| firebaseinstallations.instances.delete | Delete a Firebase installation ID and the data tied to that installation (learn more) |
Google Analytics permissions
The following permissions grant access to the Analytics property linked to the Firebase project. They allow Firebase project members to access Analytics data, including audiences, user properties, funnels, reports, conversions, etc.
| Permission name | Description |
|---|---|
| firebaseanalytics.resources.googleAnalyticsEdit | By default, grants the Analytics Editor role to the linked Analytics property |
| firebaseanalytics.resources.googleAnalyticsAdditionalAccess | By default, grants the Analytics Marketer role to the linked Analytics property |
| firebaseanalytics.resources.googleAnalyticsReadAndAnalyze | By default, grants the Analytics Viewer role to the linked Analytics property |
| firebaseanalytics.resources.googleAnalyticsRestrictedAccess | By default, grants the Analytics Viewer role to the linked Analytics property with no access to revenue data and cost data |
Firebase App Check permissions
| Permission name | Description |
|---|---|
| firebaseappcheck.appAttestConfig.get | Retrieve the App Attest configuration of an app |
| firebaseappcheck.appAttestConfig.update | Update the App Attest configuration of an app |
| firebaseappcheck.appCheckTokens.verify | Verify App Check tokens issued for a Firebase project |
| firebaseappcheck.debugTokens.get | Retrieve debug tokens of an app |
| firebaseappcheck.debugTokens.update | Create, update, or delete debug tokens of an app |
| firebaseappcheck.deviceCheckConfig.get | Retrieve the DeviceCheck configuration of an app |
| firebaseappcheck.deviceCheckConfig.update | Update the DeviceCheck configuration of an app |
| firebaseappcheck.playIntegrityConfig.get | Retrieve the Play Integrity configuration of an app |
| firebaseappcheck.playIntegrityConfig.update | Update the Play Integrity configuration of an app |
| firebaseappcheck.recaptchaEnterpriseConfig.get | Retrieve the reCAPTCHA Enterprise configuration of an app |
| firebaseappcheck.recaptchaEnterpriseConfig.update | Update the reCAPTCHA Enterprise configuration of an app |
| firebaseappcheck.recaptchaV3Config.get | Retrieve the reCAPTCHA v3 configuration of an app |
| firebaseappcheck.recaptchaV3Config.update | Update the reCAPTCHA v3 configuration of an app |
| firebaseappcheck.safetyNetConfig.get | Retrieve the SafetyNet configuration of an app |
| firebaseappcheck.safetyNetConfig.update | Update the SafetyNet configuration of an app |
| firebaseappcheck.services.get | Retrieve service enforcement configurations of a project |
| firebaseappcheck.services.update | Update service enforcement configurations of a project |
Firebase App Distribution permissions
| Permission name | Description |
|---|---|
| firebaseappdistro.releases.list | Retrieve a list of existing distributions and Invite Links |
| firebaseappdistro.releases.update | Create, delete, and modify distributions Create and delete Invite Links |
| firebaseappdistro.testers.list | Retrieve a list of existing testers in a project |
| firebaseappdistro.testers.update | Create and delete testers in a project |
| firebaseappdistro.groups.list | Retrieve a list of existing tester groups in a project |
| firebaseappdistro.groups.update | Create and delete tester groups in a project |
Firebase Authentication permissions
| Permission name | Description |
|---|---|
| firebaseauth.configs.create | Create the Authentication configuration |
| firebaseauth.configs.get | Retrieve the Authentication configuration |
| firebaseauth.configs.getHashConfig | Get the password hash config and password hash of user accounts |
| firebaseauth.configs.getSecret | Get the client secret in the Authentication configuration |
| firebaseauth.configs.update | Update the existing Authentication configuration |
| firebaseauth.users.create | Create new users in Authentication |
| firebaseauth.users.createSession | Create session cookie for a logged-in user |
| firebaseauth.users.delete | Delete existing users in Authentication |
| firebaseauth.users.get | Retrieve a list of existing Authentication users |
| firebaseauth.users.sendEmail | Send emails to the users |
| firebaseauth.users.update | Update existing users in Authentication |
Firebase A/B Testing permissions (beta)
| Permission name | Description |
|---|---|
| firebaseabt.experimentresults.get | Retrieve the results of an experiment |
| firebaseabt.experiments.create | Create new experiments |
| firebaseabt.experiments.delete | Delete existing experiments |
| firebaseabt.experiments.get | Retrieve details of an existing experiment |
| firebaseabt.experiments.list | Retrieve a list of existing experiments |
| firebaseabt.experiments.update | Update an existing experiment |
| firebaseabt.projectmetadata.get | Retrieve analytics metadata for setting up an experiment |
Firebase App Hosting permissions (beta)
| Permission name | Description |
|---|---|
| firebaseapphosting.backends.create | Create a new App Hosting backend for a Firebase project. |
| firebaseapphosting.backends.delete | Delete an existing App Hosting backend from a Firebase project. |
| firebaseapphosting.backends.get | Retrieve information about a specific App Hosting backend in a Firebase project. |
| firebaseapphosting.backends.list | List all available App Hosting backends in a Firebase project. |
| firebaseapphosting.backends.update | Modify the configuration or settings of an existing App Hosting backend. |
| firebaseapphosting.builds.create | Initiate a new build process for an App Hosting backend in a Firebase project. |
| firebaseapphosting.builds.delete | Delete existing builds in an App Hosting backend. |
| firebaseapphosting.builds.get | Retrieve details of an existing build in an App Hosting backend. |
| firebaseapphosting.builds.list | List all builds associated with an App Hosting backend in a Firebase project. |
| firebaseapphosting.builds.update | Modify the configuration of an existing non-finalized App Hosting build. |
| firebaseapphosting.domains.create | Create a new domain association for an App Hosting backend in a Firebase project. |
| firebaseapphosting.domains.delete | Remove a domain association from an App Hosting backend. |
| firebaseapphosting.domains.get | Retrieve information about a specific domain associated with an App Hosting site. |
| firebaseapphosting.domains.list | List all domains associated with App Hosting. |
| firebaseapphosting.domains.update | Modify settings or configurations for a domain linked to an App Hosting backend. |
| firebaseapphosting.rollouts.create | Initiate a new rollout to promote a existing build to the currently serving version for that App Hosting backend. |
| firebaseapphosting.rollouts.get | Retrieve information about a specific App Hosting rollout. |
| firebaseapphosting.rollouts.list | List all rollouts associated with an App Hosting backend. |
| firebaseapphosting.traffic.get | Retrieve the current traffic split and rollout policy for an App Hosting site. |
| firebaseapphosting.traffic.list | Identical in function to `firebaseapphosting.traffic.get`, with added capability to retrieve a list across backends for which you have this permission. |
| firebaseapphosting.traffic.update | Modify the current traffic split and rollout policy for an App Hosting backend. |
Cloud Firestore permissions
For a list and descriptions of Cloud Firestore permissions, refer to the Google Cloud documentation.
Cloud Storage permissions
For a list and descriptions of Cloud Storage permissions, refer to the Google Cloud documentation.
Firebase Security Rules (Cloud Firestore and Cloud Storage) permissions
| Permission name | Description |
|---|---|
| firebaserules.releases.create | Create releases |
| firebaserules.releases.delete | Delete releases |
| firebaserules.releases.get | Retrieve releases |
| firebaserules.releases.getExecutable | Retrieve the binary executable payloads for releases |
| firebaserules.releases.list | Retrieve a list of releases |
| firebaserules.releases.update | Update ruleset references for releases |
| firebaserules.rulesets.create | Create new rulesets |
| firebaserules.rulesets.delete | Delete existing ruleset |
| firebaserules.rulesets.get | Retrieve rulesets with source |
| firebaserules.rulesets.list | Find ruleset metadata (no source) |
| firebaserules.rulesets.test | Test sources for correctness |
Cloud Functions for Firebase permissions
For a list and descriptions of Cloud Functions permissions, refer to the IAM documentation.
Be aware that the deployment of functions requires a specific configuration of permissions that aren't included in the standard Firebase predefined roles. To deploy functions, use one of the following options:
Delegate the deployment of functions to a project Owner.
If you're deploying only non-HTTP functions, then a project Editor can deploy your functions.
Delegate deployment of functions to a project member who has the following two roles:
- Cloud Functions Admin role (
roles/cloudfunctions.admin) - Service Account User role (
roles/iam.serviceAccountUser)
A project Owner can assign these roles to a project member using the Google Cloud console or gcloud CLI. For detailed steps and security implications for this role configuration, refer to the IAM documentation.
- Cloud Functions Admin role (
Firebase messaging campaigns permissions
These permissions apply to campaigns for Firebase Cloud Messaging and Firebase In-App Messaging.
| Permission name | Description |
|---|---|
| firebasemessagingcampaigns.campaigns.create | Create new campaigns |
| firebasemessagingcampaigns.campaigns.delete | Delete existing campaigns |
| firebasemessagingcampaigns.campaigns.get | Retrieve details of existing campaigns |
| firebasemessagingcampaigns.campaigns.list | Retrieve a list of existing campaigns |
| firebasemessagingcampaigns.campaigns.update | Update existing campaigns |
| firebasemessagingcampaigns.campaigns.start | Start existing campaigns |
| firebasemessagingcampaigns.campaigns.stop | Update existing campaigns |
Firebase Cloud Messaging permissions
| Permission name | Description |
|---|---|
| cloudmessaging.messages.create | Send notifications and data messages through the FCM HTTP API and Admin SDK |
| Permission name | Description |
|---|---|
| firebasenotifications.messages.create | Create new messages in the Notifications composer |
| firebasenotifications.messages.delete | Delete existing messages in the Notifications composer |
| firebasenotifications.messages.get | Retrieve details of existing messages in the Notifications composer |
| firebasenotifications.messages.list | Retrieve a list of existing messages in the Notifications composer |
| firebasenotifications.messages.update | Update existing messages in the Notifications composer |
Firebase Crashlytics permissions
| Permission name | Description |
|---|---|
| firebasecrashlytics.config.get | Retrieve Crashlytics configuration settings |
| firebasecrashlytics.config.update | Update Crashlytics configuration settings |
| firebasecrashlytics.data.get | Retrieve metrics associated with Crashlytics issues and sessions |
| firebasecrashlytics.issues.get | Retrieve details about Crashlytics issues, including notes attached to issues |
| firebasecrashlytics.issues.list | Retrieve a list of Crashlytics issues |
| firebasecrashlytics.issues.update | Open, close, and mute existing Crashlytics issues Update notes attached to issues |
| firebasecrashlytics.sessions.get | Retrieve details about Crashlytics crash sessions |
| Permission name | Description |
|---|---|
| firebasecrash.issues.update | Update existing Crashlytics issues, create notes on issues, and set velocity alerts |
| firebasecrash.reports.get | Retrieve existing Crashlytics reports |
Firebase Dynamic Links permissions
| Permission name | Description |
|---|---|
| firebasedynamiclinks.domains.create | Create new Dynamic Links domains |
| firebasedynamiclinks.domains.delete | Delete existing Dynamic Links domains |
| firebasedynamiclinks.domains.get | Retrieve details of existing Dynamic Links domains |
| firebasedynamiclinks.domains.list | Retrieve a list of existing Dynamic Links domains |
| firebasedynamiclinks.domains.update | Update existing Dynamic Links domains |
| firebasedynamiclinks.links.create | Create new Dynamic Links |
| firebasedynamiclinks.links.get | Retrieve details of existing Dynamic Links |
| firebasedynamiclinks.links.list | Retrieve a list of existing Dynamic Links |
| firebasedynamiclinks.links.update | Update existing Dynamic Links |
| firebasedynamiclinks.stats.get | Retrieve Dynamic Links statistics |
| firebasedynamiclinks.destinations.list | Retrieve existing Dynamic Links destinations |
| firebasedynamiclinks.destinations.update | Update existing Dynamic Links destinations |
Firebase Extensions publishing permissions
| Permission name | Description |
|---|---|
| firebaseextensionspublisher.extensions.create | Upload new versions of an extension |
| firebaseextensionspublisher.extensions.delete | Delete or deprecate versions of an extension |
| firebaseextensionspublisher.extensions.get | Retrieve details about an extension version |
| firebaseextensionspublisher.extensions.list | List all extension versions uploaded by this publisher project |
Firebase Hosting permissions
| Permission name | Description |
|---|---|
| firebasehosting.sites.create | Create new Hosting resources for a Firebase project |
| firebasehosting.sites.delete | Delete existing Hosting resources for a Firebase project |
| firebasehosting.sites.get | Retrieve details of an existing Hosting resources for a Firebase project |
| firebasehosting.sites.list | Retrieve a list of Hosting resources for a Firebase project |
| firebasehosting.sites.update | Update existing Hosting resources for a Firebase project |
Firebase In-App Messaging permissions (beta)
| Permission name | Description |
|---|---|
| firebaseinappmessaging.campaigns.create | Create new campaigns |
| firebaseinappmessaging.campaigns.delete | Delete existing campaigns |
| firebaseinappmessaging.campaigns.get | Retrieve details of existing campaigns |
| firebaseinappmessaging.campaigns.list | Retrieve a list of existing campaigns |
| firebaseinappmessaging.campaigns.update | Update existing campaigns |
Firebase ML permissions (beta)
| Permission name | Description |
|---|---|
| firebaseml.models.create | Create new ML models |
| firebaseml.models.update | Update existing ML models |
| firebaseml.models.delete | Delete existing ML models |
| firebaseml.models.get | Retrieve details of existing ML models |
| firebaseml.models.list | Retrieve a list of existing ML models |
| firebaseml.modelversions.create | Create new model versions |
| firebaseml.modelversions.get | Retrieve details of existing model versions |
| firebaseml.modelversions.list | Retrieve a list of existing model versions |
| firebaseml.modelversions.update | Update existing model versions |
Firebase Performance Monitoring permissions
| Permission name | Description |
|---|---|
| firebaseperformance.config.create | Create new issue threshold configurations |
| firebaseperformance.config.delete | Delete existing issue threshold configurations |
| firebaseperformance.config.update | Modify alert and existing issue threshold configurations |
| firebaseperformance.data.get | View all performance data and issue threshold values |
Firebase Realtime Database permissions
| Permission name | Description |
|---|---|
| firebasedatabase.instances.create | Create new database instances |
| firebasedatabase.instances.get | Retrieve the metadata of existing database instances
Read-only access to the data in an existing database instance |
| firebasedatabase.instances.list | Retrieve a list of existing database instances |
| firebasedatabase.instances.update | Full read and write access to the data in existing database instances
Enable and disable database instances Retrieve and modify security rules for existing database instances |
| firebasedatabase.instances.disable | Disable active database instances
Existing data is kept but is not accessible for reads/writes. |
| firebasedatabase.instances.reenable | Re-enable disabled database instances
Existing data is again accessible for reads/writes. |
| firebasedatabase.instances.delete | Delete disabled database instances
Deleted database names cannot be reused. The data in a deleted database instance is permanently deleted after 20 days. |
| firebasedatabase.instances.undelete | Undelete a deleted database instance before its data is permanently
deleted
The data in a deleted database instance is permanently deleted 20 days after the instance is deleted. |
Firebase Remote Config permissions
| Permission name | Description |
|---|---|
| cloudconfig.configs.get | Retrieve Remote Config data |
| cloudconfig.configs.update | Update Remote Config data |
Firebase Test Lab permissions
Test Lab requires access to Cloud Storage buckets, so it requires a specific configuration of permissions that aren't all included in the standard Firebase predefined roles. To grant access to Test Lab, use one of the following options:
For tests started from Firebase console
Test your app in a dedicated separate Firebase project.
Add members who need Test Lab access, then assign them legacy project roles using the Firebase console.
- To allow a member to run tests with Test Lab, assign project Editor or above.
- To allow a member to view test results in Test Lab, assign project Viewer or above.
For tests started from the gcloud CLI, the Testing API, or Gradle Managed Devices while using your own Cloud Storage bucket
Assign a pair of predefined roles (which together grant the required set of permissions) using the Google Cloud console.
To allow a member to run tests with Test Lab, assign both:
- Firebase Test Lab Admin (
roles/cloudtestservice.testAdmin) - Firebase Analytics Viewer (
roles/firebase.analyticsViewer)
- Firebase Test Lab Admin (
To allow a member to view test results in Test Lab, assign both:
- Firebase Test Lab Viewer (
roles/cloudtestservice.testViewer) - Firebase Analytics Viewer (
roles/firebase.analyticsViewer)
- Firebase Test Lab Viewer (
| Permission name | Description |
|---|---|
| cloudtestservice.environmentcatalog.get | Retrieve the catalog of supported test environments for a project |
| cloudtestservice.matrices.create | Request to run a matrix of tests according to the given specifications |
| cloudtestservice.matrices.get | Retrieve the status of a test matrix |
| cloudtestservice.matrices.update | Update an unfinished test matrix |
| cloudtoolresults.executions.list | Retrieve a list of Executions for a History |
| cloudtoolresults.executions.get | Retrieve an existing Execution |
| cloudtoolresults.executions.create | Create a new Execution |
| cloudtoolresults.executions.update | Update an existing Execution |
| cloudtoolresults.histories.list | Retrieve a list of Histories |
| cloudtoolresults.histories.get | Retrieve an existing History |
| cloudtoolresults.histories.create | Create a new History |
| cloudtoolresults.settings.create | Create new tool results settings |
| cloudtoolresults.settings.get | Retrieve existing tool results settings |
| cloudtoolresults.settings.update | Update tool results settings |
| cloudtoolresults.steps.list | Retrieve a list of Steps for an Execution |
| cloudtoolresults.steps.get | Retrieve an existing Step |
| cloudtoolresults.steps.create | Create a new Step |
| cloudtoolresults.steps.update | Update an existing Step |
Integrations with external services permissions
| Permission name | Description |
|---|---|
| firebaseextensions.configs.create | Create new extension configurations for external services
(Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.delete | Delete existing extension configurations for external services
(Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.list | Retrieve a list of extension configurations for external services
(Firebase console > Project Settings > Integrations) |
| firebaseextensions.configs.update | Update existing extension configurations for external services
(Firebase console > Project Settings > Integrations) |