Manage project access with Firebase IAM

Google Cloud Platform (GCP) offers Identity and Access Management (IAM), which lets you grant granular access to specific GCP resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

For a detailed description of GCP IAM, read the IAM documentation.

Overview of Firebase IAM

Firebase offers additional IAM options that are specific for Firebase projects and your members.

When an authenticated member requests an action in Firebase, IAM makes an authorization decision about whether the member has permission to perform the requested operation on the resource. Whether the member is allowed to perform the request depends on the member's assigned role. Each role is a collection of permissions, and when you assign a role to a member, you are granting that member all the permissions for that role.

Members

Using Firebase IAM, you assign roles (and their inherent permissions) to your members. Members can be of the following types:

Google account
Service account
Google group

Roles

A role is a collection of permissions.

You do not assign a specific permission to a member directly; instead you assign a role to the member. When you assign a role to a member, you grant that member all the permissions that the role contains.

Firebase IAM supports the following types of roles:

Primitive roles: Fundamental Owner, Editor, and Viewer roles.
Predefined roles: Curated Firebase-specific roles that enable more granular access control than the primitive roles.
- Firebase offers a core set of predefined roles that are structured around Google Analytics for Firebase and the Firebase Develop, Quality, and Grow products.
- Firebase also offers more generalized Firebase predefined roles which grant full or read-only access to all Firebase services.
Custom roles: Fully customized roles that you create to tailor a set of permissions that meet the specific requirements of your organization.

Role change latency

If you change a member's role assignment, it might take up to 5 minutes for the change to take effect.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

上次更新日期：十二月 17, 2018