4

I am trying to give permissions to a third party to make deployments to Firebase Hosting on a project I have set up. I explored the IAM permissions available in the GCP console, and the only half-related role seems to be the Firebase Rules System, however that didn't allow the user to deploy to hosting. While Project Editor would probably work, I don't want to give them that much authority, as they could launch other Firebase products at my expense.

What IAM roles should I add to allow a user to deploy to Firebase Hosting?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Chris
  • 2,174
  • 28
  • 37

1 Answers1

4

Update (2018-11-12): Firebase seems to have added more granular permission settings with their October 28, 2018 release:

The Firebase console now offers predefined Firebase roles. These new roles enable more granular access than the primitive Owner/Editor/Viewer roles. To edit member access for your project, visit the Firebase console Users and permissions page. For more information on roles, see Manage project access with Firebase IAM.

Digging deeper, I found these IAM entries related to hosting: https://firebase.google.com/docs/projects/iam/permissions#hosting

Original answer:

I asked Firebase support and the following was their reply:

To be able to deploy hosting app your developer must be either an Owner or Editor. So in your case, lowest privilege that you can give is Editor because currently role-based access restriction for Static Hosting is unavailable. We're aware that many developers, such as yourself, would like more extensive and granular control for permissions. We're exploring potential solutions, but I can't share any details or timelines at this time.

Keep an eye out on our release notes for any further updates.

Chris
  • 2,174
  • 28
  • 37
  • Would you please give an update on this question if this changes? In my opinion it would also be great to have a dedicated role for deployments, as we are having the same situation where a 3rd party should be able to deploy an app, but not have access to anything else as the interfaces are described and the rest of the customers data/ gcp-project should not be visible or even changeable – Malte Nov 09 '18 at 10:51
  • @user2122552 Yeah, it seems it's now supported, although I haven't checked the functionality myself (I migrated away from Firebase after a hosting outage took my company's site down for hours). The answer has been updated with the new info. – Chris Nov 12 '18 at 03:26