Minimal set of permissions to give for a read-only access to Firebase Remote Config?

Question

We have set up the Remote Config for our app at Google Firebase, which is accessed via a Service Account that is meant to have a Role with minimal requirements. Would be perfect to have permissions for read-only access to the Remote Config only.

However we cannot come up with the working set. Firebase Viewer role works fine, but there are 107 permissions attached to it. Obviously we don't need that many? For example I successfully removed all prefixed with automl. (20+ or something) But as soon as I go deeper for seemingly unrelated ones, like: firebasedynamiclinks.domains.list or logging.logEntries.list or cloudtestservice.environmentcatalog.get it blows up and remoteConfig endpoint for the project starts to return http error 500 (internal error). Which in my interpretation signals about some conflict in the remaining set of permissions.

Are there some determined permissions for reading Remote Config only?

Answer 1

Firebase IAM Permissions lists the roles required for each product.

The only Remote Config permissions are cloudconfig.configs.get and cloudconfig.configs.update

Since you'd like your service account to have read-only access, the only permissions you should need are cloudconfig.configs.get and the permissions required for all roles (i.e., firebaseanalytics.resources.googleAnalyticsReadAndAnalyze, resourcemanager.*, servicemanagement.* and serviceusage.*).