10

We are using FCM to send mobile notifications to our app. This is working just fine, however the service account I have to use to send messages has the 'Project Editor' role.

Since we both develop the app and the service that sends the messages, that is not a huge issue for us; however, we also offer an API implementation to third party app builders.

In that case we would like to be able to create a service account with a more restricted role, so we can only send messages. This way the third party can provide us a service account authentication JSON, where they can be sure we won't be able to see or do anything other than publishing FCM messages.

Does anyone know what permissions / roles this service account user should have?

The Google documentation on this point is useless, since it says it should be project editor or project owner, and doesn't provide the specific permission.

Linda Lawton - DaImTo
Paul Jacobse
  • more on how https://stackoverflow.com/questions/59756793/how-do-i-grant-a-specific-permission-to-a-cloud-iam-service-account-using-the-gc – giorgio79 Mar 05 '23 at 18:09

2 Answers

9

I think this is what you need. It worked for us.

cloudmessaging.messages.create
firebasenotifications.messages.create
firebasenotifications.messages.delete
firebasenotifications.messages.get
firebasenotifications.messages.list
firebasenotifications.messages.update

cloudmessaging.messages.create: this one was critical.

Yury Lvov
4

For me, for push notifications, the only one needed was cloudmessaging.messages.create.

That can be also seen as a result of the new Cloud IAM role recommendations service.

https://cloud.google.com/iam/docs/role-recommendations

And yeah, it's a shame that Google didn't provide documentation on this.

SFin
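Both answers above boil down to the same thing: a custom IAM role that grants only cloudmessaging.messages.create, bound to a dedicated service account whose key is what you hand to the integrator. The script below is an added example, not code from the question or either answer. It writes the role definition in the YAML shape that `gcloud iam roles create --file` accepts, creates the service account and binding, and lists the roles bound to the account so you can confirm nothing broader (such as Project Editor) is attached. The project id, role id and account name are placeholders, and the firebasenotifications.* permissions from the first answer are deliberately left out because the second answer found them unnecessary for API sends.

```shell
#!/usr/bin/env bash
# Added example (not from the question or answers): build a custom IAM role
# carrying only cloudmessaging.messages.create, bind it to a dedicated service
# account, and show how to verify the binding. Project id, role id and account
# name used below are placeholders.
set -eu

# Emit the role definition in the YAML shape `gcloud iam roles create --file`
# expects. Only the single permission needed to publish FCM messages is granted.
make_role_yaml() {
  cat <<'EOF'
title: "FCM Message Sender"
description: "Least-privilege role: can only publish FCM messages"
stage: "GA"
includedPermissions:
- cloudmessaging.messages.create
EOF
}

# Count the permissions a role YAML grants, so a review step can reject any
# role file that has grown beyond the one send permission.
count_permissions() {
  printf '%s\n' "$1" | grep -c '^- '
}

# Create the role, the service account, the binding and a key file.
# Requires an authenticated gcloud that may manage IAM in the project.
create_restricted_sender() {
  project="$1"; role_id="$2"; sa_name="$3"
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  role_file="$(mktemp)"
  make_role_yaml > "$role_file"

  gcloud iam roles create "$role_id" --project="$project" --file="$role_file"
  gcloud iam service-accounts create "$sa_name" \
    --project="$project" --display-name="FCM sender for third-party integration"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" \
    --role="projects/${project}/roles/${role_id}"
  # This JSON key is what the integrator receives; it carries only the custom role.
  gcloud iam service-accounts keys create "fcm-sender-key.json" \
    --iam-account="$sa_email"
  rm -f "$role_file"
}

# Verify: print every role bound to the account in the project's IAM policy.
# Expected output is exactly one line, projects/<project>/roles/<role_id>.
show_bindings() {
  project="$1"; sa_email="$2"
  gcloud projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${sa_email}" \
    --format="value(bindings.role)"
}

# Usage (placeholder values):
#   create_restricted_sender my-project fcmSender fcm-sender
#   show_bindings my-project fcm-sender@my-project.iam.gserviceaccount.com
```

Keep the role YAML under version control and run count_permissions over it in CI: the whole point of the restricted account is that a third party can audit it, and a role that silently grows extra permissions defeats that. If show_bindings ever prints more than the custom role, the account has been granted something broader and the key should be rotated after the extra binding is removed.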