Firebase is back at Google I/O on May 14! Register now.

IAM permissions reference guide

This document provides reference information about configuring Test Lab IAM permissions and roles. If you want to configure more granular roles, Test Lab provides permissions for both executing tests and streaming devices using Android Studio. Test execution has extra requirements to properly configure permissions and roles for IAM and the streaming devices.

Test Execution

To properly configure Test Lab so that you can execute and read the results of tests, you have to configure access to Cloud Storage buckets. This requires a specific configuration of permissions that aren't all included in the standard Firebase predefined roles. To grant access to Test Lab, use one of the following options.

Tests through the Firebase console

For tests started from Firebase console or through the Firebase Test Lab Device Matrix in Android Studio:

Test your app in a dedicated separate Firebase project.
Add users that need Test Lab access and assign them legacy project roles using the Firebase console.
(Optional) Assign the Editor project role to allow a user to run tests with Test Lab.
(Optional) Assign the Viewer project role to allow a user to view test results with Test Lab.

Tests through gcloud CLI

For tests started from the gcloud CLI, the Testing API, or Gradle Managed Devices while using your own Cloud Storage bucket:

Assign a pair of predefined roles, which grants the required set of permissions together, using the Google Cloud console.
To allow a user to run tests with Test Lab, assign both: Firebase Test Lab Admin (roles/cloudtestservice.testAdmin) and Firebase Analytics Viewer (roles/firebase.analyticsViewer)
To allow a user to view test results in Test Lab, assign both: Firebase Test Lab Viewer (roles/cloudtestservice.testViewer) and Firebase Analytics Viewer (roles/firebase.analyticsViewer)

Enable permissions in Device Streaming

Device Streaming is a separate feature built on top of Test Lab devices. It provides you with direct access to Test Lab devices. Firebase Editors and Admins can use Device Streaming without any additional roles, however, you can also provide more granular roles if necessary.

To allow a user to use device streaming, assign a predefined role which grants the required set of permissions together, using the Google Cloud console . The role to assign is Firebase Test Lab Direct Access Admin (roles/cloudtestservice.directAccessAdmin).

For more information on Device Streaming in Android Studio, see Device Streaming in Android Studio.