IAM permissions reference guide

This document provides reference information about configuringTest Lab IAMpermissions and roles. If you want to configure more granular roles,Test Labprovides permissions for both executing tests and streaming devices usingAndroid Studio. Test execution has extra requirements to properly configurepermissions and roles for IAM and the streaming devices.

Test Execution

To properly configureTest Lab so that you can execute and read the resultsof tests, you have to configure access toCloud Storage buckets. Thisrequires a specific configuration of permissions that aren't all included in thestandardFirebase predefined roles. Togrant access toTest Lab, use one of the following options.

Tests through theFirebase console

For tests started fromFirebase console or through theFirebase Test Lab Device Matrix in Android Studio:

  1. Test your app in a dedicated separate Firebase project.
  2. Add users that needTest Lab access and assign them legacy project rolesusing theFirebase console.
  3. (Optional) Assign theEditor project role to allow a user to run testswithTest Lab.
  4. (Optional) Assign theViewer project role to allow a user to view testresults withTest Lab.

Tests through gcloud CLI

Tests started from thegcloud CLI,theTesting API, orGradle ManagedDevices use aCloud Storage bucket created by Firebase by default. This requires theprincipal executing the test to have the "roles/editor" role for your firebaseproject.

If you cannot grant that role, or you want to retain detailed test results forlonger than 90 days, you can send these test results to aCloud Storagebucket that you own using the--results-bucket gcloud command-line option.

When using your ownCloud Storage bucket:

  1. Assign a pair of predefined roles, which grants the required set ofpermissions together, using theGoogle Cloud console.
  2. To allow a user to run tests withTest Lab, assign both: Firebase TestLab Admin (roles/cloudtestservice.testAdmin) and Firebase AnalyticsViewer (roles/firebase.analyticsViewer)
  3. To allow a user to view test results inTest Lab, assign both: FirebaseTest Lab Viewer (roles/cloudtestservice.testViewer) and FirebaseAnalytics Viewer (roles/firebase.analyticsViewer)
Caution: Users assigned these predefined roles can accessallCloud Storage buckets associated with the Firebase project, potentially including customer data.

Enable permissions in Device Streaming

Device Streaming is a separate feature built on top ofTest Lab devices. Itprovides you with direct access toTest Lab devices. Firebase Editors andAdmins can use Device Streaming without any additional roles, however, you canalso provide more granular roles if necessary.

To allow a user to use device streaming, assign a predefined role which grantsthe required set of permissions together, using theGoogle Cloud console. The role to assign is Firebase Test Lab Direct AccessAdmin (roles/cloudtestservice.directAccessAdmin).

For more information on Device Streaming in Android Studio, seeDevice Streaming in Android Studio.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.