google cloud platform – What permissions do I need to send messages via FCM?

I'm trying to set up a service account for FCM with the help of Terraform. I've created a custom role based on permissions in the IAM Firebase Permissions reference. I cannot make it work.

Here is my custom role (including authentication permissions):

resource "google_project_iam_custom_role" "firebase_access" {
  project = "${data.google_project.firebase_project.id}"

  # https://firebase.google.com/docs/projects/iam/permissions
  permissions = [
    # Auth
    "firebaseauth.configs.get",
    "firebaseauth.configs.update",
    "firebaseauth.configs.create",
    "firebaseauth.users.create",
    "firebaseauth.users.createSession",
    "firebaseauth.users.delete",
    "firebaseauth.users.get",
    "firebaseauth.users.sendEmail",
    "firebaseauth.users.update",

    # Cloud Messaging
    "firebasenotifications.messages.create",
    "firebasenotifications.messages.delete",
    "firebasenotifications.messages.get",
    "firebasenotifications.messages.list",
    "firebasenotifications.messages.update",

    # Firebase required
    "firebaseanalytics.resources.googleAnalyticsReadAndAnalyze",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    # "resourcemanager.projects.list", Not required
    "servicemanagement.projectSettings.get",
    "serviceusage.apiKeys.get",
    "serviceusage.apiKeys.getProjectForKey",
    "serviceusage.apiKeys.list",
    "serviceusage.operations.get",
    "serviceusage.operations.list",
    "serviceusage.quotas.get",
    "serviceusage.services.get",
    "serviceusage.services.list",
  ]

  role_id     = "[redacted]" # Cannot have hyphens
  title       = "fire base [redacted] Role"
  description = "Provides the minimum permissions necessary for the [redacted] API to use Firebase "
}

I receive the error below:

Error: An error occurred while trying to authenticate with the FCM
servers. Make sure that the credentials used to authenticate this SDK have
the appropriate permissions. See
https://firebase.google.com/docs/admin/setup for configuration instructions.

It's absolutely miserable. The error message is not useful at all. By checking a service account created via Firebase, I see that there is an additional role, Firebase Admin SDK Administrator Service Agent. The role does not appear anywhere in the documentation. I had to check the HTTP request when adding the role to understand its real name (roles/firebase.sdkAdminServiceAgent). At first I thought adding this role corrected my problem, but I was wrong. I had also added the Editor role, and GCP IAM takes a long time to update (-_-).

For now, I'm just going to add the Editor role, but I would much rather constrain authorizations as much as possible.

What are the minimum permissions required to send FCM messages? The documentation is not useful, as far as I know.
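
An added example, not part of the original question or of any Firebase documentation: a send-only service account in Terraform, set beside the Editor fallback it would replace. It assumes messages are sent through the FCM HTTP v1 API, where sending is gated by the `cloudmessaging.messages.create` permission rather than the `firebasenotifications.*` permissions; `var.project_id`, the resource names, `account_id` and `role_id` are hypothetical.

```hcl
# Constructed example. Assumption: sends go through the FCM HTTP v1 API,
# which checks cloudmessaging.messages.create on the project.

variable "project_id" {
  type        = string
  description = "ID of the Firebase/GCP project (hypothetical input)"
}

# Dedicated identity used only for sending push messages.
resource "google_service_account" "fcm_sender" {
  project      = var.project_id
  account_id   = "fcm-sender" # hypothetical name
  display_name = "FCM sender (send-only)"
}

# Custom role holding the single permission needed to send a message.
resource "google_project_iam_custom_role" "fcm_send_only" {
  project     = var.project_id
  role_id     = "fcmSendOnly" # no hyphens allowed in role_id
  title       = "FCM send only"
  description = "Allows sending messages through Firebase Cloud Messaging and nothing else"
  permissions = ["cloudmessaging.messages.create"]
}

# Least-privilege binding: the service account gets only the custom role.
resource "google_project_iam_member" "fcm_sender_send_only" {
  project = var.project_id
  role    = google_project_iam_custom_role.fcm_send_only.name
  member  = "serviceAccount:${google_service_account.fcm_sender.email}"
}

# Broad fallback this replaces, shown for contrast only. roles/editor grants
# write access across most services in the project, so a leaked key for this
# account would expose far more than push messaging.
#
# resource "google_project_iam_member" "fcm_sender_editor" {
#   project = var.project_id
#   role    = "roles/editor"
#   member  = "serviceAccount:${google_service_account.fcm_sender.email}"
# }
```

Because IAM changes can take time to propagate, test each role change in isolation and wait before concluding that a binding did or did not help.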