Prerequisites
- A Firebase project you want CloudThinker to inspect.
- A service-account key (JSON) for that project.
- Permission to create service-account keys and assign IAM roles in the project's Google Cloud.
The service-account JSON is a full credential. Scope its IAM roles to least privilege; a viewer-level Firebase role is enough for inventory and rule audits.
Setup
Generate a service-account key
In the Firebase Console, pick your project, then click the Settings (gear) icon in the sidebar to open Project settings. Open the Service accounts tab in the top bar, click Generate new private key, and confirm with Generate key to download the JSON key file.
Grant IAM roles (optional, for least privilege)
In Google Cloud Console → IAM, give the service account only the roles CloudThinker needs: a Viewer / Firebase Viewer role for read-only audits, or a Firebase admin role if you want approval-gated writes and deploys.
Add the connection in CloudThinker
Navigate to Connections → Firebase and add the credential:
- Service Account Key (JSON): drag the downloaded .json key file onto the upload area, or click it to browse and pick the file
Connection details
| Field | Description | Example |
|---|---|---|
| GOOGLE_SERVICE_ACCOUNT_KEY | Full Google Cloud service-account key JSON. CloudThinker reads its project_id to set the active Firebase project automatically. | { "type": "service_account", "project_id": "my-app", ... } |
CloudThinker resolves the active project from the key's project_id, so no separate project ID or config file is required.
Required permissions
Read operations (project, app, SDK config, and security-rule inspection) work with a viewer-level Firebase/GCP role. Control operations (creating projects or apps, initializing features, switching the active project, and deploying) additionally require a role that permits them and explicit approval in CloudThinker.
Agent capabilities
Once connected, agents have read access to your Firebase project, apps, and rules.
| Capability | Description |
|---|---|
| Projects & Apps | List accessible projects, inspect the active project, and list iOS, Android, and Web apps |
| SDK Configuration | Read a platform or app's Firebase SDK config |
| Security Rules | Read Firestore, Storage, and Realtime Database rules to audit access |
| Deploy State | Review deployment status |
| Firebase Docs | Search official Firebase and Google developer documentation |
| Project & App Controls | Create projects, apps, and Android SHA keys, initialize features, switch the active project, and deploy; requires approval |
Create, initialize, deploy, and project-switch actions are approval-gated. CloudThinker requests confirmation before running them; read-only operations run without approval.
Verify the connection
Example prompts
If multiple projects are accessible and none is active, name the project in your prompt so the agent scopes to the right one.
Troubleshooting
Authentication failed / credentials unavailable
Agent says no active project is selected
CloudThinker sets the active project from the key's project_id. If the key has no project_id or several projects are accessible, the agent lists them and asks which to use; name the project to continue.
Permission denied on a project, rules, or deploy
The service account lacks the Firebase/GCP IAM role for that product. Grant the appropriate role in Google Cloud IAM and reconnect.
A control action did not run
Create, initialize, and deploy require both an IAM role that permits the action and explicit approval in CloudThinker. Approve the action when prompted, and confirm the service account's roles allow it.
Security
- Least privilege: grant only the permissions the agents need for your use case; start read-only and widen later.
- Read-only by default: use read-only credentials unless you want agents to make changes through this connection.
- Rotate credentials: rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
- Revoke on offboarding: remove the credential at the provider when you delete a connection or a teammate leaves.
- Approval for controls: keep create, initialize, and deploy actions approval-gated rather than removing the guardrail.
- Protect the key: the service-account JSON is a full credential; never commit it to source control or share it in plain text.
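A pre-upload check for the key file and its IAM bindings, added here as an example (not CloudThinker's code). It assumes the project IAM policy was exported as JSON, for instance with `gcloud projects get-iam-policy`, and that the Viewer / Firebase Viewer roles named above correspond to `roles/viewer` and `roles/firebase.viewer`; the sample key, service-account e-mail and policy are constructed.

```python
import json
import os
import stat
import tempfile

# Assumption: role IDs for the read-only roles this page names.
READ_ONLY_ROLES = {"roles/viewer", "roles/firebase.viewer"}
# Constructed sample data (not a real key, account or policy).
SAMPLE_SA = "audit@my-app.iam.gserviceaccount.com"
SAMPLE_KEY = {"type": "service_account", "project_id": "my-app",
              "client_email": SAMPLE_SA, "private_key": "PLACEHOLDER"}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/firebase.viewer", "members": [f"serviceAccount:{SAMPLE_SA}"]},
    {"role": "roles/firebase.admin", "members": [f"serviceAccount:{SAMPLE_SA}"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]}]}


def check_key(path):
    """Load a key file; return (key, findings) on file mode and fields."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"key file mode {mode:o} is open to group/others")
    with open(path) as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        findings.append("type is not service_account")
    for field in ("project_id", "client_email", "private_key"):
        if not key.get(field):
            findings.append(f"missing field: {field}")
    return key, findings


def audit(key_path, policy):
    """Flag key-file problems and any role bound beyond read-only."""
    key, findings = check_key(key_path)
    member = f"serviceAccount:{key.get('client_email', '')}"
    for b in policy.get("bindings", []):
        if member in b.get("members", []) and b["role"] not in READ_ONLY_ROLES:
            findings.append(f"role beyond read-only: {b['role']}")
    return findings


def demo(key=SAMPLE_KEY, mode=0o644):
    """Write a constructed key to a temp file and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".json") as fh:
        json.dump(key, fh)
        fh.flush()
        os.chmod(fh.name, mode)
        return audit(fh.name, SAMPLE_POLICY)
```

An empty result means the key is well-formed, private to its owner, and bound only to read-only roles; a missing project_id finding corresponds to the "no active project" case under Troubleshooting.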
Related
Google Cloud Connection
Connect Google Cloud Platform
Approval
How approval-gated actions work