Connect your Firebase project to enable CloudThinker agents to inventory projects and apps, read SDK configuration, audit Firestore, Storage, and Realtime Database security rules, review deploy state, search Firebase documentation, and run approval-gated controls like creating apps or deploying. Firebase authenticates with a Google Cloud service-account key (a JSON file). The service account's IAM roles determine what the agent can reach; grant read-only Firebase roles for audits and broader roles only if you need writes or deploys.

Prerequisites

  • A Firebase project you want CloudThinker to inspect.
  • A service-account key (JSON) for that project.
  • Permission to create service-account keys and assign IAM roles in the project's Google Cloud.
The service-account JSON is a full credential. Scope its IAM roles to least privilege; a viewer-level Firebase role is enough for inventory and rule audits.

Setup

1. Generate a service-account key

In the Firebase Console, pick your project, then click the Settings (gear) icon in the sidebar to open Project settings. Open the Service accounts tab in the top bar, click Generate new private key, and confirm with Generate key to download the JSON key file.

2. Grant IAM roles (optional, for least privilege)

In Google Cloud Console → IAM, give the service account only the roles CloudThinker needs: a Viewer / Firebase Viewer role for read-only audits, or a Firebase admin role if you want approval-gated writes and deploys.

3. Add the connection in CloudThinker

Navigate to Connections → Firebase and add the credential:
  • Service Account Key (JSON): drag the downloaded .json key file onto the upload area, or click it to browse and pick the file
Click Connect. CloudThinker reads the key, sets the active project from it, and shows a Connected status.
Treat the downloaded JSON like a password. Store it in a secret manager and delete the local copy after uploading it to CloudThinker.

Connection details

| Field | Description | Example |
| --- | --- | --- |
| GOOGLE_SERVICE_ACCOUNT_KEY | Full Google Cloud service-account key JSON. CloudThinker reads its project_id to set the active Firebase project automatically. | { "type": "service_account", "project_id": "my-app", ... } |

CloudThinker resolves the active project from the key's project_id, so no separate project ID or config file is required.

Required permissions

Read operations (project, app, SDK config, and security-rule inspection) work with a viewer-level Firebase/GCP role. Control operations (creating projects or apps, initializing features, switching the active project, and deploying) additionally require a role that permits them and explicit approval in CloudThinker.
Follow least privilege: grant a read-only Firebase role for audits and reserve write-capable roles for when you actually need them. Keep control operations approval-gated rather than removing the guardrail.
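
A pre-upload check for the key file and its role bindings, added here as an example (not CloudThinker or Google code). It assumes the project IAM policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the function names, the read-only role set, and the sample key and policy are constructed for illustration.

```python
import json

# Fields a Google Cloud service-account key file carries; project_id is the one
# the page says CloudThinker reads to pick the active project.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")
# Assumption: roles treated as read-only for an audit-only connection.
READ_ONLY_ROLES = {"roles/viewer", "roles/firebase.viewer"}


def check_key(key_json: str) -> list[str]:
    """Return problems that would make the key unusable for the connection."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top level is not a JSON object"]
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    return problems


def roles_for(policy: dict, client_email: str) -> set[str]:
    """Roles bound directly to the service account in a project IAM policy."""
    member = f"serviceAccount:{client_email}"
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def excess_roles(policy: dict, client_email: str) -> list[str]:
    """Roles beyond the read-only set, i.e. what to remove for audit-only use."""
    return sorted(roles_for(policy, client_email) - READ_ONLY_ROLES)


# Constructed sample data (not a real key or policy).
SA = "ct-audit@my-app.iam.gserviceaccount.com"
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "my-app", "private_key_id": "0000",
    "private_key": "PLACEHOLDER-NOT-A-KEY", "client_email": SA,
})
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/firebase.viewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}", "user:dev@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY), check_key(SAMPLE_KEY[:-20]))
    print(excess_roles(SAMPLE_POLICY, SA))
```

The check sees only roles bound directly to the service account at project level; roles inherited from a folder or organization, or granted through a group, need those policies checked as well.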

Agent capabilities

Once connected, agents have read access to your Firebase project, apps, and rules.

| Capability | Description |
| --- | --- |
| Projects & Apps | List accessible projects, inspect the active project, and list iOS, Android, and Web apps |
| SDK Configuration | Read a platform or app's Firebase SDK config |
| Security Rules | Read Firestore, Storage, and Realtime Database rules to audit access |
| Deploy State | Review deployment status |
| Firebase Docs | Search official Firebase and Google developer documentation |
| Project & App Controls | Create projects, apps, and Android SHA keys, initialize features, switch the active project, and deploy (requires approval) |

Create, initialize, deploy, and project-switch actions are approval-gated. CloudThinker requests confirmation before running them; read-only operations run without approval.

Verify the connection

@alex show my Firebase environment and list the projects I can access

Example prompts

@alex review the current Firestore and Storage security rules, flag any that allow unauthenticated writes, and #recommend tighter definitions
@alex list all Firebase projects and the apps registered in the active project and #report as a table
@alex show the Firebase SDK config for my web app
If multiple projects are accessible and none is active, name the project in your prompt so the agent scopes to the right one.

Troubleshooting

The service-account JSON is invalid, incomplete, or was pasted with missing characters. Generate a fresh private key in Firebase Console and reconnect.
CloudThinker sets the active project from the key's project_id. If the key has no project_id or several projects are accessible, the agent lists them and asks which to use; name the project to continue.
The service account lacks the Firebase/GCP IAM role for that product. Grant the appropriate role in Google Cloud IAM and reconnect.
Create, initialize, and deploy require both an IAM role that permits the action and explicit approval in CloudThinker. Approve the action when prompted, and confirm the service account's roles allow it.

Security

  • Least privilege: grant only the permissions the agents need for your use case; start read-only and widen later.
  • Read-only by default: use read-only credentials unless you want agents to make changes through this connection.
  • Rotate credentials: rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
  • Revoke on offboarding: remove the credential at the provider when you delete a connection or a teammate leaves.
  • Approval for controls: keep create, initialize, and deploy actions approval-gated rather than removing the guardrail.
  • Protect the key: the service-account JSON is a full credential; never commit it to source control or share it in plain text.
