# Firebase

> Connect Firebase to CloudThinker for project and app inventory, SDK config lookup, and Firestore/Storage security-rule audits

Connect your Firebase project to enable CloudThinker agents to inventory projects and apps, read SDK configuration, audit Firestore, Storage, and Realtime Database security rules, review deploy state, search Firebase documentation, and run approval-gated controls like creating apps or deploying.

Firebase authenticates with a **Google Cloud service-account key** (a JSON file). The service account's **IAM roles** determine what the agent can reach — grant read-only Firebase roles for audits and broader roles only if you need writes or deploys.

***

## Prerequisites

* A **Firebase project** you want CloudThinker to inspect.
* A **service-account key (JSON)** for that project.
* Permission to create service-account keys and assign IAM roles in the Google Cloud project that backs it.

<Info>
  The service-account JSON is a full credential. Scope its IAM roles to least privilege — a viewer-level Firebase role is enough for inventory and rule audits.
</Info>

***

## Setup

<Steps>
  <Step title="Generate a service-account key">
    In the [Firebase Console](https://console.firebase.google.com), pick your project, then click the **Settings** (gear) icon in the sidebar to open **Project settings**. Open the **Service accounts** tab in the top bar, click **Generate new private key**, and confirm with **Generate key** to download the JSON key file.
  </Step>

  <Step title="Grant IAM roles (optional, for least privilege)">
    In **Google Cloud Console → IAM**, give the service account only the roles CloudThinker needs — a **Viewer** / **Firebase Viewer** role for read-only audits, or a Firebase admin role if you want approval-gated writes and deploys.
  </Step>

  <Step title="Add the connection in CloudThinker">
    Navigate to **Connections → Firebase** and add the credential:

    * **Service Account Key (JSON)**: drag the downloaded `.json` key file onto the upload area — or click it to browse and pick the file

    Click **Connect**. CloudThinker reads the key, sets the active project from it, and shows a **Connected** status.
  </Step>
</Steps>

<Warning>
  Treat the downloaded JSON like a password. Store it in a secret manager and delete the local copy after uploading it to CloudThinker.
</Warning>

***

## Connection details

| Field                             | Description                                                                                                                       | Example                                                      |
| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
| **GOOGLE\_SERVICE\_ACCOUNT\_KEY** | Full Google Cloud service-account key JSON. CloudThinker reads its `project_id` to set the active Firebase project automatically. | `{ "type": "service_account", "project_id": "my-app", ... }` |

<Note>
  CloudThinker resolves the active project from the key's `project_id`, so no separate project ID or config file is required.
</Note>
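
A local pre-upload check for the key file, added here as an example (it is not CloudThinker's code): it catches the invalid or incomplete JSON and the missing `project_id` that this page lists under Troubleshooting. Field names other than `type` and `project_id` are those of a standard Google Cloud service-account key, and the sample key is constructed.

```python
import json

# Fields of a Google Cloud service-account key file. The page names only
# "type" and "project_id"; the rest are the standard key-file fields.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
PEM_HEAD, PEM_TAIL = "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"

def check_service_account_key(text):
    """Return a list of structural problems in key JSON text ([] = looks OK).
    Offline only: no call to Google, and secret values are never echoed."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing or empty field: {f}" for f in REQUIRED
                if not isinstance(key.get(f), str) or not key[f].strip()]
    kind = key.get("type")
    if isinstance(kind, str) and kind.strip() and kind != "service_account":
        # e.g. a different Google JSON file was picked by mistake
        problems.append(f"type is {kind!r}, expected 'service_account'")
    pem = key.get("private_key")
    if isinstance(pem, str) and pem.strip():
        body = pem.strip()
        if not (body.startswith(PEM_HEAD) and body.endswith(PEM_TAIL)):
            problems.append("private_key is not a complete PEM block")
    email = key.get("client_email")
    if isinstance(email, str) and email.strip() and not email.endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems

# Constructed sample key (placeholder values, not a real credential).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-app",
    "private_key_id": "constructed-key-id",
    "private_key": PEM_HEAD + "\nCONSTRUCTED-PLACEHOLDER\n" + PEM_TAIL + "\n",
    "client_email": "audit-reader@my-app.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    print(check_service_account_key(SAMPLE_KEY) or "key looks structurally valid")
```
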

***

## Required permissions

Read operations (project, app, SDK config, and security-rule inspection) work with a **viewer-level** Firebase/GCP role. Control operations — creating projects or apps, initializing features, switching the active project, and deploying — additionally require a role that permits them **and** explicit [approval](/guide/approval) in CloudThinker.

<Tip>
  Follow least privilege: grant a read-only Firebase role for audits and reserve write-capable roles for when you actually need them. Keep control operations approval-gated rather than removing the guardrail.
</Tip>

***

## Agent capabilities

Once connected, agents have read access to your Firebase project, apps, and rules.

| Capability                 | Description                                                                                                                     |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| **Projects & Apps**        | List accessible projects, inspect the active project, and list iOS, Android, and Web apps                                       |
| **SDK Configuration**      | Read a platform or app's Firebase SDK config                                                                                    |
| **Security Rules**         | Read Firestore, Storage, and Realtime Database rules to audit access                                                            |
| **Deploy State**           | Review deployment status                                                                                                        |
| **Firebase Docs**          | Search official Firebase and Google developer documentation                                                                     |
| **Project & App Controls** | Create projects, apps, and Android SHA keys, initialize features, switch the active project, and deploy — **requires approval** |

<Info>
  Create, initialize, deploy, and project-switch actions are approval-gated. CloudThinker requests confirmation before running them; read-only operations run without approval.
</Info>

### Verify the connection

```text
@alex show my Firebase environment and list the projects I can access
```

### Example prompts

```text
@alex review the current Firestore and Storage security rules, flag any that allow unauthenticated writes, and #recommend tighter definitions
@alex list all Firebase projects and the apps registered in the active project and #report as a table
@alex show the Firebase SDK config for my web app
```

<Note>
  If multiple projects are accessible and none is active, name the project in your prompt so the agent scopes to the right one.
</Note>
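
What the rule audit in the first example prompt looks for, shown as an added example (not CloudThinker's code or its agents' logic): a heuristic Python scan of Firestore rules text for `allow` statements that grant a write with no condition, or with a condition that never references `request.auth`. The sample rules are constructed, and a condition that delegates the auth check to a helper function is still flagged, for manual review.

```python
import re

WRITE_OPS = {"write", "create", "update", "delete"}
# Matches "allow <ops>;" and "allow <ops>: if <condition>;"
ALLOW = re.compile(r"\ballow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.*?))?\s*;", re.S)
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def unauthenticated_writes(rules):
    """Return (line, write_ops, reason) for each allow statement that grants
    a write without mentioning request.auth. Heuristic text scan, not a parser."""
    # Blank out comments but keep their newlines so line numbers stay right.
    text = COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), rules)
    findings = []
    for m in ALLOW.finditer(text):
        ops = {op.strip() for op in m.group(1).split(",")} & WRITE_OPS
        cond = m.group(2)
        if not ops:
            continue  # read-only statement
        if cond is not None and "request.auth" in cond:
            continue  # condition looks at the caller's identity
        reason = ("no condition, so the rule always allows" if cond is None
                  else "condition never checks request.auth: " + " ".join(cond.split()))
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, sorted(ops), reason))
    return findings

# Constructed sample rules (not from any real project).
SAMPLE_RULES = """\
service cloud.firestore {
  match /databases/{database}/documents {
    match /public/{doc} {
      allow read: if true;
      allow write: if true;
    }
    match /users/{uid} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
    match /drafts/{doc} {
      // allow write;
      allow create, update;
    }
  }
}
"""

if __name__ == "__main__":
    for line, ops, reason in unauthenticated_writes(SAMPLE_RULES):
        print(f"line {line}: allow {', '.join(ops)} -> {reason}")
```
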

***

## Troubleshooting

<Accordion title="Authentication failed / credentials unavailable">
  The service-account JSON is invalid, incomplete, or was pasted with missing characters. Generate a fresh private key in Firebase Console and reconnect.
</Accordion>

<Accordion title="Agent says no active project is selected">
  CloudThinker sets the active project from the key's `project_id`. If the key has no `project_id` or several projects are accessible, the agent lists them and asks which to use — name the project to continue.
</Accordion>

<Accordion title="Permission denied on a project, rules, or deploy">
  The service account lacks the Firebase/GCP IAM role for that product. Grant the appropriate role in Google Cloud IAM and reconnect.
</Accordion>

<Accordion title="A control action did not run">
  Create, initialize, and deploy require both an IAM role that permits the action and explicit approval in CloudThinker. Approve the action when prompted, and confirm the service account's roles allow it.
</Accordion>

***

## Security

* **Least privilege** — grant only the permissions the agents need for your use case; start read-only and widen later.
* **Read-only by default** — use read-only credentials unless you want agents to make changes through this connection.
* **Rotate credentials** — rotate keys and tokens on your normal schedule; CloudThinker picks up the new value when you update the connection.
* **Revoke on offboarding** — remove the credential at the provider when you delete a connection or a teammate leaves.

- **Approval for controls** — keep create, initialize, and deploy actions approval-gated rather than removing the guardrail.
- **Protect the key** — the service-account JSON is a full credential; never commit it to source control or share it in plain text.

***

## Related

<CardGroup cols={2}>
  <Card title="Google Cloud Connection" icon="https://mintcdn.com/cloudthinker/aLd-ttc-SCW-aFky/images/icons/gcp.svg?fit=max&auto=format&n=aLd-ttc-SCW-aFky&q=85&s=2cc7040a8e4cd401b1c388f8b0cd6fe3" href="/guide/connections/gcp" width="24" height="24" data-path="images/icons/gcp.svg">
    Connect Google Cloud Platform
  </Card>

  <Card title="Approval" icon="shield-check" href="/guide/approval">
    How approval-gated actions work
  </Card>
</CardGroup>
