Secrets and Service Account Configuration

Service Account File Location

The Firebase service account JSON file is stored locally at:

Location: ../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json

Absolute path: /Users/serge/dev/_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json

Project ID: seed-start-7255a

Local Development

Setting Up Permissions

First, grant the service account the necessary permissions:

```bash
cd seedsite
./scripts/setup-service-account-permissions.sh
```

This script will automatically:

  • Extract the service account email from the JSON file
  • Authenticate with gcloud
  • Grant all required Firebase permissions

Deploying Locally

For local deployment, use the service account file directly:

```bash
cd seedsite

# Option 1: Set environment variable
export GOOGLE_APPLICATION_CREDENTIALS="../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json"
firebase deploy --only hosting:dev

# Option 2: Use gcloud auth
gcloud auth activate-service-account \
  --key-file="../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json"
firebase deploy --only hosting:dev

# Option 3: Use the deployment script
./scripts/deploy-local.sh dev
```

CI/CD (GitHub Actions)

⚠️ GitHub Actions cannot access local files outside the repository.

The workflows use GitHub secrets that contain the JSON content:

  • Development: DEV_FIREBASE_SERVICE_ACCOUNT
  • Production: PROD_VITE_PUBLIC_SERVICE_ACCOUNT

Updating GitHub Secrets from Local File

To sync the GitHub secret with the local file:

```bash
# Option 1: Using GitHub CLI
gh secret set DEV_FIREBASE_SERVICE_ACCOUNT \
  < ../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json

# Option 2: Manual copy
# 1. Read the file
cat ../../_secrets/seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json

# 2. Copy the entire JSON content
# 3. Go to GitHub: Settings > Secrets and variables > Actions
# 4. Create/update secret: DEV_FIREBASE_SERVICE_ACCOUNT
# 5. Paste the JSON content
```

Service Account Details

  • File Name: seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json
  • Location: ../../_secrets/ (relative to seedsite directory)
  • Purpose: Firebase deployment (hosting, Firestore rules)
  • Project: seed-start-7255a

Required Permissions

The service account needs these IAM roles:

  • roles/firebasehosting.admin - For hosting deployment ✅
  • roles/firebaserules.admin - For Firestore rules deployment (optional)

See SERVICE_ACCOUNT_PERMISSIONS.md for detailed permission setup.

Security Notes

⚠️ Important:

  • Never commit the service account JSON file to git
  • The _secrets/ directory should be in .gitignore
  • Use GitHub secrets for CI/CD (workflows cannot access local files)
  • Rotate keys periodically
  • Limit service account permissions to minimum required
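The first two notes above can be enforced with a pre-flight check before the key is used for a deploy or piped into `gh secret set`. This is an added example, not one of the project's scripts: the helper name `check_service_account_key` and its messages are hypothetical, and the owner-only file mode check is an assumption the notes do not state.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for a service account key file.
# check_service_account_key is a hypothetical helper, not a project script.
# Returns 0 if every check passes, 1 if any check fails, 2 if the file is missing.
check_service_account_key() {
  local key="$1" problems=0 dir name perms

  if [ ! -f "$key" ]; then
    echo "FAIL: $key not found" >&2
    return 2
  fi
  dir=$(cd "$(dirname "$key")" && pwd)
  name=$(basename "$key")

  # 1. Assumed policy: owner-only access, so all group/other mode bits are unset.
  perms=$(ls -ld -- "$key" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL: group/other can access the key (chmod 600 it)" >&2
    problems=$((problems + 1))
  fi

  # 2. The file must be a service account key, not some other credential JSON.
  if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key"; then
    echo "FAIL: \"type\" is not service_account" >&2
    problems=$((problems + 1))
  fi

  # 3. "Never commit the key": if it sits inside a git work tree it must be
  #    untracked and matched by an ignore rule. Skipped when git is absent.
  if command -v git >/dev/null 2>&1 &&
     git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
      echo "FAIL: key is tracked by git; untrack it and rotate the key" >&2
      problems=$((problems + 1))
    elif ! git -C "$dir" check-ignore -q -- "$name"; then
      echo "FAIL: key is inside a repository but not ignored" >&2
      problems=$((problems + 1))
    fi
  fi

  if [ "$problems" -gt 0 ]; then return 1; fi
  echo "OK: $dir/$name"
}
# Usage: check_service_account_key /path/to/key.json && firebase deploy --only hosting:dev
```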

Directory Structure

/Users/serge/dev/
├── _secrets/                                    # Secrets directory (outside repos)
│   └── seed-start-7255a-firebase-adminsdk-eoxeg-d9fb24ee1e.json
├── seedsite/                                    # Main app
│   ├── .github/workflows/
│   │   ├── deploy-dev.yml                      # Uses GitHub secrets
│   │   └── deploy-prod.yml                     # Uses GitHub secrets
│   └── docs/
│       └── SECRETS.md                          # This file
├── admin/                                       # Admin portal
└── srv/                                         # Functions

Internal docs — access restricted via Cloudflare Zero Trust.