In order we can deploy a pipeline onto your Firebase or GCP project, you must grant us sufficient permissions to do so. The best and most secure way for you to grant us the permissions is to create a service account in your Google Cloud Platform console. Service account is a special type of Google account representing a non-human user that needs to access you project.
Each pipeline has its own minimal set of permissions it needs.
Choose a pipeline you want to deploy
Log in into your GCP console
Go to "Service accounts" section of IAM
Click on "CREATE SERVICE ACCOUNT" at the top of the page
Set the account's name and description and click on "CREATE"
Select the role according to pipeline's permissions and click "NEXT"
Click on "CREATE KEY"
Leave the option "JSON" selected and hit "CREATE"
Even though you're interacting only with Firebase, under the hood your project is actually running on the Google Cloud Platform.
The service account keys you provide us is the only way how we can have an access to your Firebase or GCP account. We need this access in order to deploy the pipeline's code.
Yes. We have to store those keys in order to deploy new version of a pipeline every time you update it.
Ideally, yes. Using a different service account for each pipeline is the most secure way for you to make sure you aren't granting us more permissions than we really need. Nothing prevents you from using the same service account for each pipeline though.