Skip to main content
← Documentation

Chat secrets (Firebase + admin)

Secrets are created in your GCP project (e.g. the one in Terraform project_id). Cloud Run service account needs roles/secretmanager.secretAccessor on each secret (Terraform or IAM bindings).

1. Add Firebase service account JSON

From a file (recommended; keep it out of shell history):

gcloud secrets versions add firebase-service-account \
  --data-file=path/to/your-firebase-service-account.json \
  --project=YOUR_PROJECT_ID

Or from stdin (paste the JSON, then Ctrl+D):

gcloud secrets versions add firebase-service-account --data-file=- --project=YOUR_PROJECT_ID

2. Add admin secret (for /admin/conversations)

echo -n 'your-chosen-admin-password' | gcloud secrets versions add admin-secret --data-file=- --project=YOUR_PROJECT_ID

3. Deploy

After both secrets have at least one version, the next push to main (or Cloud Build deploy) will inject them into Cloud Run via cloudbuild.yaml.

Optional: use the script

Put your Firebase JSON at .secret/firebase-service-account.json, set ADMIN_SECRET, then:

export PROJECT_ID=your-gcp-project-id
export ADMIN_SECRET=your-admin-password
./scripts/create-chat-secrets.sh

This (re)runs IAM binding and adds versions from the file/env.