FB
Firebase
Provider Setup

Connect Firebase

ConfigTrace connects to Firebase using a service account key. It monitors Firestore rules, Storage rules, Realtime Database rules, and project/auth configuration — without reading any Firestore documents, Storage files, or user records.

On this page
  1. Prerequisites
  2. Step 1 — Create a service account
  3. Step 2 — Generate a JSON key
  4. Step 3 — Connect in ConfigTrace
  5. Step 4 — Run your first sync
  6. What ConfigTrace monitors
  7. What ConfigTrace never reads

Prerequisites

  • A Firebase project (Blaze plan recommended for full service account support)
  • Owner or Editor role on the project
  • A ConfigTrace workspace (owner or admin role)

Step 1 — Create a service account

  1. 1
    Open Project Settings
    Go to the Firebase Console → Project Settings → Service Accounts tab.
  2. 2
    Open Google Cloud IAM
    Click "Manage service account permissions" — this opens Google Cloud IAM.
  3. 3
    Create the service account
    In Google Cloud IAM, click "Create Service Account". Name it configtrace-readonly and give it a description.
  4. 4
    Assign the Firebase Viewer role
    On the permissions step, assign the role Firebase Viewer (roles/firebase.viewer). This gives read-only access to Firebase project configuration.
  5. 5
    Finish
    Click "Create and continue" then "Done".

Step 2 — Generate a JSON key

  1. 1
    Locate your service account
    Back in Google Cloud IAM, find the service account you created.
  2. 2
    Open key management
    Click the three-dot menu → "Manage keys".
  3. 3
    Create and download the key
    Click "Add key → Create new key → JSON". Download the JSON key file. Keep it secure.

Step 3 — Connect in ConfigTrace

  1. 1
    Open Integrations
    In the ConfigTrace sidebar, click Integrations, then click Connect on the Firebase card.
  2. 2
    Paste your credential
    Paste the contents of your service account JSON key into the credential field.
  3. 3
    Save and validate
    Click Save integration. ConfigTrace will validate the credentials.
Handle your JSON key like a password. ConfigTrace encrypts it before storage, but you should treat the downloaded file as a secret and delete it once you've pasted it into ConfigTrace.

Step 4 — Run your first sync

Click Sync Now on the integration. The first sync captures your Firestore rules, Storage rules, and project configuration as a baseline.

What ConfigTrace monitors

Reads (configuration metadata)
  • Firestore security rules
  • Firebase Storage security rules
  • Realtime Database rules
  • Firebase project metadata and settings
  • Firebase Authentication configuration (authorized domains, sign-in providers, OAuth redirect URIs)
  • Firebase Hosting configuration
  • Cloud Functions metadata (names, triggers, runtime — not function code)
Never reads
  • Firestore collection or document contents
  • Firebase Storage file contents
  • Firebase Auth user records or passwords
  • Cloud Functions source code
  • Secret Manager values
  • Any customer application data

What ConfigTrace never reads

ConfigTrace reads security rules as text (e.g. allow read: if request.auth != null). It never queries or reads the data those rules protect.

For a full breakdown across all providers, see the Data Access & Permissions reference.