FCM Service Account Private Key Setup

This guide walks you through setting up Firebase Cloud Messaging (FCM) for enabling push notifications in Android apps using a security-focused, least-privilege approach.

The process has three steps:

1. Create a least-privilege IAM role for push messaging.
2. Generate a service account private key.
3. Upload or hand over the key depending on your app type.

Prerequisites

You must have a Firebase account and project for your application to start using FCM. If you do not have them, complete the following before proceeding:

• Create a Google account at accounts.google.com.
• Create a Firebase project at console.firebase.google.com.

1. Create a Push Notification Role

You need a service account assigned a role with the cloudmessaging.messages.create permission.

1. Sign in to console.firebase.google.com.
2. On the Firebase console, select your softphone project.
3. Select the Project Overview Settings icon > Project settings.
4. On the Project settings pane:
   1. Select the Cloud Messaging tab.
   2. Select Manage Service Accounts of the desired Sender ID.
5. In the IAM & Admin section, select Roles on the left navigation menu.
6. On the Roles pane, select + CREATE ROLE at the top navigation bar.

7. Under Create Role, enter a descriptive name for this role in the Title and ID fields.

   Example

   • Title - Acrobits Push Role
   • ID - AcrobitsPushRole

8. Select + ADD PERMISSION, search for cloudmessaging.messages.create, and select its check box.

   Tip

   To filter for quicker search, enter "cloudmessaging" in the filter field, then select cloudmessaging.messages.create from the suggestions.

9. Select ADD, then select Create at the bottom of the pane.

2. Create a Service Account

1. In the IAM & Admin section, select Service Account on the left navigation menu.
2. Select + CREATE SERVICE ACCOUNT at the top navigation bar.

3. Under Service account details, enter a descriptive name and description.

   Example

   • Service account name - Acrobits Push Service account
   • Service account description - Allow Acrobits to send pushes.

4. Select CREATE AND CONTINUE.

5. In Grant this service account access to project, select the Select a role drop-down and search for the role created in the previous section (e.g., Acrobits Push Role). Select it.

   Tip

   Enter the role title in the Type to filter field to find it quickly.

6. Select CONTINUE.

   Note

   In Grant users access to this service account, you may leave the Service account users role and Service account admins role fields blank.

7. Select DONE.

3. Download the Service Account Private Key

1. In the IAM & Admin section, select Service Account on the left navigation menu.
2. Locate the service account that handles push notifications.
3. Under the Actions column, select the three-dot menu > Manage keys.
4. Select ADD KEY > Create new key.
5. Ensure the JSON radio button is selected.
6. Select CREATE.
7. Save the private key file to your local computer.

4. Deploy the Private Key

Cloud Softphone White-LabelSDK-Based App

1. Log in to the Cloud Softphone portal at providers.cloudsoftphone.com.
2. Select your white-label app softphone project.
3. Select the Edit button of the Whitelabel options.
4. At the Android Firebase Private Key section, select the Select file button.
5. Locate and upload the private key file in JSON format.

Contact your Acrobits representative through your designated SDK support channel to arrange a secure key handover. Once received, the Acrobits team will deploy the key to the appropriate environment on your behalf.