android-service-account-guide

# Android Service Account Guide

Step-by-step guide for creating a Google Cloud service account with Play Store API access. This is a manual process with documentation.

## Prerequisites

- Google Play Developer account ($25 one-time)
- Google Cloud Platform account (free)
- Admin access to Play Console

## Process

### Step 1: Create Documentation

Create `distribution/PLAY_CONSOLE_SETUP.md`:

```markdown
# Google Play Console Setup

Complete guide for setting up service account and API access.

## Step 1: Create Google Cloud Project

1. Go to: https://console.cloud.google.com/
2. Click "Select a project" → "New Project"
3. Name: "Android App Deployment"
4. Click "Create"
5. Wait for project creation (30 seconds)

## Step 2: Create Service Account

1. In Cloud Console, go to: IAM & Admin → Service Accounts
2. Click "Create Service Account"
3. Name: `playstore-deploy`
4. Description: "Automated Play Store deployment"
5. Click "Create and Continue"
6. Skip role assignment (click "Continue")
7. Click "Done"

## Step 3: Create Service Account Key

1. Find your service account in the list
2. Click ⋮ (three dots) → "Manage keys"
3. Click "Add Key" → "Create new key"
4. Select "JSON"
5. Click "Create"
6. **CRITICAL:** Save the downloaded JSON file securely
   - Store in password manager
   - Never commit to git
   - This is your only copy!

## Step 4: Enable Play Developer API

1. In Cloud Console, go to: APIs & Services → Library
2. Search: "Google Play Android Developer API"
3. Click on it
4. Click "Enable"
5. Wait for activation (30 seconds)

## Step 5: Link to Play Console

1. Go to: https://play.google.com/console/
2. Select your app
3. Go to: Setup → API access
4. Click "Link a Google Cloud project"
5. Select your project from dropdown
6. Click "Link"

## Step 6: Grant Service Account Access

1. Still in Play Console → API access
2. Find your service account in "Service accounts" section
3. Click "Grant access"
4. Check: "Release to production, exclude devices, and use Play App Signing"
5. Click "Apply"
6. Click "Invite user"

## Step 7: Verify Setup

Service account email format:
`playstore-deploy@PROJECT_ID.iam.gserviceaccount.com`

✅ Checklist:
- [ ] Service account created
- [ ] JSON key downloaded and stored securely
- [ ] Play Developer API enabled
- [ ] Cloud project linked to Play Console
- [ ] Service account has "Release" permission
- [ ] Permissions have propagated (wait 5-10 minutes)

## Security Notes

🔒 **Service Account JSON:**
- Contains sensitive credentials
- Store in password manager
- Never commit to version control
- Rotate keys annually
- One key per environment (dev/prod)

🔒 **Permissions:**
- Grant minimum required permissions only
- Review access logs regularly
- Revoke unused accounts
- Use 2FA on Google account
```

### Step 2: Guide User Through Process

**Interactive guidance:**
1. Ask: "Do you have a Google Play Developer account?"
2. Ask: "What is your app's package name?"
3. Display the step-by-step instructions
4. Wait for user confirmation at each major step
5. Verify service account email format

**No automated actions** - this skill is pure documentation and guidance.

### Step 3: Create GitHub Secrets Documentation

Create `distribution/GITHUB_SECRETS.md`:

```markdown
# GitHub Secrets Setup

Add these secrets to your GitHub repository for automated deployment.

## Required Secrets

Go to: Repository → Settings → Secrets and variables → Actions → New repository secret

### 1. SERVICE_ACCOUNT_JSON_PLAINTEXT

**Value:** Entire plaintext contents of the JSON file downloaded in service account setup (not base64 encoded)

**How to add:**
1. Open the service account JSON file
2. Copy entire contents (including { and })
3. Paste as secret value
4. Click "Add secret"

### 2. SIGNING_KEY_STORE_BASE64

**Value:** Base64-encoded production keystore

**How to create:**
```bash
base64 -w 0 keystores/production-release.jks
# OR on macOS:
base64 -i keystores/production-release.jks
```

### 3. SIGNING_KEY_ALIAS

**Value:** `upload` (from KEYSTORE_INFO.txt)

### 4. SIGNING_STORE_PASSWORD

**Value:** Production keystore password (from KEYSTORE_INFO.txt)

### 5. SIGNING_KEY_PASSWORD

**Value:** Production key password (same as store password for PKCS12)

## Verification

After adding secrets:
1. Go to: Repository → Settings → Secrets and variables → Actions
2. Verify all 5 secrets are listed
3. Secrets are encrypted and cannot be viewed after creation
4. Use workflow runs to verify secrets work

## Security Notes

- Never log secret values
- Rotate SERVICE_ACCOUNT_JSON_PLAINTEXT annually
- Keep KEYSTORE_INFO.txt secure (not in git)
- Use environment protection for production deployments
```

## Verification

**User confirmation required:**

Ask user to confirm:
- [ ] Service account created in Google Cloud
- [ ] JSON key downloaded and stored in password manager
- [ ] Play Developer API enabled
- [ ] Service account linked to Play Console
- [ ] Service account has "Release" permission
- [ ] Waited 5-10 minutes for permissions to propagate

## Outputs

| Output | Location | Description |
|--------|----------|-------------|
| Setup guide | distribution/PLAY_CONSOLE_SETUP.md | Complete setup instructions |
| Secrets guide | distribution/GITHUB_SECRETS.md | GitHub Secrets documentation |
| Service account JSON | User's secure storage | Downloaded by user manually |

## Troubleshooting

### "Cannot create service account"
**Cause:** Billing not enabled
**Fix:** Link billing account in Google Cloud (API is free)

### "Service account not appearing in Play Console"
**Cause:** Propagation delay
**Fix:** Wait 1-2 minutes, refresh page, clear browser cache

### "API enable button grayed out"
**Cause:** Wrong project selected or insufficient permissions
**Fix:** Verify project selection, check you have Owner/Editor role

## Completion Criteria

- [ ] distribution/PLAY_CONSOLE_SETUP.md created
- [ ] distribution/GITHUB_SECRETS.md created
- [ ] User confirms service account created
- [ ] User confirms JSON key downloaded and secured
- [ ] User confirms permissions granted in Play Console