playbooks

home / skills / hitoshura25 / claude-devtools / android-service-account-guide

android-service-account-guide skill

/skills/android-service-account-guide

This skill guides you through creating a Google Cloud service account for Play Store API access and securely configuring keys.

npx playbooks add skill hitoshura25/claude-devtools --skill android-service-account-guide

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
6.4 KB
---
name: android-service-account-guide
description: Step-by-step guide for creating Google Cloud service account for Play Store API access
category: android
version: 1.0.0
inputs:
  - package_name: Android app package name
outputs:
  - Service account JSON (user downloads manually)
  - Documentation: distribution/PLAY_CONSOLE_SETUP.md
verify: "User confirms service account created"
---

# Android Service Account Guide

Step-by-step guide for creating a Google Cloud service account with Play Store API access. This is a manual process with documentation.

## Prerequisites

- Google Play Developer account ($25 one-time)
- Google Cloud Platform account (free)
- Admin access to Play Console

## Process

### Step 1: Create Documentation

Create `distribution/PLAY_CONSOLE_SETUP.md`:

```markdown
# Google Play Console Setup

Complete guide for setting up service account and API access.

## Step 1: Create Google Cloud Project

1. Go to: https://console.cloud.google.com/
2. Click "Select a project" → "New Project"
3. Name: "Android App Deployment"
4. Click "Create"
5. Wait for project creation (30 seconds)

## Step 2: Create Service Account

1. In Cloud Console, go to: IAM & Admin → Service Accounts
2. Click "Create Service Account"
3. Name: `playstore-deploy`
4. Description: "Automated Play Store deployment"
5. Click "Create and Continue"
6. Skip role assignment (click "Continue")
7. Click "Done"

## Step 3: Create Service Account Key

1. Find your service account in the list
2. Click ⋮ (three dots) → "Manage keys"
3. Click "Add Key" → "Create new key"
4. Select "JSON"
5. Click "Create"
6. **CRITICAL:** Save the downloaded JSON file securely
   - Store in password manager
   - Never commit to git
   - This is your only copy!

## Step 4: Enable Play Developer API

1. In Cloud Console, go to: APIs & Services → Library
2. Search: "Google Play Android Developer API"
3. Click on it
4. Click "Enable"
5. Wait for activation (30 seconds)

## Step 5: Link to Play Console

1. Go to: https://play.google.com/console/
2. Select your app
3. Go to: Setup → API access
4. Click "Link a Google Cloud project"
5. Select your project from dropdown
6. Click "Link"

## Step 6: Grant Service Account Access

1. Still in Play Console → API access
2. Find your service account in "Service accounts" section
3. Click "Grant access"
4. Check: "Release to production, exclude devices, and use Play App Signing"
5. Click "Apply"
6. Click "Invite user"

## Step 7: Verify Setup

Service account email format:
`playstore-deploy@PROJECT_ID.iam.gserviceaccount.com`

✅ Checklist:
- [ ] Service account created
- [ ] JSON key downloaded and stored securely
- [ ] Play Developer API enabled
- [ ] Cloud project linked to Play Console
- [ ] Service account has "Release" permission
- [ ] Permissions have propagated (wait 5-10 minutes)

## Security Notes

🔒 **Service Account JSON:**
- Contains sensitive credentials
- Store in password manager
- Never commit to version control
- Rotate keys annually
- One key per environment (dev/prod)

🔒 **Permissions:**
- Grant minimum required permissions only
- Review access logs regularly
- Revoke unused accounts
- Use 2FA on Google account
```

### Step 2: Guide User Through Process

**Interactive guidance:**
1. Ask: "Do you have a Google Play Developer account?"
2. Ask: "What is your app's package name?"
3. Display the step-by-step instructions
4. Wait for user confirmation at each major step
5. Verify service account email format

**No automated actions** - this skill is pure documentation and guidance.

### Step 3: Create GitHub Secrets Documentation

Create `distribution/GITHUB_SECRETS.md`:

```markdown
# GitHub Secrets Setup

Add these secrets to your GitHub repository for automated deployment.

## Required Secrets

Go to: Repository → Settings → Secrets and variables → Actions → New repository secret

### 1. SERVICE_ACCOUNT_JSON_PLAINTEXT

**Value:** Entire plaintext contents of the JSON file downloaded in service account setup (not base64 encoded)

**How to add:**
1. Open the service account JSON file
2. Copy entire contents (including { and })
3. Paste as secret value
4. Click "Add secret"

### 2. SIGNING_KEY_STORE_BASE64

**Value:** Base64-encoded production keystore

**How to create:**
```bash
base64 -w 0 keystores/production-release.jks
# OR on macOS:
base64 -i keystores/production-release.jks
```

### 3. SIGNING_KEY_ALIAS

**Value:** `upload` (from KEYSTORE_INFO.txt)

### 4. SIGNING_STORE_PASSWORD

**Value:** Production keystore password (from KEYSTORE_INFO.txt)

### 5. SIGNING_KEY_PASSWORD

**Value:** Production key password (same as store password for PKCS12)

## Verification

After adding secrets:
1. Go to: Repository → Settings → Secrets and variables → Actions
2. Verify all 5 secrets are listed
3. Secrets are encrypted and cannot be viewed after creation
4. Use workflow runs to verify secrets work

## Security Notes

- Never log secret values
- Rotate SERVICE_ACCOUNT_JSON_PLAINTEXT annually
- Keep KEYSTORE_INFO.txt secure (not in git)
- Use environment protection for production deployments
```

## Verification

**User confirmation required:**

Ask user to confirm:
- [ ] Service account created in Google Cloud
- [ ] JSON key downloaded and stored in password manager
- [ ] Play Developer API enabled
- [ ] Service account linked to Play Console
- [ ] Service account has "Release" permission
- [ ] Waited 5-10 minutes for permissions to propagate

## Outputs

| Output | Location | Description |
|--------|----------|-------------|
| Setup guide | distribution/PLAY_CONSOLE_SETUP.md | Complete setup instructions |
| Secrets guide | distribution/GITHUB_SECRETS.md | GitHub Secrets documentation |
| Service account JSON | User's secure storage | Downloaded by user manually |

## Troubleshooting

### "Cannot create service account"
**Cause:** Billing not enabled
**Fix:** Link billing account in Google Cloud (API is free)

### "Service account not appearing in Play Console"
**Cause:** Propagation delay
**Fix:** Wait 1-2 minutes, refresh page, clear browser cache

### "API enable button grayed out"
**Cause:** Wrong project selected or insufficient permissions
**Fix:** Verify project selection, check you have Owner/Editor role

## Completion Criteria

- [ ] distribution/PLAY_CONSOLE_SETUP.md created
- [ ] distribution/GITHUB_SECRETS.md created
- [ ] User confirms service account created
- [ ] User confirms JSON key downloaded and secured
- [ ] User confirms permissions granted in Play Console

Overview

This skill is a concise, step-by-step guide to create a Google Cloud service account and configure Play Store API access for automated Android deployments. It documents the exact Cloud Console and Play Console steps, key handling, and required GitHub secrets. The skill emphasizes security practices and includes verification and troubleshooting tips. Use it to prepare a deployment-safe service account and repository secret setup.

How this skill works

The guide walks you through creating a Google Cloud project, a service account, and a JSON key, then enabling the Google Play Developer API and linking the Cloud project to the Play Console. It shows how to grant the service account the Release permission in the Play Console and how to add the necessary GitHub repository secrets for CI/CD deployment. The skill is purely instructional—no automated changes are performed; it prompts for user confirmation at major steps.

When to use it

  • Setting up CI/CD for Android app releases to Google Play
  • Preparing a dedicated service account for Play Store API access
  • Documenting deployment steps for team onboarding
  • Adding secure GitHub secrets for release workflows
  • Auditing or rotating Play Store service account keys

Best practices

  • Store the downloaded JSON key in a password manager and never commit it to git
  • Grant the minimum Play Console permissions needed (use Release scope only)
  • Rotate service account keys at least annually and maintain one key per environment
  • Verify permissions propagation by waiting 5–10 minutes before testing deployments
  • Use repository protection and environment rules for production deployment workflows

Example use cases

  • Create a playstore-deploy service account and download the JSON key for CI runners
  • Enable Google Play Android Developer API for a new Cloud project and link it to the Play Console
  • Populate GitHub secrets: SERVICE_ACCOUNT_JSON_PLAINTEXT and signing key values for automated releases
  • Verify that the service account email matches playstore-deploy@PROJECT_ID.iam.gserviceaccount.com before granting access
  • Troubleshoot common errors like missing billing or wrong project selection during API enablement

FAQ

What should I do if the Play Console does not show the service account?

Wait 1–2 minutes for propagation, refresh the page, and clear the browser cache. Confirm the Cloud project linked matches the project where the service account exists.

How do I safely add the JSON key to GitHub secrets?

Open the JSON file, copy the entire plaintext contents (including braces), and paste it into a new Actions secret named SERVICE_ACCOUNT_JSON_PLAINTEXT. Do not base64-encode it and never log the value.