03. Identity & Service Accounts: Machine Identities
Status: Active / Evergreen Version: 1.0 (Feb 2026)
"Whose Keys are these? Official Inventory of Service Accounts and IAM Roles."
1. Unified Machine Identity (sysops@)
We use a single authoritative Google Workspace identity for all automated orchestration.
| Identity | Type | Purpose |
|---|---|---|
| sysops@singulardream.org | Workspace User | Owner of GCP Projects, Vercel Administrator, Namecheap API Holder. |
2. Service Account Inventory (GCP)
These are the non-human identities assigned to services for autonomous operations.
A. The Beast & Worker (firebase-adminsdk-fbsvc)
- Project: singular-dream-dev
- Purpose: Backend service execution, data orchestration, and cloud builds.
- Key Roles (Dev Project):
  - Cloud Run Admin: Manage services.
  - Artifact Registry Admin: Push/Pull images.
  - Cloud Build Editor: Submit builds.
  - Secret Manager Accessor: Read runtime secrets (fallback from Doppler).
  - Firebase Admin: Read/Write to Firestore.
B. Deployment Runner (gh-actions-runner)
- Purpose: CI/CD execution from GitHub.
- Key Roles (All Projects):
  - Service Account User: Act as the service accounts above during deployment.
  - Cloud Run Developer: Deploy new revisions.
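A practical way to keep this inventory honest is to diff it against the live IAM policy. The script below is an added example (not part of this page or the project's tooling): it reads a policy in the JSON shape that `gcloud projects get-iam-policy` returns and reports service accounts holding roles the inventory does not list (least-privilege drift), documented roles that are not actually granted, and identities the inventory does not know about. The mapping from the friendly role names above to GCP role IDs, the service-account e-mail addresses and the sample policy are assumptions constructed for the example.

```python
import json

PROJECT = "singular-dream-dev"
SA_DOMAIN = f"{PROJECT}.iam.gserviceaccount.com"  # assumed SA e-mail domain for the project

# Roles documented on this page for the dev project, mapped to GCP role IDs.
# The mapping from the page's friendly names to role IDs is an assumption.
EXPECTED = {
    f"firebase-adminsdk-fbsvc@{SA_DOMAIN}": {
        "roles/run.admin", "roles/artifactregistry.admin", "roles/cloudbuild.builds.editor",
        "roles/secretmanager.secretAccessor", "roles/firebase.admin",
    },
    f"gh-actions-runner@{SA_DOMAIN}": {"roles/iam.serviceAccountUser", "roles/run.developer"},
}

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# It deliberately contains one missing role, one excess role and one undocumented identity.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/run.admin", "members": [f"serviceAccount:firebase-adminsdk-fbsvc@{SA_DOMAIN}"]},
    {"role": "roles/artifactregistry.admin", "members": [f"serviceAccount:firebase-adminsdk-fbsvc@{SA_DOMAIN}"]},
    {"role": "roles/cloudbuild.builds.editor", "members": [f"serviceAccount:firebase-adminsdk-fbsvc@{SA_DOMAIN}"]},
    {"role": "roles/firebase.admin", "members": [f"serviceAccount:firebase-adminsdk-fbsvc@{SA_DOMAIN}"]},
    {"role": "roles/iam.serviceAccountUser", "members": [f"serviceAccount:gh-actions-runner@{SA_DOMAIN}"]},
    {"role": "roles/run.developer", "members": [f"serviceAccount:gh-actions-runner@{SA_DOMAIN}"]},
    {"role": "roles/owner", "members": ["user:sysops@singulardream.org", f"serviceAccount:gh-actions-runner@{SA_DOMAIN}"]},
    {"role": "roles/secretmanager.secretAccessor", "members": [f"serviceAccount:legacy-worker@{SA_DOMAIN}"]},
]})

def audit(policy_json, expected):
    """Return (kind, service_account, roles) findings: 'excess', 'missing' or 'undocumented'."""
    actual = {}
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            # Only service accounts are in scope here; users and groups are ignored.
            if member.startswith("serviceAccount:"):
                actual.setdefault(member.split(":", 1)[1], set()).add(binding["role"])
    findings = []
    for sa in sorted(set(actual) | set(expected)):
        have, want = actual.get(sa, set()), expected.get(sa)
        if want is None:  # identity with bindings that the inventory does not know about
            findings.append(("undocumented", sa, sorted(have)))
            continue
        if have - want:  # more privilege than documented: least-privilege drift
            findings.append(("excess", sa, sorted(have - want)))
        if want - have:  # documented role not actually granted: deployments will fail
            findings.append(("missing", sa, sorted(want - have)))
    return findings
```

To audit the live project, replace `SAMPLE_POLICY` with the output of `gcloud projects get-iam-policy singular-dream-dev --format=json`; an empty result from `audit()` means the inventory and the project agree.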
3. Secret Injection Strategy (Native GCP)
Doppler has been decommissioned. We now use Google Cloud Native primitives for secret management.
| Type | Mechanism | Lifecycle |
|---|---|---|
| Build Time | GitHub Secrets | GCP_SA_KEY injected into GitHub Actions for gcloud auth. |
| Runtime (Env) | Cloud Run Env Vars | Managed via Cloud Console (Variables & Secrets). |
| Runtime (Files) | Secret Manager Volumes | Mounted into /secrets if necessary (e.g., Service Account JSONs). |
4. Cloud Run Service Registry
We lock deployment identity using fixed Service Names to prevent drift.
| Service | Service Name | Project ID |
|---|---|---|
| Platform (Staging) | platform-stg | singular-dream-dev |
| Platform (Prod) | platform | singular-dream |
| Auth (Staging) | auth-stg | singular-dream-dev |
| Auth (Prod) | auth | singular-dream |
5. GitHub Secrets (The Primary Vault)
GitHub Secrets are now the primary vault for CI/CD authentication.
| Secret Name | Purpose | Sync Strategy |
|---|---|---|
| GCP_SA_KEY | Authenticates GitHub Actions to Google Cloud. | Manual (System Admin) |
| RESEND_API_KEY | Email communications (if used in workflows). | Manual |
| PUBLIC_DOCS_TOKEN | GitHub Pages deployment token. | Manual |
6. Environment Variables (Standard Mapping)
All applications follow the Standard 191 naming convention for environment variables.
| Variable | Scope | Description |
|---|---|---|
| NEXT_PUBLIC_ENVIRONMENT | Universal | dev, tst, stg, prd |
| NEXT_PUBLIC_AUTH_URL | Universal | URL of the Auth Service. |
| NEXT_PUBLIC_PLATFORM_URL | Universal | URL of the Platform Service. |
| FIREBASE_PROJECT_ID | Universal | The target GCP project. |
Version History
| Version | Date | Author | Change |
|---|---|---|---|
| 1.1.0 | 2026-02-09 | Antigravity | Added Vercel Project IDs and GitHub Secrets mapping |
| 1.0.0 | 2026-02-09 | Antigravity | Initial creation after Beast migration |