Skyes Over London LC
Drive + Env Setup
Home/AE Command Hub/Drive + Environment Setup
Internal setup page: this page exists so the owner/operator can configure the contractor packet upload system without hunting through docs or guessing which value goes where.
Required before live contractor packet uploads

Google Drive + Netlify env setup
for contractor paperwork storage.

The contractor onboarding form is already wired to a Netlify Function. That function can save W-9s, signed acknowledgments, optional ID files, payout profiles, and contractor packet summaries into your Google Drive. To make it work live, set four environment variables: GOOGLE_DRIVE_FOLDER_ID, GOOGLE_SERVICE_ACCOUNT_EMAIL, GOOGLE_PRIVATE_KEY, and CONTRACTOR_PACKET_ENCRYPTION_KEY_BASE64.

Start SetupCopy Value Map

Fast checklist

Do these steps in order. The Drive folder and service account must be connected before the upload function can save real files.

Owner/admin only
1. Create or choose a Google Cloud project. Open Google Cloud Console, create/select a project, then enable the Google Drive API for that project. Official docs: Google Cloud API getting started and Enable/disable APIs.
2. Create a service account. In Google Cloud, go to IAM & Admin → Service Accounts → Create service account. Name it something clear like skyes-contractor-packets. Official docs: Create service accounts.
3. Create a JSON key. Open the service account → Keys → Add key → Create new key → JSON. Download the file once and store it securely. Official docs: Create and delete service account keys.
4. Create a Drive folder for packets. In Google Drive, create a folder named Skyes AE Contractor Packets. Open it and copy the folder ID from the URL. Google Drive API treats folders as Drive files with the folder MIME type; official folder docs are here: Create and populate folders.
5. Share that folder with the service account. The service account has an email address ending in .iam.gserviceaccount.com. Share the Drive folder with that email as Editor. The upload function writes into that folder using the service account.
6. Generate the encryption key. Run the Node command below or use OpenSSL. This produces the 32-byte base64 key used to encrypt payout profile details before they are uploaded.
7. Add all four variables in Netlify. In Netlify, open your site → Site configuration → Environment variables → Add variables. Set the scope so Functions can access them. Netlify notes that environment variables are available to functions when the function scope is included. Official docs: Get started with environment variables and Environment variables and functions.
8. Redeploy and test. After adding variables, trigger a new deploy. Then open /ae-command-hub/onboarding.html, submit a test packet, and confirm a new folder appears inside your Drive packet folder.

Exactly what each variable means

Use this table when you are copying values into Netlify. Do not paste the entire JSON key into every variable. Only paste the matching field.

Value map
Netlify variableWhere to get itWhat it looks likeCommon mistake
GOOGLE_DRIVE_FOLDER_IDOpen your Drive folder and copy the folder ID from the URL after /folders/.1AbCDeFgHIjKlmNoPqRstUV...Do not paste the full folder URL. Paste only the ID.
GOOGLE_SERVICE_ACCOUNT_EMAILOpen the downloaded JSON key and copy the client_email value.skyes-contractor-packets@project-id.iam.gserviceaccount.comDo not use your Gmail address here.
GOOGLE_PRIVATE_KEYOpen the downloaded JSON key and copy the full private_key value.-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\nDo not remove the \n sequences. The included function converts them back into real line breaks.
CONTRACTOR_PACKET_ENCRYPTION_KEY_BASE64Generate a 32-byte base64 key using the command below.uM2...base64...=Do not invent a password. It must decode to exactly 32 bytes.

Generate the encryption key

The upload function uses AES-256-GCM and expects a base64 value that decodes to exactly 32 bytes. Node's official crypto documentation includes crypto.randomBytes(size), which generates cryptographically strong random data.

Copy one command

Node command

node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

Use this if Node is installed locally, in Codespaces, or in a Netlify/terminal environment.

OpenSSL command

openssl rand -base64 32

Use this if OpenSSL is available in your terminal.

Key rule: save this value in Netlify and nowhere public. If it leaks, generate a new key, update Netlify, redeploy, and treat old encrypted payout-profile files as needing the old key to decrypt.

Netlify setup path

Use the Netlify UI first. It is safer than hardcoding secrets in the repo. The function reads these values from process.env at runtime.

No secrets in Git

UI steps

  1. Open Netlify.
  2. Select the deployed Skyes Over London site.
  3. Open Site configuration.
  4. Open Environment variables.
  5. Add each variable from the value map.
  6. Mark secret/sensitive values as secret if your plan/UI exposes that option.
  7. Make sure the variables are available to Functions.
  8. Trigger a fresh deploy.

Variable names to add

GOOGLE_DRIVE_FOLDER_ID=
GOOGLE_SERVICE_ACCOUNT_EMAIL=
GOOGLE_PRIVATE_KEY=
CONTRACTOR_PACKET_ENCRYPTION_KEY_BASE64=

Do not commit these values to GitHub. Keep them in Netlify environment variables only.

Google Drive folder setup

The easiest reliable setup is to create the folder manually in your own Drive, then share it with the service account as Editor.

Folder ID walkthrough

Find the folder ID

Open the folder in Drive. The URL usually looks like this:

https://drive.google.com/drive/folders/FOLDER_ID_HERE

Copy only FOLDER_ID_HERE.

Share the folder

Click Share. Paste the service account email. Set it to Editor. Save.

Without this, the function will authenticate but fail to create folders/files.

Confirm upload path

Submit one test onboarding packet. You should see a child folder named like ae-YYYYMMDD... inside the Drive folder.

Google Drive upload docs explain API file uploads and Drive folder docs explain folder behavior.

Service account JSON cheat sheet

Open the JSON key file in a text editor. You are looking for these fields.

Do not upload this JSON publicly
{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "skyes-contractor-packets@your-project-id.iam.gserviceaccount.com",
  "client_id": "..."
}
Security warning: the service account private key is effectively a password for that service account. Store it in Netlify environment variables only, rotate it if it leaks, and do not paste it into chat, GitHub, public docs, screenshots, or emails.

Test checklist

Use this after Netlify redeploys.

Go / no-go

Pass conditions

  • /ae-command-hub/onboarding.html opens behind the protected login.
  • The form submits without a server error.
  • A new folder appears inside the Google Drive packet folder.
  • The folder contains the uploaded W-9 file.
  • The folder contains contractor-onboarding-summary.json.
  • The folder contains contractor-payment-profile.encrypted.json.
  • The folder contains contractor-agreement-acceptance.html.

If it fails

  • Missing environment variables: confirm all four names are spelled exactly.
  • Invalid private key: make sure GOOGLE_PRIVATE_KEY includes the full key and \n sequences.
  • Permission denied: share the Drive folder with the service account email as Editor.
  • Encryption key error: regenerate with the Node command and confirm it is base64 from 32 bytes.
  • Changes not taking effect: redeploy after updating Netlify variables.
Final owner note: this setup stores contractor tax and payout records. Keep Drive access restricted to ownership/admin staff only. Do not expose packet folders to AEs, clients, or public links.