How to Securely Manage Secrets in Firebase Cloud Functions (6.3.2+)
Avoid Security Risks: How to Properly Handle Secrets in Firebase Cloud Functions

Introduction
Managing secrets properly is crucial when working with Firebase Cloud Functions. Hardcoding sensitive information like API keys or account credentials can lead to security vulnerabilities and breaches. Instead, Firebase provides a built-in way to securely store and retrieve secrets using Google Cloud Secret Manager.
In this guide, we will cover the four key pillars of managing secrets in Firebase:
- Defining Secrets
- Setting Secrets in the Cloud Console
- Correctly Calling Secrets in Functions
- Passing Secrets to Make Them Accessible
By the end of this guide, you’ll be able to securely manage and use secrets in your Firebase project.
1. Defining Secrets
Before setting up secrets, identify which credentials or sensitive information should be stored securely. Common examples include:
- API keys (e.g., Cloudflare API key)
- Account credentials (e.g., email and authentication tokens)
- Zone IDs or other environment-specific identifiers
For our example, we will use the following secrets:
CLOUDFLARE_API_KEY
CLOUDFLARE_ACCOUNT_ID
CLOUDFLARE_EMAIL
CLOUDFLARE_ZONE_ID
2. Setting Secrets in Firebase Cloud Console
Once you have defined your secrets, you need to store them securely in Firebase. Use the following commands to add secrets to Google Cloud Secret Manager:
# Set up Cloudflare API Key
firebase functions:secrets:set CLOUDFLARE_API_KEY
# Set up Cloudflare Account ID
firebase functions:secrets:set CLOUDFLARE_ACCOUNT_ID
# Set up Cloudflare Email
firebase functions:secrets:set CLOUDFLARE_EMAIL
# Set up Cloudflare Zone ID
firebase functions:secrets:set CLOUDFLARE_ZONE_ID
When prompted, enter the appropriate value for each secret. The values are now stored in Secret Manager and are available only to the Cloud Functions that explicitly bind them (see step 4).
3. Correctly Calling Secrets in Firebase Functions
Once your secrets are set, you need to correctly call them in your Cloud Functions. You can retrieve secrets by specifying them in the function configuration using the secrets parameter.
Here’s an example of how to correctly reference secrets in a Firebase function:
import { onRequest } from "firebase-functions/v2/https";

// provisionSubdomain is the application's own helper, defined elsewhere in the project (not shown here).
export const test = onRequest({
  region: "europe-west3", // Set preferred region to reduce latency
  // Bind all secrets to the function
  secrets: ["CLOUDFLARE_API_KEY", "CLOUDFLARE_ACCOUNT_ID", "CLOUDFLARE_EMAIL", "CLOUDFLARE_ZONE_ID"],
}, async (request, response) => {
  const result = await provisionSubdomain("katharina", "test_Old", "test_user", "test_site");
  response.send(result);
});
This function binds all four secrets, ensuring they are available inside the function runtime.
4. Passing Secrets to Make Them Accessible
One common mistake developers make is forgetting to explicitly pass secrets into their functions. If a secret is not included in the secrets array, it will not be accessible inside the function.
To avoid this, always specify secrets in the onRequest configuration:
secrets: ["CLOUDFLARE_API_KEY", "CLOUDFLARE_ACCOUNT_ID", "CLOUDFLARE_EMAIL", "CLOUDFLARE_ZONE_ID"]
Another mistake is defining the same name both as a secret and as an environment variable in your .env file. If you set CLOUDFLARE_ACCOUNT_ID as a secret, it cannot also appear in the .env file; remove the duplicate to prevent npm run deploy from failing.
Binding secrets explicitly and keeping them out of .env ensures that your function can securely access the required credentials without exposing them in your source code.
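Both mistakes described in this step can be caught mechanically. The following is an added example, not code from the original guide or from Firebase: it flags names that appear both in .env and in the secrets list before deploy, and fails fast at runtime when a secret is missing. The helper names (envNames, findConflicts, missingSecrets, loadSecrets) and the sample .env are hypothetical, and it assumes bound secrets are exposed to the function as process.env entries.

```javascript
// Added example: secret names mirror the ones used in this guide.
const REQUIRED_SECRETS = [
  "CLOUDFLARE_API_KEY",
  "CLOUDFLARE_ACCOUNT_ID",
  "CLOUDFLARE_EMAIL",
  "CLOUDFLARE_ZONE_ID",
];

// Extract variable names from .env text (skips comments and blank lines,
// tolerates a leading "export ").
function envNames(dotenvText) {
  const names = [];
  for (const raw of dotenvText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (m) names.push(m[1]);
  }
  return names;
}

// Pre-deploy check: names defined both as a secret and in .env.
function findConflicts(dotenvText, secrets) {
  const inEnv = new Set(envNames(dotenvText));
  return secrets.filter((name) => inEnv.has(name));
}

// Runtime check (assumption: bound secrets appear in process.env). A missing
// or empty entry means the name was left out of the secrets array or never set.
function missingSecrets(secrets, env = process.env) {
  return secrets.filter((name) => !env[name]);
}

// Fail fast, reporting only secret names, never their values.
function loadSecrets(secrets, env = process.env) {
  const missing = missingSecrets(secrets, env);
  if (missing.length > 0) {
    throw new Error(`Secrets not available to this function: ${missing.join(", ")}`);
  }
  return Object.fromEntries(secrets.map((name) => [name, env[name]]));
}

// Constructed sample .env containing one name that duplicates a secret.
const SAMPLE_DOTENV = `# constructed sample
APP_REGION=europe-west3
export CLOUDFLARE_ACCOUNT_ID=placeholder-value
`;
```

Run findConflicts against your real .env as a pre-deploy step, and call loadSecrets(REQUIRED_SECRETS) at the top of the handler so a missing binding surfaces as a clear error instead of an undefined credential.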
Conclusion
Properly managing secrets in Firebase Cloud Functions enhances security and prevents accidental exposure of sensitive data. By following these steps—defining secrets, setting them in the cloud, correctly calling them, and explicitly passing them—you can ensure a robust and secure implementation.
Secure your functions today by implementing these best practices, and keep your Firebase applications safe from unauthorized access!