Avoid Security Risks: How to Properly Handle Secrets in Firebase Cloud Functions
Join developers getting comprehensive guides, code examples, optimization tips, and time-saving prompts to accelerate their development workflow.
No spam. Unsubscribe anytime.
Managing secrets properly is crucial when working with Firebase Cloud Functions. Hardcoding sensitive information like API keys or account credentials can lead to security vulnerabilities and breaches. Instead, Firebase provides a built-in way to securely store and retrieve secrets using Google Cloud Secret Manager.
In this guide, we will cover the four key pillars of managing secrets in Firebase:
By the end of this guide, you’ll be able to securely manage and use secrets in your Firebase project.
Before setting up secrets, identify which credentials or sensitive information should be stored securely. Common examples include:
For our example, we will use the following secrets:
CLOUDFLARE_API_KEYCLOUDFLARE_ACCOUNT_IDCLOUDFLARE_EMAILCLOUDFLARE_ZONE_IDOnce you have defined your secrets, you need to store them securely in Firebase. Use the following commands to add secrets to Google Cloud Secret Manager:
# Set up Cloudflare API Key
firebase functions:secrets:set CLOUDFLARE_API_KEY
# Set up Cloudflare Account ID
firebase functions:secrets:set CLOUDFLARE_ACCOUNT_ID
# Set up Cloudflare Email
firebase functions:secrets:set CLOUDFLARE_EMAIL
# Set up Cloudflare Zone ID
firebase functions:secrets:set CLOUDFLARE_ZONE_ID
When prompted, enter the appropriate values for each secret. These credentials will now be stored securely and accessible only to your Firebase Cloud Functions.
Once your secrets are set, you need to correctly call them in your Cloud Functions. You can retrieve secrets by specifying them in the function configuration using the secrets parameter.
Here’s an example of how to correctly reference secrets in a Firebase function:
import { onRequest } from "firebase-functions/v2/https";
export const test = onRequest({
region: "europe-west3", // Set preferred region to reduce latency
secrets: ["CLOUDFLARE_API_KEY", "CLOUDFLARE_ACCOUNT_ID", "CLOUDFLARE_EMAIL", "CLOUDFLARE_ZONE_ID"], // Bind all secrets to the function
}, async (request, response) => {
const result = await provisionSubdomain("katharina", "test_Old", "test_user", "test_site");
response.send(result);
});
This function binds all four secrets, ensuring they are available inside the function runtime.
One common mistake developers make is forgetting to explicitly pass secrets into their functions. If a secret is not included in the secrets array, it will not be accessible inside the function.
To avoid this, always specify secrets in the onRequest configuration:
secrets: ["CLOUDFLARE_API_KEY", "CLOUDFLARE_ACCOUNT_ID", "CLOUDFLARE_EMAIL", "CLOUDFLARE_ZONE_ID"]
Another mistake is to have duplicated environment variables in your .env file. Remove the duplicates to prevent npm run deploy from failing.
Meaning if you set CLOUDFLARE_ACCOUNT_ID to be a secret it cannot also be in .env file.
This ensures that your function can securely access the required credentials without exposing them in your source code.
Properly managing secrets in Firebase Cloud Functions enhances security and prevents accidental exposure of sensitive data. By following these steps—defining secrets, setting them in the cloud, correctly calling them, and explicitly passing them—you can ensure a robust and secure implementation.
Secure your functions today by implementing these best practices, and keep your Firebase applications safe from unauthorized access!