Firebase Functions: Where should I store api keys?

PreemPalver2
August 13, 2023
350 views
0 votes
2 Answers

I have a Firebase callable function that utilizes GoogleAuth to access androidpublisher.

In order to authenticate the request, I have to supply data from my service-account-google-play.json file which contains sensitive information

The question is, where should I store this file? right now it’s inside my functions folder which I deployed to Firebase, but that doesn’t seem secure.

I thought about storing the necessary variables such as private_key inside a .env file, but apparently, that isn’t safe either (???)

I heard about services, such as Cloud Secrets, but I don’t want to pay for a service that should be free.

How should I store my API keys without Cloud Secrets?

Code Sample:

exports.test = async ({payload}) => {
  const pathGoogleServiceAccount = process.env.GOOGLE_APPLICATION_CREDENTIALS; // the sensitive json path
  
  const jsonGoogleServiceAccount = await ReadFile(pathGoogleServiceAccount);
  
    const auth = new google.auth.GoogleAuth({
      credentials: {
          client_email: jsonGoogleServiceAccount.client_email,
          private_key: jsonGoogleServiceAccount.private_key, // the data I intend to store securely
      },
      scopes: ['https://www.googleapis.com/auth/androidpublisher'],
  });
}

Tags: firebase google-cloud-functions

Answers

- khaliahreber
- August 13, 2023 at 2:52 pm
- 0 votes
0
Storing of sensitive information such as API keys, private keys, and service account credentials stands as a crucial security contemplation within any application. During Cloud Secrets’ provision of a managed resolution for securely storing secrets, you have the option to examine alternative methods if the preference is to abstain from its use. Here lie a few selections to ponder:
1. Environment Variables:
  The mention of employing environment variables arises, and they can serve as a feasible choice if handled correctly. Nevertheless, in your instance, you are fetching the sensitive data from a JSON file, which might not exemplify the most optimal procedure for managing sensitive credentials. Instead, the setup of environment variables could pertain to individual values (such as client_email and private_key), in contrast to indicating a file path.
2. Firebase Configuration:
  Firebase furnishes a means to securely retain configuration values through the Firebase CLI. The command firebase functions:config:set becomes utilizable for defining configuration values for your functions. These values get stored securely and are accessible within your functions through the utilization of functions.config().
  
  To retain the content of your JSON file, encoding it in base64 format then initializing it as a configuration value becomes a requisite. Yet, keep in mind that this strategy might still harbor restrictions and plausible security considerations, thus warranting judicious employment.
3. Ciphered Data:
  The notion of encrypting the sensitive data and thereafter placing it within a secure repository emerges as a possibility. Nevertheless, this introduces intricacy and may not universally align with all scenarios. Should this avenue be taken, ensuring the proper management and safeguarding of the encryption keys becomes imperative.
4. Dedicated Backend Service:
  Another alternative involves the formulation of a dedicated backend service that oversees the sensitive data and interactions with the external service, such as the Android Publisher API. Through this approach, access to sensitive data can be restricted and maintained independently from your Firebase Functions codebase.
5. Utilization of Cloud Storage:
  Uploading the sensitive JSON file onto a secure location like Google Cloud Storage remains plausible. Following this, access to this storage bucket can be controlled to solely include the essential service accounts.
6. CI/CD Pipelines:
  For instances where continuous integration and deployment (CI/CD) pipelines are embraced, the injection of sensitive data into your functions during the deployment process becomes viable. Through this method, data is not stored directly within your codebase or environment variables.
Login or Signup to reply.

- DougStevenson
- August 13, 2023 at 3:36 pm
- 0 votes
0
right now it’s inside my functions folder which I deployed to firebase, but that doesn’t seem secure.

Unless you can say what the specific problem is, there isn’t a problem. End users won’t have access to the data in your functions deployment unless you manage to write code to expose it to the caller.

thought about storing the neccesary variables such as private_key inside a .env file, but apparently that isn’t safe either (???)

Same thing – unless you can say what the specific problem is, there isn’t a problem.

The problem you’re having right now is that you haven’t defined what "safe" or "secure" actually means for your application. Without a definition, it’s impossible to tell what’s suitable for your situation. If your goal is simply to keep some data out from public view, then you’re probably already doing that. But keep in mind that others with admin level access to your project will still be able to see what you’ve deployed.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.