I’m building a backend using Firebase Cloud Functions for a React Native app, and I need to securely store API keys. I’ve seen in the Firebase docs that Google recommends using Secret Manager, but since Secret Manager is a paid service, I’m looking for alternative approaches to keep costs low.
My setup is as follows:
The API keys would only be accessed within Firebase Cloud Functions and not exposed client-side.
The React Native app calls the Firebase functions, which in turn use the API keys server-side.
Given this setup, I’m considering using an .env file inside the functions/ directory to store the keys, which would then be accessed via process.env in my code.
Questions:
Is storing sensitive information in an .env file within Firebase Cloud Functions a secure enough approach?
Are there potential security risks or deployment pitfalls I should be aware of when using .env files in this context?
Would using Secret Manager still be advisable here, despite the cost?
Any advice or best practices would be really appreciated. Thanks!
2 Answers
You’ll need to be specific about what type of abuse angle(s) you want to be protected against.
For example:
- .env file that you put on your GCP environment, then anyone with access to that environment can access your API keys. Is that a concern for you?
- .env file as client-side access does not allow seeing the files on the server (neither the source code for your Cloud Functions, nor any other files you deploy there) unless you specifically provide such access yourself.

Firebase says to use Parameterized configuration along with Cloud Secret Manager. If you want free free, Hashicorp Vault offers a community edition server that you can run yourself and this would act as your Cloud Secret Manager service (for "free").
Source: Hashicorp Vault offers a free community edition server that you can self-host/run.
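The first answer's caveat (everything in functions/.env is readable by whoever can view the deployed function source in the GCP project) and the second answer's pointer to parameterized configuration, as an added example that is not from the question or either answer: a pre-deploy check that parses functions/.env and flags secret-looking entries so they can be moved to Secret Manager-backed parameters. The parser, the heuristics and thresholds, and the sample file are assumptions of this example; `defineSecret` is Firebase's parameterized-configuration API for Secret Manager.

```javascript
// Added example, not code from the question or either answer. Firebase deploys
// functions/.env with the function source, so anyone who can view that source in the
// GCP project can read every value in it. This pre-deploy check flags entries that look
// like API keys so they can move to defineSecret(). Thresholds and sample are constructed.
// Minimal dotenv-style parser: KEY=VALUE per line, '#' comments, optional quotes.
function parseDotenv(text) {
  const entries = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue; // malformed line without a key
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    entries[key] = value;
  }
  return entries;
}
// Shannon entropy in bits per character: random keys score high, words score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}
// Heuristic: secret-looking name, or a long value with near-random content.
const SECRET_NAME = /(SECRET|KEY|TOKEN|PASS(WORD)?|CREDENTIAL|PRIVATE)/i;
function isSecretLike(key, value) {
  if (SECRET_NAME.test(key)) return true;
  return value.length >= 20 && shannonEntropy(value) > 3.5;
}
// Names that must not ship in .env; fail the deploy script when this is non-empty.
function findSecretLikeEntries(entries) {
  return Object.entries(entries).filter(([k, v]) => isSecretLike(k, v)).map(([k]) => k);
}
// Constructed sample of a functions/.env about to be deployed (no real keys).
const SAMPLE_ENV = [
  "# constructed sample",
  "REGION=us-central1",
  'THIRD_PARTY_API_KEY="sk_test_0123456789abcdefghij"',
  "VENDOR_CLIENT_ID=x7Qp9vL2mN4wR8tY6uZ1aB3cD5eF", // flagged by entropy, not by name
].join("\n");
// Every name returned here belongs in defineSecret() rather than in .env.
function checkSample() {
  return findSecretLikeEntries(parseDotenv(SAMPLE_ENV));
}
```

In a real project, read functions/.env with fs.readFileSync in a predeploy script and abort the deploy when the returned list is non-empty.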