skip to Main Content

I’m building a backend using Firebase Cloud Functions for a React Native app, and I need to securely store API keys. I’ve seen in the Firebase docs that Google recommends using Secret Manager, but since Secret Manager is a paid service, I’m looking for alternative approaches to keep costs low.

My setup is as follows:

The API keys would only be accessed within Firebase Cloud Functions and not exposed client-side.
The React Native app calls the Firebase functions, which in turn use the API keys server-side.
Given this setup, I’m considering using an .env file inside the functions/ directory to store the keys, which would then be accessed via process.env in my code.

Questions:

Is storing sensitive information in an .env file within Firebase Cloud Functions a secure enough approach?
Are there potential security risks or deployment pitfalls I should be aware of when using .env files in this context?
Would using Secret Manager still be advisable here, despite the cost?
Any advice or best practices would be really appreciated. Thanks!

2

Answers


  1. You’ll need to be specific what type of abuse angle(s) you want to be protected against.

    For example:

    • If you keep the API keys in a .env file that you put on your GCP environment, then anyone with access to that environment can access you API keys.
      Is that a concern for you?

      • If so, then the approach is not secure enough to address your concerns.
      • If it isn’t, then the approach is secure enough against that specific concern.
    • If you concern is if somebody with only client-side access to the Cloud Functions can access the API keys, then the answer is "no" in both cases: with either secret manager or a .env file as client-side access does not allow seeing the files on the server (neither the source code for your Cloud Functions, nor any other files you deploy there) unless you specifically provide such access yourself.
    Login or Signup to reply.
  2. Firebase says to use Parameterized configuration along w Cloud Secret Manager. If you want free free, Hashicorp Vault offer a community edition server that you can run yourself and this would act as your Cloud Secret Manager service (for "free").

    Often you’ll need additional configuration for your functions, such as
    third-party API keys or tuneable settings.

    You can choose between these options:

    • Parameterized configuration (recommended for most scenarios).
    • File-based configuration of environment variables.

    For most use cases, parameterized configuration is recommended.

    source

    Hashicorp Vault offers a free community edition server that you can self host/run.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search