google-cloud-functions google-secret-manager

Is it safe to store something like secrets in Firebase config?


In Cloud Functions, is it better to use the firebase config command and then use (for example: functions.config().stripe.secret_key), or Google Secret Manager? From the documentation I can't tell; I only understood that the only thing not to use is the local env and that firebase functions config is actually server-side, so nothing is exposed.


Solution

  • In addition to @John Hanley's comment, storing environment variables in .env files is not recommended as it is not a secure way to store sensitive information such as API keys, credentials, passwords, certificates, and other sensitive data that could be decoded.

    Environment variables stored in .env files can be used for function configuration, but you should not consider them a secure way to store sensitive information such as database credentials or API keys. This is especially important if you check your .env files into source control.

    To help you store sensitive configuration information, Cloud Functions for Firebase integrates with Google Cloud Secret Manager. This encrypted service stores configuration values securely, while still allowing easy access from your functions when needed.

    It is recommended to create and use a secret manager to secure your sensitive information. You can check this documentation on configuring your environment and storing and accessing sensitive configuration information for Firebase.

    You can check this documentation on Secret Manager for more details on how to manage and secure your secret.
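
An added example (not part of the original answer or of the Firebase documentation): a small Node.js check that flags secret-looking entries in a functions `.env` file before it is checked into source control, the risk the answer describes. The sample file contents, the function names and the key-name heuristic are constructed assumptions.

```javascript
// Added example: flag secret-looking entries in a functions/.env file.
// The sample content and every value in it are constructed, not real keys.
const SAMPLE_ENV = `
# functions/.env (constructed sample)
PLANET=Earth
AUDIENCE="Humans"
STRIPE_SECRET_KEY=sk_test_CONSTRUCTED_PLACEHOLDER
export DB_PASSWORD='constructed-password'
API_BASE_URL=https://api.example.com
PUBLIC_SITE_KEY=
`;

// Heuristic: key names that usually denote credentials (an assumption; tune per project).
const SECRET_NAME = /(SECRET|PASSWORD|PASSWD|TOKEN|CREDENTIAL|PRIVATE_KEY|API_?KEY)/i;

// Parse dotenv text into [{ line, key, value }], skipping comments and blank lines.
function parseDotenv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = raw.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) return; // comment, blank line, or not a KEY=VALUE assignment
    let value = m[2].trim();
    const quoted = value.match(/^(['"])(.*)\1$/);
    if (quoted) value = quoted[2];
    else value = value.replace(/\s+#.*$/, ""); // drop trailing comment on unquoted values
    entries.push({ line: i + 1, key: m[1], value });
  });
  return entries;
}

// Return entries that hold a non-empty value under a secret-looking name.
function findSecretsInEnv(text) {
  return parseDotenv(text)
    .filter((e) => e.value !== "" && SECRET_NAME.test(e.key))
    .map((e) => ({ line: e.line, key: e.key })); // never echo the value itself
}

for (const f of findSecretsInEnv(SAMPLE_ENV)) {
  console.log(`line ${f.line}: ${f.key} looks like a secret; keep it out of .env`);
}
```

Entries it reports are the ones to create in Secret Manager (for example with `firebase functions:secrets:set NAME`) rather than commit in `.env`.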