Tags: amazon-web-services, firebase, aws-lambda, credentials, firebase-admin

Best way to store Firebase admin private key file for AWS lambda


I'm working with the Firebase Admin SDK in AWS. The first step is to initialize your app with the credentials file. The main problem I have is that Firebase expects a path to the JSON file with the credentials, not for you to just pass them in the request.

My issue is that I don't want to store the credentials file in the Lambda package, or within the Lambda layer, as that doesn't seem like the most secure option to me. Using AWS Secrets Manager would be ideal, but then I'd have to create that JSON file for every new Lambda container that spins up. This could be costly overall.

The last option I thought of was to store the credentials file in S3 and just block all access except from a certain Lambda. I'm not sure what the best option or best practice would be. Looking for some guidance.


Solution

  • AWS Lambda supports reading the secret only once, at initialization during the first invocation; the secret is stored in the execution environment and the next invocation can reuse it. That might help to decrease the number of calls, cost, and execution time while the secret is stored securely in Secrets Manager. You can find more information in the following blog post.

    https://aws.amazon.com/blogs/compute/securely-retrieving-secrets-with-aws-lambda

    An alternative is to use the Parameter Store; it is cheaper but also adds some extra execution time.
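
The fetch-once pattern described in the answer, as an added Python example (not code from the answer or from the linked AWS blog post). It assumes the Python runtime, a hypothetical secret name `firebase/admin-service-account` holding the full service-account JSON, and relies on `credentials.Certificate` in the Python Admin SDK accepting a dict as well as a file path, so no credentials file is created.

```python
import json

REQUIRED_KEYS = {"type", "project_id", "private_key", "client_email"}

# Module scope outlives a single invocation: a warm execution environment
# keeps this dict, so each secret is fetched once per environment.
_cache = {}


def fetch_from_secrets_manager(secret_id):
    """One GetSecretValue call; boto3 is bundled with the Lambda Python runtime."""
    import boto3  # lazy import so the module also loads where boto3 is absent
    client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def get_service_account(secret_id, fetch=fetch_from_secrets_manager):
    """Return the parsed service-account JSON, calling `fetch` only on a cache miss."""
    if secret_id not in _cache:
        info = json.loads(fetch(secret_id))
        found = set(info) if isinstance(info, dict) else set()
        missing = REQUIRED_KEYS - found
        if missing:
            # Name the missing fields only; never put the secret body in an error or log.
            raise ValueError(f"secret {secret_id!r} lacks fields: {sorted(missing)}")
        _cache[secret_id] = info
    return _cache[secret_id]


def handler(event, context):
    import firebase_admin
    from firebase_admin import credentials

    try:
        app = firebase_admin.get_app()  # reuse the app on warm invocations
    except ValueError:
        # Hypothetical secret name; scope the execution role's
        # secretsmanager:GetSecretValue permission to this one secret.
        info = get_service_account("firebase/admin-service-account")
        # Certificate() takes a dict as well as a path: nothing is written to /tmp.
        app = firebase_admin.initialize_app(credentials.Certificate(info))
    return {"project": app.project_id}
```

Passing a different `fetch` callable (for example one that reads a SecureString from Parameter Store) keeps the same caching behaviour.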