I followed the instructions in this tutorial in order to initialize firebase-admin with environment variables, instead of hard-coded service account keys.
I added an .env file and placed my service account json accordingly:
GOOGLE_APPLICATION_CREDENTIALS=.service-accounts/development.json
Then I initialized the SDK in the following manner:
import * as admin from 'firebase-admin';
admin.initializeApp({
credential: admin.credential.applicationDefault()
});
Finally, I made sure to add the .service-account directory to my .gitignore:
.service-accounts/
However, when I merged my branch and ran my GitHub workflow that deploys my functions , I realized that it's going to fail because it won't be able to find the service accounts because they are not present in the repo.
How can I pass a service account, stored as a GitHub secret, to the admin initialization function so that I can still use applicationDefault()?
If that's not possible, what's the alternative?
After some additional research, I found a solution in the official docs, although it doesn't necessarily answer the exact question I initially asked.
Anyway, it turned out that when you're deploying to Firebase/GCP, you don't have to specify a service account at all:
Once you have created a Firebase project, you can initialize the SDK with Google Application Default Credentials. Because default credentials lookup is fully automated in Google environments, with no need to supply environment variables or other configuration, this way of initializing the SDK is strongly recommended for applications running in Google environments such as Cloud Run, App Engine, and Cloud Functions.
So all you need to do is call initializeApp():
import * as admin from 'firebase-admin';
admin.initializeApp();