Search code examples
firebasegoogle-cloud-platformgoogle-cloud-functionsenvironment-variablesgoogle-secret-manager

Is it secure to use an .env file to store API keys in Firebase Cloud Functions instead of Google Secret Manager?


I'm building a backend using Firebase Cloud Functions for a React Native app, and I need to securely store API keys. I’ve seen in the Firebase docs that Google recommends using Secret Manager, but since Secret Manager is a paid service, I'm looking for alternative approaches to keep costs low.

My setup is as follows:

The API keys would only be accessed within Firebase Cloud Functions and not exposed client-side. The React Native app calls the Firebase functions, which in turn use the API keys server-side. Given this setup, I’m considering using an .env file inside the functions/ directory to store the keys, which would then be accessed via process.env in my code.

Questions:

Is storing sensitive information in an .env file within Firebase Cloud Functions a secure enough approach? Are there potential security risks or deployment pitfalls I should be aware of when using .env files in this context? Would using Secret Manager still be advisable here, despite the cost? Any advice or best practices would be really appreciated. Thanks!


Solution

  • You'll need to be specific what type of abuse angle(s) you want to be protected against.

    For example:

    • If you keep the API keys in a .env file that you put on your GCP environment, then anyone with access to that environment can access you API keys.
      Is that a concern for you?
      • If so, then the approach is not secure enough to address your concerns.
      • If it isn't, then the approach is secure enough against that specific concern.
    • If you concern is if somebody with only client-side access to the Cloud Functions can access the API keys, then the answer is "no" in both cases: with either secret manager or a .env file as client-side access does not allow seeing the files on the server (neither the source code for your Cloud Functions, nor any other files you deploy there) unless you specifically provide such access yourself.