I am developing a small firebase app and, as part of it, I have some backend functions that make calls to an API using an API key. To avoid storing the key in version control, I define it using defineString
in my functions index.ts
. However, I recently became aware of a different defineSecret
method. How big of a difference is there between the two and is it insecure to use defineString
for my API key?
This is covered in the documentation for v2 functions (emaphasis mine) (defineSecret is not available in v1 functions):
Parameters of type Secret, defined using defineSecret(), represent string parameters which have a value stored in Cloud Secret Manager. Instead of checking against a local .env file and writing a new value to the file if missing, secret parameters check against existence in Cloud Secret Manager, and interactively prompt for the value of a new secret during deployment.
Security is not a black or white issue. It's not inherently "insecure" to use defineString. Only you can discern how secure it is based on your own handling of the data it uses. If you're the only one who uses these strings and the data files where they are stored, then you might not have any problems. But if you have to share these strings and data with others in the same project, then you might have a problem. We have no idea what your situation is.
You might want to read up on Cloud Secret Manager to better understand the security problems it's meant to solve, the decide for yourself if it's a good idea to use it or not.