firebasegoogle-cloud-platformgoogle-cloud-functionsenvironment-variablesgoogle-secret-manager

Is it secure to use an .env file to store API keys in Firebase Cloud Functions instead of Google Secret Manager?


I'm building a backend using Firebase Cloud Functions for a React Native app, and I need to securely store API keys. I’ve seen in the Firebase docs that Google recommends using Secret Manager, but since Secret Manager is a paid service, I'm looking for alternative approaches to keep costs low.

My setup is as follows:

The API keys would only be accessed within Firebase Cloud Functions and not exposed client-side. The React Native app calls the Firebase functions, which in turn use the API keys server-side. Given this setup, I’m considering using an .env file inside the functions/ directory to store the keys, which would then be accessed via process.env in my code.

Questions:

Is storing sensitive information in an .env file within Firebase Cloud Functions a secure enough approach? Are there potential security risks or deployment pitfalls I should be aware of when using .env files in this context? Would using Secret Manager still be advisable here, despite the cost? Any advice or best practices would be really appreciated. Thanks!


Solution

  • You'll need to be specific what type of abuse angle(s) you want to be protected against.

    For example: