How does one set private environment variables on Firebase hosting?

Question

With Divshot shutting down recently, I've switched a number of applications over to Firebase hosting. Some of these apps connect to external APIs, so I need a way to store private environment variables (for example, a secret key for S3 access) on Firebase hosting - anyone have any ideas? There's this article - https://www.firebase.com/blog/2015-10-29-managing-development-environments.html - but that's only for non-private environment variables.

Thanks!

Answer 1

Firebase Hosting can not store private environment variables. It is for static hosting only. If you want to use a private variable, you will need to do that server side.

If you want a "Firebase way" to handle secrets, you can use Firebase Cloud Functions, and set an environment variable in cloud functions. Here is the link to the documentation on how to do so: https://firebase.google.com/docs/functions/config-env

If you don't have cloud functions added to your Firebase hosting you can do so via the Firebase cli tools:

firebase init functions npm install --save firebase-functions@latest npm install -g firebase-tools 

More about that here: https://firebase.google.com/docs/hosting/functions

In order to set environment variables in cloud functions, you can do so from the command line as well like so:

firebase functions:config:set someservice.key="THE API KEY" someservice.id="THE CLIENT ID" 

You can then access the variables from a function like so:

const functions = require('firebase-functions'); const request = require('request-promise');  exports.userCreated = functions.database.ref('/users/{id}').onWrite(event => {   let email = event.data.child('email').val();    return request({     url: 'https://someservice.com/api/some/call',     headers: {       'X-Client-ID': functions.config().someservice.id,       'Authorization': `Bearer ${functions.config().someservice.key}`     },     body: {email: email}   }); }); 

Answer 2

You could try out Google's Secret Manager API.

The reasons why this is more secure than storing it as environment variables in Firebase Cloud Functions are:

1. The Secret Manager API enforces the principle of least privilege. This means that you can restrict access to the secrets and hence only allow authorized users to view/edit the secrets.
2. The secrets are encrypted using AES-256.
3. There is an audit logging feature that you can use for anomaly detection.

For more examples of the source codes, you can have a look at the Google Cloud's Secret Manager NPM Package Documentation here.

Hope that it helps!