Is it possible to retrieve Firebase Cloud Function source code?

Question

I'm writing some Firebase Cloud Functions but I have need to hide a private key, including from Firebase project admins.

If I embedded this key into my source code and uploaded the code myself, would it be possible for anyone to retrieve the source code and thus the key? Either via Firebase or Google?

Many thanks

Answer 1

Answering precisely to your question: Yes, they can.

The step by step to achieve that is relatively simple

1. Go into the GCP Functions page
2. Select the function you want to inspect
3. Click on source (From there you should be able to see all the files and the code used by that function), or;
4. Click on variables (From there you should see all environment variables used by your function)

If people being able to see env variables is problematic to you, here's a way to make things more secure:

You can build on what you already and start encrypting those keys before adding them to the codebase or the environment variables. After that, you can use an encryption service such as KMS to decrypt those keys at runtime. In KMS itself you can have a stricter policy in there, only allowing yourself and the function to access that service.

Another great service from GCP is Google's Secret Manager