
I'm writing some Firebase Cloud Functions, but I need to hide a private key, including from Firebase project admins.

If I embedded this key into my source code and uploaded the code myself, would it be possible for anyone to retrieve the source code and thus the key? Either via Firebase or Google?

Many thanks

Alistair Lowe

3 Answers


The code for your Cloud Functions is never accessible to users of your app.

It is, however, accessible to the collaborators on your Firebase project. See Get code from firebase console which I deployed earlier.

I don't think there's any way to hide such configuration values from collaborators. Since they can see/deploy code, and the code needs access to this private key, they by definition have access to the key too.

Frank van Puffelen

Maybe setting an environmental variable:

Official Doc

cutiko

I don't see any mention of it in the documentation; at the bottom there are a couple of extra commands, but none does the getEnviromentals... I have worked with environmental variables in other places like Heroku, and from that experience I can tell that you can't get them back, which is why it is relatively safe. This way different people (using Amazon, for example) can use personal keys for local development and production gets special keys. Please be aware that part of security is also to rotate keys. – cutiko Jul 26 '17 at 16:34

Answering precisely to your question: Yes, they can.

The step-by-step to achieve that is relatively simple:

  1. Go into the GCP Functions page
  2. Select the function you want to inspect
  3. Click on source (From there you should be able to see all the files and the code used by that function), or;
  4. Click on variables (From there you should see all environment variables used by your function)

If that approach seems problematic to you, here's a way to make things more secure:

You can build on what you already have and start encrypting those keys before adding them to the codebase or the environment variables. After that, you can use an encryption service such as KMS to decrypt those keys at runtime. In KMS itself you can set a stricter policy, allowing only yourself and the function to access that service.

Jean Costa