How to Use Secrets in Firebase Functions Securely
To use secrets in Firebase Functions, store sensitive values using Firebase environment config or Google Secret Manager, then access them in your function code via `functions.config()` or the Secret Manager client. This keeps secrets out of your code and safe during deployment.
Syntax
Firebase Functions supports secrets in two main ways: environment configuration and Google Secret Manager. Use `firebase functions:config:set key=value` to set environment variables, then access them in code with `functions.config().key`. For Secret Manager, use the `@google-cloud/secret-manager` client to access secrets securely.
Example parts:
- `firebase functions:config:set`: sets secret values in environment config.
- `functions.config()`: reads environment config in your function.
- `SecretManagerServiceClient`: accesses secrets stored in Google Secret Manager.
```typescript
import * as functions from 'firebase-functions';
import {SecretManagerServiceClient} from '@google-cloud/secret-manager';

// Access environment config secret
const apiKey = functions.config().service.apikey;

// Access secret from Secret Manager
const client = new SecretManagerServiceClient();

async function getSecret() {
  const [version] = await client.accessSecretVersion({
    name: 'projects/PROJECT_ID/secrets/SECRET_NAME/versions/latest',
  });
  // The payload is a Buffer at runtime; toString() decodes it as UTF-8 by default
  const payload = version.payload?.data?.toString();
  return payload;
}
```
Example
This example shows how to set a secret API key using Firebase environment config and access it in a Firebase HTTPS function.
```typescript
import * as functions from 'firebase-functions';

// Access the secret API key from environment config
const apiKey = functions.config().service.apikey;

export const helloSecret = functions.https.onRequest((request, response) => {
  // Demonstration only: echoing the value confirms it was loaded.
  // A real handler must not return or log the secret.
  response.send(`Your secret API key is: ${apiKey}`);
});
```
Output
Your secret API key is: YOUR_API_KEY_VALUE
Common Pitfalls
Common mistakes when using secrets in Firebase Functions include:
- Not setting environment config before deploying, causing `functions.config()` to be empty.
- Committing secrets directly in code, risking exposure.
- Forgetting to redeploy functions after updating secrets.
- Using Secret Manager without proper IAM permissions, causing access errors.
Always keep secrets out of code and verify permissions.
```typescript
import * as functions from 'firebase-functions';

/* Wrong way: hardcoding secret in code */
const hardcodedApiKey = 'hardcoded-secret'; // Avoid this

/* Right way: use environment config */
const apiKey = functions.config().service.apikey; // Set with firebase functions:config:set
```
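Two of the pitfalls above, an empty `functions.config()` and missing IAM permissions on Secret Manager, can be turned into explicit failures instead of silent `undefined` values. The following TypeScript is an added example, not code from the original page or from Firebase: `requireConfigSecret`, `describeAccessError`, `loadSecret` and the `AccessFn` type are hypothetical helpers, and the Secret Manager call is injected so a stub can stand in for `SecretManagerServiceClient` offline.

```typescript
// Added example: helper names are hypothetical, not firebase-functions APIs.
// Shape of the accessSecretVersion call, so a stub can stand in when offline.
type AccessFn = (req: { name: string }) =>
  Promise<[{ payload?: { data?: Uint8Array | string | null } | null }]>;

// Read a dotted key such as "service.apikey" from the object returned by
// functions.config(); fail closed if it is missing or empty.
function requireConfigSecret(config: Record<string, unknown>, path: string): string {
  let node: unknown = config;
  for (const part of path.split('.')) {
    const isObject = node !== null && typeof node === 'object';
    node = isObject ? (node as Record<string, unknown>)[part] : undefined;
  }
  if (typeof node !== 'string' || node.length === 0) {
    throw new Error(`config key "${path}" is not set: set it, then redeploy`);
  }
  return node;
}

// Map gRPC status codes (5 = NOT_FOUND, 7 = PERMISSION_DENIED) to a message
// that names the secret resource but never contains a secret value.
function describeAccessError(err: unknown, name: string): string {
  const code = (err as { code?: number } | null)?.code;
  if (code === 7) {
    return `permission denied for ${name}: the function's service account ` +
      'needs roles/secretmanager.secretAccessor';
  }
  if (code === 5) return `secret or version not found: ${name}`;
  return `could not access ${name}`;
}

const secretCache = new Map<string, Promise<string>>();

// Fetch each secret once per function instance; failures are not cached.
function loadSecret(access: AccessFn, name: string): Promise<string> {
  let pending = secretCache.get(name);
  if (pending === undefined) {
    pending = access({ name })
      .catch((err: unknown) => { throw new Error(describeAccessError(err, name)); })
      .then(([version]) => {
        const data = version.payload?.data;
        if (data == null || data.length === 0) throw new Error(`empty payload: ${name}`);
        return typeof data === 'string' ? data : Buffer.from(data).toString('utf8');
      });
    pending.catch(() => secretCache.delete(name));
    secretCache.set(name, pending);
  }
  return pending;
}
```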
Quick Reference
| Command / Code | Purpose |
|---|---|
| firebase functions:config:set service.apikey="YOUR_API_KEY" | Set secret in environment config |
| functions.config().service.apikey | Access secret in function code |
| npm install @google-cloud/secret-manager | Install Secret Manager client |
| new SecretManagerServiceClient().accessSecretVersion() | Retrieve secret from Secret Manager |
| firebase deploy --only functions | Deploy functions with updated secrets |
Key Takeaways
Never hardcode secrets in your Firebase Functions code.
Use Firebase environment config or Google Secret Manager to store secrets securely.
Access secrets in code with `functions.config()` or the Secret Manager client.
Always set secrets before deploying and redeploy after updates.
Ensure proper IAM permissions when using Secret Manager.