Environment variables

firebase secrets pattern

We provide secrets through the CLI tool:

firebase functions:secrets:set ABC_API_KEY

We then set a secret whitelist for each function, allowing it to access the given secrets:

const options: CallableOptions = {
    region: "europe-west1",
    secrets: ["ABC_API_KEY"],
}

onCall<ReqData, Promise<ResData>>(options, async (request) => {
    const abcKey = process.env.ABC_API_KEY
})

const options = { secrets: ["ABC_API_KEY"] }

onRequest(options, (req, res) => {
    const abcKey = process.env.ABC_API_KEY
})

debug secrets

We list the project's secrets:

gcloud secrets list --project <PROJECT_ID>

.env file pattern

The .env file pattern is worse. It is fine for local debugging. We set the env variables in a non versioned .env file.

ABC_API_KEY=xxx

On deploy, the .env file is automatically detected and deployed along functions. See env-variables docs

The way to access is the same: we read process.env within cloud functions

process.env

firebase secrets pattern

We provide secrets through the CLI tool:

firebase functions:secrets:set ABC_API_KEY

We then set a secret whitelist for each function, allowing it to access the given secrets:

const options: CallableOptions = { region: "europe-west1", secrets: ["ABC_API_KEY"], } onCall<ReqData, Promise<ResData>>(options, async (request) => { const abcKey = process.env.ABC_API_KEY })

const options = { secrets: ["ABC_API_KEY"] } onRequest(options, (req, res) => { const abcKey = process.env.ABC_API_KEY })

debug secrets

We list the project's secrets:

gcloud secrets list --project <PROJECT_ID>

.env file pattern

The .env file pattern is worse. It is fine for local debugging. We set the env variables in a non versioned .env file.

ABC_API_KEY=xxx

On deploy, the .env file is automatically detected and deployed along functions. See env-variables docs

The way to access is the same: we read process.env within cloud functions

process.env