Initializing with environment variables only? #2043

Unanswered
minyoon asked this question in Q&A

Hi. I am using the Firebase Admin SDK to verify ID tokens on my backend server.

Firebase App (not admin) suggests it is okay to expose API keys: https://firebase.google.com/docs/projects/api-keys#api-keys-for-firebase-are-different. I suppose keys for the Admin SDK need more careful handling.

The current Firebase Admin SDK instructions suggest using a JSON private key file: https://firebase.google.com/docs/admin/setup#initialize-sdk
I don't feel comfortable committing such information to a repository for deployment.

Is there an official instruction for initializing the admin app with environment variables only? Also, which data from the private key file is critical/sensitive? Definitely private_key. But what about private_key_id or project_id?


Replies: 2 comments 5 replies


ServiceAccount only consists of projectId, privateKey, clientEmail, so these are sufficient API keys: https://github.com/firebase/firebase-admin-node/blob/master/src/app/credential.ts#L18-L22

My code looks like:

import { initializeApp, cert, ServiceAccount } from 'firebase-admin/app'
// see {@link https://stackoverflow.com/a/70281142}
// PRIVATE_KEY holds a JSON document such as {"privateKey":"-----BEGIN PRIVATE KEY-----\n..."},
// so JSON.parse() turns the "\n" escapes into the real newlines the PEM parser expects
const { privateKey } = JSON.parse(process.env.PRIVATE_KEY as string)
const serviceAccount: ServiceAccount = {
  privateKey,
  projectId: process.env.PROJECT_ID,
  clientEmail: process.env.CLIENT_EMAIL,
}
const firebaseAdminApp = initializeApp({
  // cert() is the modular equivalent of admin.credential.cert()
  credential: cert(serviceAccount),
})

--
JSON.parse() is used to handle FirebaseAppError: Failed to parse private key: Error: Invalid PEM formatted message.

2 replies

Thank you!

This is the only way that I was able to resolve the issue; in my current configuration with Next.js / Vercel (and I suspect most cloud / non-monolith configurations) using a JSON file is a lot more difficult to secure and avoid committing to version control. Frustrating how archaic Google / Firebase's Node.js / Web documentation typically is.


Thanks for posting this approach! After spending a lot of time troubleshooting, this finally solved the "Failed to parse private key: Error: Invalid PEM formatted message" error I was seeing.

In addition to the above, make sure that "BEGIN PRIVATE KEY"/"END PRIVATE KEY" actually contain spaces. Somehow I ended up with "-----BEGINPRIVATEKEY-----" and "-----ENDPRIVATEKEY-----" and only after adding spacing did the error get resolved.
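The two failure modes above (the `\n` escapes that never become real newlines, and a header typed as `-----BEGINPRIVATEKEY-----`) can be caught before the SDK ever sees the key. The following is an added example, not code from the discussion or from firebase-admin-node; the variable names `FIREBASE_PROJECT_ID`, `FIREBASE_CLIENT_EMAIL` and `FIREBASE_PRIVATE_KEY` and the function names are assumptions:

```typescript
// Added example (not project code): build the ServiceAccount object from
// environment variables and normalise the private key so the SDK's PEM
// parser accepts it. Env var names below are hypothetical.
interface ServiceAccountFromEnv {
  projectId: string;
  clientEmail: string;
  privateKey: string;
}

const PEM_HEADER = '-----BEGIN PRIVATE KEY-----';
const PEM_FOOTER = '-----END PRIVATE KEY-----';

// Accepts the three shapes a key ends up in after copy/paste into a dashboard:
//   1. the raw PEM with real newlines,
//   2. the PEM with literal "\n" sequences (most hosting UIs store it this way),
//   3. a JSON document such as {"privateKey":"-----BEGIN ..."} (the approach above).
function normalizePrivateKey(raw: string): string {
  let key = raw.trim();
  if (key.startsWith('{')) {
    const parsed = JSON.parse(key) as { privateKey?: string; private_key?: string };
    key = parsed.privateKey ?? parsed.private_key ?? '';
  } else if (key.startsWith('"')) {
    key = JSON.parse(key) as string; // a bare JSON string literal
  }
  key = key.replace(/\\n/g, '\n').trim(); // literal backslash-n -> newline
  // Fail with a specific message on header/footer typos instead of the SDK's
  // generic "Invalid PEM formatted message".
  if (!key.startsWith(PEM_HEADER) || !key.endsWith(PEM_FOOTER)) {
    throw new Error(`private key must start with "${PEM_HEADER}" and end with "${PEM_FOOTER}"`);
  }
  return key + '\n';
}

function serviceAccountFromEnv(env: Record<string, string | undefined>): ServiceAccountFromEnv {
  const required = ['FIREBASE_PROJECT_ID', 'FIREBASE_CLIENT_EMAIL', 'FIREBASE_PRIVATE_KEY'];
  const missing = required.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`missing environment variables: ${missing.join(', ')}`);
  }
  return {
    projectId: env.FIREBASE_PROJECT_ID as string,
    clientEmail: env.FIREBASE_CLIENT_EMAIL as string,
    privateKey: normalizePrivateKey(env.FIREBASE_PRIVATE_KEY as string),
  };
}

// With the SDK (not run here):
//   import { initializeApp, cert } from 'firebase-admin/app';
//   initializeApp({ credential: cert(serviceAccountFromEnv(process.env)) });
```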


If your server is on Google environment (GCP), initialize the SDK without parameters and the SDK will use the underlying attached service account details from the environment.

import { initializeApp } from 'firebase-admin/app';
// No credential argument: the SDK picks up the service account attached to the GCP runtime
const firebaseAdminApp = initializeApp();

On non-Google environments, you can set export GOOGLE_APPLICATION_CREDENTIALS="path-to/service-account-file.json" to use Application Default Credentials (ADC).

import { initializeApp, applicationDefault } from 'firebase-admin/app';
initializeApp({
 credential: applicationDefault(),
 projectId: '<FIREBASE_PROJECT_ID>',
});

Your sample code above is also fine if you want to load the private key from an environment variable. Always make sure to keep your service account credentials safe as service accounts give administrative access to your projects. Poorly managed service account keys can introduce security risks.

3 replies

It seems much harder / less conventional (at least to me) to secure a JSON file in non-monolith environments without committing to version control than it is to use environment variables which are (again, in my experience) more industry standard with a lot of established best practices for security and deployment.

Would be nice to have any documentation or Firebase recommended approach at all on using an environment variable approach for non-GCP environments rather than a json file.


Just want to thumbs up this—I'm really not sure how to securely store json credentials... I wish Firebase explained the recommended way for environment variables


Firebase Admin SDKs now support Workload Identity Federation and Service Account impersonation, which you can use on non-GCP environments: https://cloud.google.com/iam/docs/workload-identity-federation
