Initializing with environment variables only?

[minyoon]

Hi. I am using firebase admin SDK to verify ID Token on my backend server.

Firebase App (not admin) suggests it is okay to expose API keys: https://firebase.google.com/docs/projects/api-keys#api-keys-for-firebase-are-different. I suppose keys for admin SDK need more careful handling.

The current Firebase Admin SDK instruction suggests using a JSON private key file: https://firebase.google.com/docs/admin/setup#initialize-sdk
I don't feel comfortable with committing such information in a repository for deployment

Is there an official instruction to initialize the admin app only with environment variable? Also, what are the critical/sensitive data from the private key file? Definitely private_key. But how about private_key_id or project_id?

[minyoon]

ServiceAccount only consists of projectId, privateKey, clientEmail, so these are sufficient API keys: https://github.com/firebase/firebase-admin-node/blob/master/src/app/credential.ts#L18-L22

My code looks like:

import { initializeApp, ServiceAccount } from 'firebase-admin/app'

// see {@link https://stackoverflow.com/a/70281142}
const { privateKey } = JSON.parse(process.env.PRIVATE_KEY)

const serviceAccount: ServiceAccount = {
  privateKey,
  projectId: process.env.PROJECT_ID,
  clientEmail: process.env.CLIENT_EMAIL,
}

const firebaseAdminApp = initializeApp({
  credential: firebaseAdmin.credential.cert(serviceAccount)
})

--
JSON.parse() to handle FirebaseAppError: Failed to parse private key: Error: Invalid PEM formatted message.

[JS-GitRepo]

Thank you!

This is the only way that I was able to resolve the issue; in my current configuration with Next.js / Vercel (and I suspect most cloud / non-monolith configurations) using a JSON file is a lot more difficult to secure and avoid committing to version control. Frustrating how archaic Google / Firebase's Node.js / Web documentation typically is.

[rfinni]

Thanks for posting this approach! After spending a lot of time troubleshooting, this finally solved the "Failed to parse private key: Error: Invalid PEM formatted message" error I was seeing.

In addition to the above, make sure that "BEGIN PRIVATE KEY"/"END PRIVATE KEY" actually contain spaces. Somehow I ended up with "-----BEGINPRIVATEKEY-----" and "-----ENDPRIVATEKEY-----" and only after adding spacing did the error get resolved.

[lahirumaramba]

If your server is on Google environment (GCP), initialize the SDK without parameters and the SDK will use the underlying attached service account details from the environment.

const firebaseAdminApp = initializeApp();

On non-Google environments, you can set export GOOGLE_APPLICATION_CREDENTIALS="path-to/service-account-file.json" to use Application Default Credentials (ADC).

import { initializeApp, applicationDefault } from 'firebase-admin/app';

initializeApp({
  credential: applicationDefault(),
  projectId: '<FIREBASE_PROJECT_ID>',
});

Your sample code above is also fine if you want to load the private key from an environment variable. Always make sure to keep your service account credentials safe as service accounts give administrative access to your projects. Poorly managed service account keys can introduce security risks.

[JS-GitRepo]

It seems much harder / less conventional (at least to me) to secure a JSON file in non-monolith environments without committing to version control than it is to use environment variables which are (again, in my experience) more industry standard with a lot of established best practices for security and deployment.

Would be nice to have any documentation or Firebase recommended approach at all on using an environment variable approach for non-GCP environments rather than a json file.