
I'm not sure if I am misunderstanding something or if the Firebase docs contradict themselves.

Here it seems to suggest storing API keys in env variables: https://firebase.google.com/docs/functions/config-env

    For instance, to store the Client ID and API key for "Some Service", you might run:
    firebase functions:config:set someservice.key="THE API KEY" someservice.id="THE CLIENT ID"

But here it seems to say never to do it: https://firebase.google.com/support/guides/security-checklist#cloud_function_safety

    Cloud Function safety
    Never put sensitive information in a Cloud Function's environment variables
    Often in a self-hosted Node.js app, you use environment variables to contain sensitive information like private keys. Do not do this in Cloud Functions.

It is safe to store third-party API keys in Google Cloud environment variables. - Kevin M. Mansour
But the Firebase docs seem to be saying it isn't? firebase.google.com/support/guides/… - dgk112
I think the two links are different (I think, not sure), but I just found this: "When you use API keys in your Google Cloud Platform (GCP) applications, take care to keep them secure. ... Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree." Copied from this thread: support.google.com/googleapi/answer/…. - Kevin M. Mansour
Thanks for this. I think the links are different too, but it is difficult to be sure. I think I will use Secret Manager just in case; it seems intuitively safer than storing in plain text in the env variables. - dgk112
Happy to help. It is your opinion :) - Kevin M. Mansour

1 Answer


There isn't only one correct answer. Generally, storing critical/confidential data in plain text is a bad idea. It's better to use a dedicated service to store the secret, like Secret Manager.

However, you can imagine these use cases:

  • Your deployment is automatic and no human can access your Cloud Functions parameters (and env vars) -> Your secret is kept secure even if it is in plain text in the Cloud Functions env vars
  • Your secret is stored in Secret Manager, but all the team members (and more) have the Secret Manager Accessor role, and everyone can browse and see the secret in plain text. -> Even if you use Secret Manager, your IAM role policy breaks the security and the confidentiality of the secret; it's public for everyone!

Think about security globally. There are best practices, but if you focus only on one topic, you can create a bigger breach right beside it!
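The second bullet in the answer above is the condition worth checking for rather than assuming. The following is an added example, not code from the original question, answer or Firebase: a small Node.js audit that takes a Secret Manager IAM policy in the JSON shape printed by `gcloud secrets get-iam-policy SECRET_NAME --format=json` (a `bindings` array of `{role, members}` objects) and lists every member that holds `roles/secretmanager.secretAccessor` other than the function's own runtime service account. The two sample policies, the project name `my-project` and the service account address are constructed for the example; `findOverBroadSecretAccess` is the example's own helper, not an SDK call.

```javascript
// Added example (not from the original post): audit who can read a secret's
// payload. A non-empty result is exactly the "everyone can see the secret"
// situation the answer describes.

// The only role that matters for reading the payload (secretmanager.versions.access).
const SECRET_ACCESSOR = "roles/secretmanager.secretAccessor";

/**
 * Return every member holding the accessor role under `policy` that is not in
 * `allowedMembers` (normally just the function's runtime service account).
 *
 * @param {{bindings?: {role: string, members?: string[]}[]}} policy
 *   Parsed output of `gcloud secrets get-iam-policy NAME --format=json`.
 * @param {string[]} allowedMembers  IAM member strings, e.g. "serviceAccount:...".
 * @returns {string[]} sorted, de-duplicated list of offending members
 */
function findOverBroadSecretAccess(policy, allowedMembers) {
  const allowed = new Set(allowedMembers);
  const offenders = new Set();
  for (const binding of policy.bindings || []) {
    if (binding.role !== SECRET_ACCESSOR) continue;
    for (const member of binding.members || []) {
      // user:, group: and domain: grants hand the payload to every human listed;
      // allUsers / allAuthenticatedUsers make it readable by the public.
      if (!allowed.has(member)) offenders.add(member);
    }
  }
  return [...offenders].sort();
}

// Constructed sample: the identity the function runs as (1st-gen default SA shape).
const RUNTIME_SA = ["serviceAccount:my-project@appspot.gserviceaccount.com"];

// Constructed sample: the answer's second bullet, where the whole team got the
// accessor role alongside the function's service account.
const weakPolicy = {
  bindings: [
    {
      role: "roles/secretmanager.secretAccessor",
      members: [
        "group:developers@example.com",
        "user:alice@example.com",
        "serviceAccount:my-project@appspot.gserviceaccount.com",
      ],
    },
  ],
  etag: "BwXyz123",
  version: 1,
};

// Constructed sample: the corrected policy. Humans keep a metadata-only role
// (roles/secretmanager.viewer, no payload access); only the runtime SA can read.
const tightPolicy = {
  bindings: [
    {
      role: "roles/secretmanager.secretAccessor",
      members: ["serviceAccount:my-project@appspot.gserviceaccount.com"],
    },
    { role: "roles/secretmanager.viewer", members: ["group:developers@example.com"] },
  ],
  etag: "BwXyz124",
  version: 1,
};

console.log("weak  :", findOverBroadSecretAccess(weakPolicy, RUNTIME_SA));
console.log("tight :", findOverBroadSecretAccess(tightPolicy, RUNTIME_SA));
```

Feed it the real `gcloud` output instead of the constructed samples. Because IAM is inherited, a `roles/secretmanager.secretAccessor` binding set at project level (`gcloud projects get-iam-policy`) applies to every secret in the project, so run the same check against that policy too; a clean per-secret policy alone proves nothing.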