I have a Node.js server with Firebase Admin. I am now confused as to how to have the credentials ready in my GitHub or anywhere when I want to host my server. In the Firebase docs they explicitly recommend using

```sh
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"
```

which doesn't make any sense in a production environment, as you cannot commit this file to GitHub and you cannot deploy it as is (especially if you use GitHub to build your image and deploy that). So what is the common practice in this case? How do I get my credentials when deploying the server?
1

Nikola-Milovic
Hey, never push your credentials file to GitHub; use this library instead: https://www.npmjs.com/package/google-credentials-helper. Let me know if it was helpful. – Inzamam Malik Mar 06 '22 at 20:04
2 Answers
2
I usually use environment variables with values I pulled from the service account file:
```sh
FIREBASE_ADMIN_PRIVATE_KEY_ID='b819266b01e17ec23a63564d8c602d0fd729ecdf'
FIREBASE_ADMIN_PRIVATE_KEY='-----BEGIN PRIVATE KEY-----xxx'
FIREBASE_ADMIN_CLIENT_EMAIL='xxx@xxx.iam.gserviceaccount.com'
FIREBASE_ADMIN_CLIENT_ID='xxx'
FIREBASE_ADMIN_AUTH_PROVIDER_X509_CERT_URL='https://www.googleapis.com/oauth2/v1/certs'
FIREBASE_ADMIN_CLIENT_X509_CERT_URL='https://www.googleapis.com/robot/v1/metadata/x509/xxx.iam.gserviceaccount.com'
```
The rest is included in the client-side config so it's safe to check into source control:
```ts
import type { ServiceAccount } from 'firebase-admin/app';

// Non-secret fields are literals; secret fields are read from the environment.
const serviceAccount = {
  'type': 'service_account',
  'project_id': 'your-project-id',
  'private_key_id': process.env.FIREBASE_ADMIN_PRIVATE_KEY_ID,
  // See: https://stackoverflow.com/a/50376092/3403247.
  // The variable stores the PEM with literal "\n" sequences; restore real newlines.
  'private_key': (process.env.FIREBASE_ADMIN_PRIVATE_KEY as string).replace(/\\n/g, '\n'),
  'client_email': process.env.FIREBASE_ADMIN_CLIENT_EMAIL,
  'client_id': process.env.FIREBASE_ADMIN_CLIENT_ID,
  'auth_uri': 'https://accounts.google.com/o/oauth2/auth',
  'token_uri': 'https://oauth2.googleapis.com/token',
  'auth_provider_x509_cert_url': process.env.FIREBASE_ADMIN_AUTH_PROVIDER_X509_CERT_URL,
  'client_x509_cert_url': process.env.FIREBASE_ADMIN_CLIENT_X509_CERT_URL,
} as ServiceAccount;
```
Then initialize the app:
```ts
import { initializeApp, cert } from 'firebase-admin/app';

// Build the credential from the object assembled above.
const app = initializeApp({ credential: cert(serviceAccount) });
```

sleighty
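A startup check for the environment-variable approach in the answer above, as an added example that is not part of the original post or of the Firebase SDK: it fails fast when a variable is missing or the private key was mangled by quoting, and it names the variable without echoing its value. `loadServiceAccount`, `REQUIRED`, `SAMPLE_ENV` and the `projectId` parameter are hypothetical names, and the sample values are constructed.

```javascript
// Added example: env variable names follow the answer above; loadServiceAccount,
// REQUIRED and SAMPLE_ENV are hypothetical names, and the values are constructed.
const REQUIRED = {
  private_key_id: 'FIREBASE_ADMIN_PRIVATE_KEY_ID',
  private_key: 'FIREBASE_ADMIN_PRIVATE_KEY',
  client_email: 'FIREBASE_ADMIN_CLIENT_EMAIL',
  client_id: 'FIREBASE_ADMIN_CLIENT_ID',
};

function loadServiceAccount(env, projectId) {
  // Report missing variables by name only, so secrets never reach the logs.
  const missing = Object.values(REQUIRED).filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`Missing credential variables: ${missing.join(', ')}`);
  }
  // Dashboards and .env files usually hold the PEM with literal "\n" pairs;
  // restore real newlines before the key is handed to the SDK.
  const privateKey = env[REQUIRED.private_key].replace(/\\n/g, '\n');
  const pem = /^-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+\/=\n]+\n-----END PRIVATE KEY-----\n?$/;
  if (!pem.test(privateKey)) {
    throw new Error(`${REQUIRED.private_key} is not a PEM private key (check quoting/newlines)`);
  }
  if (!/^[^@\s]+@[^@\s]+\.gserviceaccount\.com$/.test(env[REQUIRED.client_email])) {
    throw new Error(`${REQUIRED.client_email} is not a service account address`);
  }
  return {
    type: 'service_account',
    project_id: projectId,
    private_key_id: env[REQUIRED.private_key_id],
    private_key: privateKey,
    client_email: env[REQUIRED.client_email],
    client_id: env[REQUIRED.client_id],
  };
}

// Constructed sample environment; the key body is a dummy string, not a real key.
const SAMPLE_ENV = {
  FIREBASE_ADMIN_PRIVATE_KEY_ID: 'constructed-key-id',
  FIREBASE_ADMIN_PRIVATE_KEY:
    '-----BEGIN PRIVATE KEY-----\\nQ09OU1RSVUNURUQ=\\n-----END PRIVATE KEY-----\\n',
  FIREBASE_ADMIN_CLIENT_EMAIL: 'firebase-adminsdk-demo@demo-project.iam.gserviceaccount.com',
  FIREBASE_ADMIN_CLIENT_ID: '000000000000',
};

// At startup: initializeApp({ credential: cert(loadServiceAccount(process.env, 'your-project-id')) })
console.log(loadServiceAccount(SAMPLE_ENV, 'demo-project').client_email);
```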
1
This will mainly depend on the tools you use to deploy and run your applications. If running on Kubernetes, you can use Secrets to mount the JSON file on your containers. Docker and Docker Swarm provide similar capabilities. Ideally, the JSON file should never be permanently packaged into images. It should almost always be securely mounted/wired at runtime.

Hiranya Jayathilaka
I am using Heroku atm, will try and see if there is a similar solution, thanks! – Nikola-Milovic Oct 20 '21 at 06:27