是否可以检索 Firebase Cloud Function 源代码？

Question

I'm writing some Firebase Cloud Functions but I have need to hide a private key, including from Firebase project admins.

If I embedded this key into my source code and uploaded the code myself, would it be possible for anyone to retrieve the source code and thus the key? Either via Firebase or Google?

Many thanks

Answer 1

The code for your Cloud Functions is never accessible to users of your app.

It is however accessible for the collaborators on your Firebase project. See Get code from firebase console which I deployed earlier

I don't think there's any way to hide such configuration values from collaborators. Since they can see/deploy code, and the code needs access to this private key, they by definition have access to the key too.

Answer 2

Maybe setting an environmental variable:

Oficial Doc

Answer 3

Answering precisely to your question: Yes, they can .

The step by step to achieve that is relatively simple

1. Go into the GCP Functions page
2. Select the function you want to inspect
3. Click on source (From there you should be able to see all the files and the code used by that function), or;
4. Click on variables (From there you should see all environment variables used by your function)

If that approach seems like problematic to you, here's a way to make things more secure :

You can build on what you already and start encrypting those keys before adding them to the codebase or the environment variables. After that, you can use an encryption service such as KMS to decrypt those keys at runtime. In KMS itself you can have a stricter policy in there, only allowing yourself and the function to access that service.