Firebase Functions

Learn how to integrate Doppler with Firebase Cloud Functions to sync secrets to production and during local development.

13281328

In this guide, you'll learn how to integrate Doppler into a Firebase Cloud Functions application so you'll never have to maintain an .env file again.

πŸ“˜

Check out our Firebase sample repository to see a complete working solution.

Prerequisites

Secrets

Doppler syncs secrets to Firebase environment variables which are accessed from the doppler property returned by the functions.config() method:

const functions = require('firebase-functions');
const secrets = functions.config().doppler;

const API_KEY = secrets.API_KEY;

The following sections will now show you how to configure local development and CI/CD.

Local Development

Secrets are injected during local development using the CLOUD_RUNTIME_CONFIG environment variable populated by the Doppler CLI. This removes the need for .env and .runtimeconfig.json files altogether.

Configure the Doppler CLI to fetch secrets for the Development config by opening a terminal in the functions directory and running:

doppler setup

You can verify the secrets fetched by the CLI at any time by running:

doppler secrets

Now update the serve and shell scripts (or similar) in the package.json:

{
  "scripts": {
    "serve": "CLOUD_RUNTIME_CONFIG=\"$(doppler secrets download --no-file | jq '{doppler: .}')\" firebase emulators:start --only functions",
    "shell": "CLOUD_RUNTIME_CONFIG=\"$(doppler secrets download --no-file | jq '{doppler: .}')\" firebase functions:shell",
  }
}

Then test the functions emulator by running:

npm run serve

You and your teammates will never have out-of-date secrets again plus you don't have to worry about leaking credentials in unprotected .env or .runtimeconfig.json files.

CI/CD

Deploying to production in CI/CD is a two-step process:

  1. Update the function environment variables
  2. Update the function code

Add a new secrets-sync script to the package.json and update the existing deploy script to use it:

{
  "scripts": {
    ...
    "secrets-sync": "firebase functions:config:unset doppler && firebase functions:config:set doppler=\"$(doppler secrets download --no-file)\"",
    "deploy": "npm run secrets-sync && firebase deploy --only functions",
  }
}

Your CI/CD environment will need a Doppler Service Token injected via a DOPPLER_TOKEN environment variable to provide read-only access to the Production config.

A Firebase deploy GitHub Action would then look something like this:

name: deploy

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./functions
    steps:
      - uses: actions/[email protected]
      - uses: actions/[email protected]
      - uses: dopplerhq/[email protected]
        with:
          node-version: '16'
      - run: curl -sL https://firebase.tools | bash
      - run: npm install
      - run: npm run deploy
        env:
          DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
          FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}

πŸ‘

Amazing Work!

Now you know how to use Doppler to manage and sync secrets for Firebase Cloud Functions in local development and production.


Did this page help you?