Secret files
Hello,
I would like to send push notifications from some Convex action. In order to achieve it, I need to install the firebase-admin SDK on my Convex environment.
I set up an action in a Node.js environment, but according to the Firebase doc (https://firebase.google.com/docs/admin/setup#initialize_the_sdk_in_non-google_environments) I need to store a GOOGLE_APPLICATION_CREDENTIALS file on my server.
I saw in the Convex doc that we can set env variables, but I don't know if there is also a way to store secret files.
Thanks in advance!
8 Replies
I haven't used Firebase in years so things may have changed, but I believe you can still just store the credentials directly in an environment variable using admin.credential.cert(). Couple approaches in the examples here: https://firebase.google.com/docs/reference/admin/node/firebase-admin.credential_n.md#credentialcert
It's appropriate/secure to store secrets in your Convex backend environment.
Google's documented approach makes it seem like you can only store this secret as a JSON file; you have to dig to learn how to use env vars alone.
gotcha
Oh, I didn't see this documentation. Indeed no issues since it can work with env variables. Thanks again!
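The env-variable approach from the replies above, written out as an added example that is not part of the original thread and is not Firebase's or Convex's own code. The variable name FIREBASE_SERVICE_ACCOUNT and the helper names loadServiceAccount and initFirebase are assumptions; the variable is assumed to hold the whole service-account JSON as one string.

```javascript
// Added example: build a firebase-admin credential from an environment
// variable instead of a GOOGLE_APPLICATION_CREDENTIALS file.
// FIREBASE_SERVICE_ACCOUNT is a hypothetical variable name.
const REQUIRED_FIELDS = ["project_id", "client_email", "private_key"];

function loadServiceAccount(env, name = "FIREBASE_SERVICE_ACCOUNT") {
  const raw = env[name];
  if (typeof raw !== "string" || raw.trim() === "") {
    throw new Error(`${name} is not set`);
  }
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    // Do not echo the raw value or the parser's message: recent Node
    // versions quote part of the input, which here is key material.
    throw new Error(`${name} is not valid JSON`);
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error(`${name} must be a JSON object`);
  }
  for (const field of REQUIRED_FIELDS) {
    if (typeof parsed[field] !== "string" || parsed[field] === "") {
      throw new Error(`${name} is missing "${field}"`);
    }
  }
  // Env-variable editors and shells often leave the PEM line breaks as a
  // literal backslash-n; turn them back into real newlines.
  const privateKey = parsed.private_key.replace(/\\n/g, "\n");
  if (!privateKey.includes("-----BEGIN PRIVATE KEY-----")) {
    throw new Error(`${name} private_key is not a PEM private key`);
  }
  return { ...parsed, private_key: privateKey };
}

// `admin` is the imported firebase-admin module, passed in by the caller
// from a Node.js action.
function initFirebase(admin, env = process.env) {
  return admin.initializeApp({
    credential: admin.credential.cert(loadServiceAccount(env)),
  });
}
```
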
I have a slightly more complex use case where I need to potentially store service accounts or other sensitive auth tokens of users to interface with their DB. One option I was considering was Google Secret Manager, but I was also thinking that Convex might work well too. Is it out of the question to store credentials inside tables or what's the recommended approach @jamwt ?
tagging @epmatt
Storing secrets in a table is very reasonable @David Alonso; the goals of using environment variables are to keep the secret out of your git repo, to control access to it separately, and to be able to use different values in dev vs prod if you want that.
These are all accomplished by storing secrets in a Convex table if the only people with access to that deployment are people you'd trust with this secret (your teammates).
Since you need a dynamic number of secrets (n per user it sounds like?) a table is the right place unless you have legal or TOS reasons you don't want to store these, e.g. there are rules about how to store credit card numbers that make it often less work to use Stripe and never let the credit card numbers hit your database.
Thanks so much for all the input here @ballingt!
@ballingt convex env variables are only accessible inside convex functions right?