Deploying a service account key on Cloud Functions


Michele Volpato

Dec 7, 2020, 11:36:32 AM
to Firebase Google Group
Hi all,

I am reading this security document and checking that my project checks all the points in the checklist.

In Cloud Functions safety it is explained that 
  • If you're calling Google and Google Cloud APIs that require service account credentials, the Google Auth library for Node.js can get these credentials from the application default credentials, which are automatically populated in Cloud Functions.
I need to access Google Drive API from my Cloud Functions, and for this reason I deploy the key of a service account (the json file) that has access to Google Drive API, and I refer to it in the code.

According to the point above, I should not do it. Is that correct?
The solution would be either
  • Add Google Drive API permission to the application default service account, or
  • Use Google Secret Manager.
Is this correct, or am I missing something?


Have a good week,

Sam Stern

Dec 7, 2020, 1:14:49 PM
to Firebase Google Group
Hi Michele,

Yes that is correct, you should either add the permission you need to the default service account or use Secret Manager.

- Sam
