Secret files | Convex Community | Page 1

drowsy plinth Mar 22, 2024, 1:28 PM

#

Hello,

I would like to send push notifications from some convex action. In order to achieve it, I need to install the firebase-admin SDK on my convex environment.
I setup an action in a NodeJS environment, but according to the firebase doc (https://firebase.google.com/docs/admin/setup#initialize_the_sdk_in_non-google_environments) I need to store a GOOGLE_APPLICATION_CREDENTIALS file in my server.
I saw in the Convex doc that we can set env variables, but I don't know if there is also a way to store secret files.

Thanks in advance!

Firebase

Add the Firebase Admin SDK to your server

The Admin SDK is a set of server libraries that lets you interact with Firebase from privileged environments.

shadow lodge Mar 22, 2024, 1:37 PM

#

I haven't used firebase in years so things may have changed, but I believe you can still just store the credentials directly in an environment variable using admin.credential.cert(). Couple approaches in the examples here: https://firebase.google.com/docs/reference/admin/node/firebase-admin.credential_n.md#credentialcert

Firebase

credential namespace | Firebase Admin SDK

onyx grotto Mar 22, 2024, 4:15 PM

#

drowsy plinth Hello, I would like to send push notifications from some convex action. In orde...

It's appropriate/secure to store secrets in your convex backend environment

shadow lodge Mar 22, 2024, 4:20 PM

#

Google's documented approach makes it seem like you can only store this secret as a json file, have to dig to learn how to use env vars alone

onyx grotto Mar 22, 2024, 4:21 PM

#

gotcha

drowsy plinth Mar 22, 2024, 8:35 PM

#

Oh I didn't see this documentation. Indeed no issues since it can work with env variables. Thanks again !

queen flint Jun 12, 2024, 2:51 PM

#

I have a slightly more complex use case where I need to potentially store service accounts or other sensitive auth tokens of users to interface with their DB. One option I was considering was Google Secret Manager, but I was also thinking that Convex might work well too. Is it out of the question to store credentials inside tables or what's the recommended approach @onyx grotto ?

queen flint Jun 13, 2024, 8:57 AM

#

tagging @raw plank

pulsar wigeon Jun 13, 2024, 3:30 PM

#

Storing secrets in a table is very reasonable @queen flint; the goals of using environment variables are to keep the secret out of your git repo, to control access to it separately, and to be able to use different values in dev vs prod if you want that.

These are all accomplished by storing secrets in a Convex table if the only people with access to that deployment are people you'd trust with this secret (your teammates).

#

Since you need a dynamic number of secrets (n per user it sounds like?) a table is the right place unless you have legal or TOS reasons you don't want to store these, e.g. there are rules about how to store credit card numbers that make it often less work to use Stripe and never let the credit card numbers hit your database.

queen flint Jun 13, 2024, 6:13 PM

#

Thanks so much for all the input here @pulsar wigeon !

#Secret files