Google Cloud Function : support for Google Cloud KMS

The other solution to this which came out only in the last few months, is to use Google Cloud Runtime Configuration with Firebase for Functions: https://firebase.google.com/docs/functions/config-env

Firebase for Functions seems to provide access to several features that are not yet available via other means.

Runtime Configurator does not charge for use, but enforces the following API limits and quotas:

  • 1200 Queries Per Minute (QPM) for delete, create, and update requests
  • 600 QPM for watch requests.
  • 6000 QPM for get and list requests.
  • 4MB of data per user, which consists of all data written to the Runtime Configurator service and accompanying metadata.

https://cloud.google.com/deployment-manager/pricing-and-quotas#runtime_configurator


As an aside, I find this conflict in the Firebase for Functions comical:

The Firebase SDK for Cloud Functions offers built-in environment configuration to make it easy to store and retrieve this type of data for your project without having to redeploy your functions.

Then a moment later:

After running functions:config:set, you must redeploy functions to make the new configuration available.


The KMS solution is a viable alternative; however, it seems costly for functions. KMS is billed at $0.06 per month per active key, as well as $0.03 per 10,000 operations.

This would then change the cost of your Cloud Function from $0.40 per million invocations, to $3.40 per million invocations. That is quite the jump.

  • https://cloud.google.com/kms/
  • https://cloud.google.com/functions/

As of December 2019, the preferred way to store and manage secrets on Google Cloud is Secret Manager:

$ echo -n "user:pass" | gcloud beta secrets create "my-basic-auth" \
  --data-file=- \
  --replication-policy "automatic"

You can also create and manage secrets from API:

// Import the library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Create the client
const client = new SecretManagerServiceClient();

// await is only valid inside an async function
async function createBasicAuthSecret() {
  // Create the secret (the container; it holds no data yet)
  const [secret] = await client.createSecret({
    parent: "projects/<YOUR-PROJECT-ID>",
    secretId: "my-basic-auth",
    secret: {
      replication: {
        automatic: {},
      },
    },
  });

  // Add the version with your data
  const [version] = await client.addSecretVersion({
    parent: secret.name,
    payload: {
      data: Buffer.from("user:pass", "utf8"),
    },
  });
  return version.name;
}

Then, in your Cloud Function:

// Inside an async handler; client is the SecretManagerServiceClient created above
const [version] = await client.accessSecretVersion({
  name: "projects/<YOUR-PROJECT-ID>/secrets/<MY-SECRET>/versions/1",
});

const auth = version.payload.data.toString('utf-8');

// auth is user:pass

The service account with which you deploy your Cloud Function will need roles/secretmanager.secretAccessor permissions.
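As an added example (not part of the answer above, and not Google's own code), here is a small helper that builds the Secret Manager resource name, validates the secret ID, and caches the decoded payload per function instance so a warm instance does not pay for an accessSecretVersion call on every invocation. The client is injected, so it can be a real SecretManagerServiceClient in production or the constructed stub below when run offline; the allowed secret ID character set is an assumption taken from the Secret Manager documentation.

```javascript
// Allowed characters for a secret ID (assumption: letters, digits, '-' and '_', max 255).
const SECRET_ID_RE = /^[A-Za-z0-9_-]{1,255}$/;

// Build the full resource name expected by accessSecretVersion.
// Pin a numeric version in production; 'latest' is a convenience alias.
function secretVersionName(projectId, secretId, version = 'latest') {
  if (!SECRET_ID_RE.test(secretId)) {
    throw new Error(`invalid secret id: ${secretId}`);
  }
  return `projects/${projectId}/secrets/${secretId}/versions/${version}`;
}

// Per-instance cache: a warm Cloud Function instance serves many invocations,
// so fetching the secret once keeps the per-operation cost off the hot path.
// The cache lives in memory only; nothing is written to disk or logs.
function makeSecretLoader(client, cache = new Map()) {
  return async function loadSecret(name) {
    if (cache.has(name)) return cache.get(name);
    const [version] = await client.accessSecretVersion({ name });
    const value = version.payload.data.toString('utf8');
    cache.set(name, value);
    return value;
  };
}

// Constructed stub standing in for SecretManagerServiceClient so the example
// runs offline; it mirrors the [response] array shape and counts API calls.
function makeStubClient(secrets) {
  const stub = { calls: 0 };
  stub.accessSecretVersion = async ({ name }) => {
    stub.calls += 1;
    if (!(name in secrets)) throw new Error(`NOT_FOUND: ${name}`);
    return [{ name, payload: { data: Buffer.from(secrets[name], 'utf8') } }];
  };
  return stub;
}

// Usage with constructed data: one API call, then served from cache.
async function demo() {
  const name = secretVersionName('my-project', 'my-basic-auth', '1');
  const client = makeStubClient({ [name]: 'user:pass' });
  const load = makeSecretLoader(client);
  await load(name);
  await load(name);
  return { auth: await load(name), apiCalls: client.calls }; // apiCalls is 1
}
```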


Is it possible by using either the Runtime Configurator or the Deployment Manager to configure secrets for a Google Cloud Function?

There is no built-in service that will let you configure secrets to be directly accessed by Google Cloud Functions at this time, so the method you are currently using is the proper way to handle secrets on Cloud Functions for the time being. This could change as the product is still in beta.

If you want you can make a feature request to the Cloud Function team by using the appropriate issue tracker.