Skip to content

Firebase Admin SDK Private Key

Service Name: Firebase

Service Description: Firebase is a platform developed by Google for creating mobile and web applications. It provides tools and infrastructure designed to help developers build high-quality apps, grow their user base, and earn money. The Firebase Admin SDK enables access to Firebase services from privileged environments.

Service Address: https://firebase.google.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the Google Cloud project level using VPC Service Controls and firewall rules.

Secret Access Scope: Grants administrative access to Firebase services including Authentication, Realtime Database, Cloud Firestore, Cloud Storage, and other Firebase services associated with the project.

Secret Revokement URL: https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk

Secret Example:

Suspicious Activity Investigation Instructions:

  • Review Google Cloud Platform audit logs for unusual activities related to the service account
  • Check Firebase Authentication logs for unexpected user creation or modification
  • Monitor Firestore/Realtime Database for unauthorized data access or modifications
  • Examine Cloud Storage for unexpected file uploads, downloads, or deletions
  • Review Firebase Functions logs for unexpected invocations or deployments
  • Check for unexpected changes to Firebase project settings or configurations

Mitigation Instructions:

  • Immediately rotate the compromised service account key by navigating to the Firebase console
  • Go to Project Settings > Service accounts > Firebase Admin SDK
  • Click "Generate new private key" to create a new key { "type": "service_account", "project_id": "example-project-12345", "private_key_id": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0", "private_key": "-----BEGIN PRIVATE KEY----- \nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7VJTUt9Us8cKj\nMzE fYyjiWA4R4/M2bS1GB4t7NXp98C3SC6dVMvDuictGeurT8jNbvJZHtCSuYEvu\nNMoSfm76 oqFvAp8Gy0iz5sxjZmSnXyCdPEovGhLa0VzMaQ8s+CLOyS56YyCFGeJZ\n-----END PRIVATE KEY-----\n", "client_email": "firebase-adminsdk-abc123@example-project- 12345.iam.gserviceaccount.com", "client_id": "123456789012345678901", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk- abc123%40example-project-12345.iam.gserviceaccount.com" }
  • Update all applications using the old key with the new key
  • Delete the compromised key from the Firebase console
  • Review IAM permissions for the service account and restrict to only necessary permissions
  • Consider implementing shorter key rotation periods
  • Enable audit logging for the Google Cloud project
  • Consider implementing VPC Service Controls to restrict API access