Firebase Admin SDK Private Key
Service Name: Firebase
Service Description: Firebase is a platform developed by Google for creating mobile and web applications. It provides tools and infrastructure designed to help developers build high-quality apps, grow their user base, and earn money. The Firebase Admin SDK enables access to Firebase services from privileged environments.
Service Address: https://firebase.google.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the Google Cloud project level using VPC Service Controls and firewall rules.
Secret Access Scope: Grants administrative access to Firebase services including Authentication, Realtime Database, Cloud Firestore, Cloud Storage, and other Firebase services associated with the project.
Secret Revokement URL: https://console.firebase.google.com/project/_/settings/serviceaccounts/adminsdk
Secret Example:
Suspicious Activity Investigation Instructions:
- Review Google Cloud Platform audit logs for unusual activities related to the service account
- Check Firebase Authentication logs for unexpected user creation or modification
- Monitor Firestore/Realtime Database for unauthorized data access or modifications
- Examine Cloud Storage for unexpected file uploads, downloads, or deletions
- Review Firebase Functions logs for unexpected invocations or deployments
- Check for unexpected changes to Firebase project settings or configurations
Mitigation Instructions:
- Immediately rotate the compromised service account key by navigating to the Firebase console
- Go to Project Settings > Service accounts > Firebase Admin SDK
- Click "Generate new private key" to create a new key
{ "type": "service_account", "project_id": "example-project-12345", "private_key_id": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0", "private_key": "-----BEGIN PRIVATE KEY----- \nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7VJTUt9Us8cKj\nMzE fYyjiWA4R4/M2bS1GB4t7NXp98C3SC6dVMvDuictGeurT8jNbvJZHtCSuYEvu\nNMoSfm76 oqFvAp8Gy0iz5sxjZmSnXyCdPEovGhLa0VzMaQ8s+CLOyS56YyCFGeJZ\n-----END PRIVATE KEY-----\n", "client_email": "firebase-adminsdk-abc123@example-project- 12345.iam.gserviceaccount.com", "client_id": "123456789012345678901", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk- abc123%40example-project-12345.iam.gserviceaccount.com" } - Update all applications using the old key with the new key
- Delete the compromised key from the Firebase console
- Review IAM permissions for the service account and restrict to only necessary permissions
- Consider implementing shorter key rotation periods
- Enable audit logging for the Google Cloud project
- Consider implementing VPC Service Controls to restrict API access