Can anyone verify if you need a service account key for Firebase functions?

Question

In this video produced by Googles Firebase team it doesn't appear that you need a service account key https://www.youtube.com/watch?v=2u6Zb36OQjM

Does anyone have functions working without it?

I understand it could work like this:

import * as v1 from "firebase-functions/v1";
import admin from "firebase-admin";
admin.initializeApp();
const db = admin.firestore();

export const createuserdocument = v1.auth.user().onCreate((user) => {
  const result = db.collection("users")
    .doc(user.uid)
    .set(JSON.parse(JSON.stringify(user)));
    console.log(result);
    return result
});

Someone said this worked for them but it doesn't seem to work form me. Passing the ID of the project

import * as v1 from "firebase-functions/v1";

import admin from "firebase-admin";
admin.initializeApp({projectId: 'project-id'});
const db = admin.firestore();

export const createuserdocument = v1.auth.user().onCreate((user) => {
  const result = db.collection("users")
    .doc(user.uid)
    .set(JSON.parse(JSON.stringify(user)));
    console.log(result);
    return result
});

These are examples of creating a user within Firestore upon account creation.

I don't know if exposing the service account key is a security risk or the only legitmate way of making Firebase functions work.

Answer 1

When you call admin.initializeApp() with no arguments, it will attempt to use the runtime environment to find any credentials. When running in Cloud Functions, it will use the default service account credentials for the project where it was deployed.

From the documentation for the Firebase Admin SDK:

Because default credentials lookup is fully automated in Google environments, with no need to supply environment variables or other configuration, this way of initializing the SDK is strongly recommended for applications running in Google environments such as Cloud Run, App Engine, and Cloud Functions.