Firebase Cloud Functions Continuous Deploying with Cloud Build

Andrés Mijares
6 min readMay 7, 2019


Originally posted on

Well, at this point I’m a fan of this, migrating all our platform from AWS to gcloud it’s been a great experience (pun intended), this time I want to show you how easy is to deploy your firebase projects with Cloud Build, direct to the point.


  • I made this approach to work with several projects and services.
  • You will need to change to the Blaze plan and activate billing (this is important if you are using firebase in production and you want to keep track of your cost).
  • I will assume you have several projects, for the sake of the example, I will use only two production and staging.

The Setup

Let’s say you have a master account, based on this account you two firebase projects:

  • my-company-dev
  • my-company-prod

In this case, you will give unlimited access to developers to work on my-company-dev but the access to my-company-prod is limited, this is key cause we are going to set all this project on this account. The whole project looks like this:

CI build

Important things to notice here:

  • All secrets are going to be handled via the production account.
  • Commits to the master and staging branch in github will trigger the process. How to should manage your PRs is out of the scope of this post.

The process

Using your operations account you should create both of your projects on the firebase console.

After you create your project following the instructions set here, your files should look like this:

project tree

I only picked cloud functions but it can be extended to hosting, storage, rules, etc. Let’s do a couple of things here before move on, first open the .firebaserc file and make sure it looks like this:


You can use whatever naming convention (duh) you want to.

Also, add a .env file in the root of the project and lastly, make sure you add .env to your .gitignore file.

We will come back here later, let’s move to the google console.

Installing the gcloud SDK

Before moving any further, you need to install the gcloud sdk, you can do it using this link. Make sure you download the right installation for your system and more important login using your master account.

gcloud init

Configuring Cloud Build

Go into the gcloud console and using the top search bar type Cloud Build and enable the API:

Click Triggers and after enabling it, you will get something like this:

Make sure you select your github project and set the following configuration:

This will be our trigger to the staging.


  • Check Cloud Build configuration file
  • Add one Item (or more if you have environment variables) and set a substitution _PROJECT_NAME, important to start with _.

Save it and create another similar trigger but this time the Branch will be production and _PROJECT_NAME will be my-company-prod, make sure you select Cloud Build configuration file.

Upload the Firebase Builder

By default, the firebase tool is not available on the npm image, we could install it but I’ve found out that is way easier going to this process instead.

You will need to clone the repo from the cloud builder community.

git clone
cd cloud-builders-community/firebase
gcloud builds submit --config cloudbuild.yaml .

After the process is completed, you can delete the repo from your computer.

Note: If you are managing multiple projects into your gcloud account sdk, you should set the my-company-prod first

gcloud config set project my-company-prod


We are almost there! let’s go back to your project IDE.

We need to generate the firebase ci token, on your terminal using the firebase tool type:

firebase use production // our whatever you main project is
firebase login:ci

This will generate a token, copy and paste it into your .env (remember this file should be added to your .gitignore file).

Now we need to do a couple of stuff:

  • Encrypt it using the Cryptographic Keys services.
  • Encode 64 it.
  • Add it to the clodbuild.yml file.

Note: I like to keep this token encrypted but maybe this is not your case, if so, you can just copy and paste it as it is on the Cloud Build items where I mentioned you can set your environment variables and ignore this part.

Let’s go by parts…

Cryptographic Keys

Find Cryptographic Keys on the top search bar and enable the service.

  • Create a ring name ci-ring
  • Then create a key called deployment

Alright! now let’s go to encrypt your secrets!

Encrypt Firebase token

Go back to your terminal and into your project folder type the following command:

gcloud kms encrypt --plaintext-file=.env --ciphertext-file=.env.enc --location=global --keyring=ci-ring --key=deployment

No answer will be returned but you will see that a filed called .env.enc was created.

Encode base64

If you are on mac you can type the following command:

openssl base64 -in .env.enc -out .env.enc.txt

Note: I’m not sure about equivalent on windows or linux :( but it shouldn’t be that hard to find ;-)

This will generate a filed called .env.enc.txt you will need it on the next step.

Create the cloud build configuration file

Finally! we just have a couple missing parts and we are done! promised!

Create a file called .cloudbuild.yml in the root of the project and paste the following:

Notice the kmsKeyName in our sample the value should be:


Adjust your according.

You can add more steps in case your fave for example unit test:

- name: ''
dir: 'functions'
args: ['run', 'test']

I’m running an install cause my build process uses typescript and I need the linter to run before.

You can use the same pattern to add more steps and also deploy other services, for example, your firestore security rules:

- name: '$PROJECT_ID/firebase'
args: ['deploy', '--only', 'firestore:rules']

Also, notice how the cloud build substitutions are available here as _PROJECT_NAME on the first step. Using this pattern you can assemble your own ci process. Just be aware we are using different images per steps,$PROJECT_ID/firebase which we installed in a previous step.

IAM Roles

Lastly Finally! we just need to give cloud build permissions to decrypt this secrets.

On your gcloud console top search bar type IAM and IAM & admin find our your list one Member which looks like and click on the edit button.

Add the role Cloud KMS CryptoKey Decrypter


Let’s test this, on your terminal type the following command:

gcloud builds submit . --config=cloudbuild.yaml --substitutions=_PROJECT_NAME=my-company-dev

Make sure you change my-company-dev for your real project name.

If everything went good you will see something like (beside the logs) on your cloud build console.

That’s all

Now commit your project to github and after you merge stuff into master or staging it would deploy your respective projects :)


I hope you like this! It took me several hours and frustration to find the right approach that works easy enough for me and my team. I hope you can get the most of it with all the pain.

If you like this project please considering sharing and follow us on twitter and why not? join our slack (we are still small)