Firebase Cloud Functions Continuous Deploying with Cloud Build

Originally posted on

Well, at this point I’m a fan of this: migrating all our platform from AWS to gcloud has been a great experience (pun intended). This time I want to show you how easy it is to deploy your Firebase projects with Cloud Build, direct to the point.


  • You will need to change to the Blaze plan and activate billing (this is important if you are using firebase in production and you want to keep track of your cost).
  • I will assume you have several projects; for the sake of the example, I will use only two: production and staging.

The Setup

  • my-company-dev
  • my-company-prod

In this case, you will give developers unlimited access to work on my-company-dev, but access to my-company-prod is limited. This is key because we are going to set all of this up on this account. The whole project looks like this:

CI build

Important things to notice here:

  • All secrets are going to be handled via the production account.
  • Commits to the master and staging branches in GitHub will trigger the process. How you should manage your PRs is out of the scope of this post.

The process

After you create your project following the instructions set here, your files should look like this:

project tree

I only picked Cloud Functions, but it can be extended to hosting, storage, rules, etc. Let’s do a couple of things here before moving on. First, open the .firebaserc file and make sure it looks like this:


You can use whatever naming convention (duh) you want to.

Also, add a .env file in the root of the project and lastly, make sure you add .env to your .gitignore file.

We will come back here later, let’s move to the google console.

Installing the gcloud SDK

gcloud init

Configuring Cloud Build

Click Triggers and after enabling it, you will get something like this:

Make sure you select your github project and set the following configuration:

This will be our trigger to the staging.


  • Check Cloud Build configuration file
  • Add one Item (or more if you have environment variables) and set a substitution named _PROJECT_NAME; it is important that the name starts with _.

Save it and create another similar trigger but this time the Branch will be production and _PROJECT_NAME will be my-company-prod, make sure you select Cloud Build configuration file.

Upload the Firebase Builder

You will need to clone the repo from the cloud builder community.

git clone
cd cloud-builders-community/firebase
gcloud builds submit --config cloudbuild.yaml .

After the process is completed, you can delete the repo from your computer.

Note: If you are managing multiple projects with the gcloud SDK on your account, you should set my-company-prod as the active project first:

gcloud config set project my-company-prod


We need to generate the Firebase CI token. In your terminal, using the firebase tool, type:

firebase use production # or whatever your main project is
firebase login:ci

This will generate a token, copy and paste it into your .env (remember this file should be added to your .gitignore file).

Now we need to do a couple of things:

  • Encrypt it using the Cryptographic Keys services.
  • Base64-encode it.
  • Add it to the cloudbuild.yml file.

Note: I like to keep this token encrypted but maybe this is not your case, if so, you can just copy and paste it as it is on the Cloud Build items where I mentioned you can set your environment variables and ignore this part.

Let’s go by parts…

Cryptographic Keys

  • Create a key ring named ci-ring
  • Then create a key called deployment

Alright! now let’s go to encrypt your secrets!

Encrypt Firebase token

gcloud kms encrypt --plaintext-file=.env --ciphertext-file=.env.enc --location=global --keyring=ci-ring --key=deployment

No output will be returned, but you will see that a file called .env.enc was created.

Encode base64

openssl base64 -in .env.enc -out .env.enc.txt

Note: I’m not sure about equivalent on windows or linux :( but it shouldn’t be that hard to find ;-)

This will generate a file called .env.enc.txt; you will need it in the next step.

Create the cloud build configuration file

Create a file called .cloudbuild.yml in the root of the project and paste the following:

Notice the kmsKeyName in our sample the value should be:


Adjust yours accordingly.

You can add more steps in case you have, for example, unit tests:
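A pre-flight check for the files produced in the steps above, as an added example that is not part of the original post: it confirms that .env is git-ignored, that .env.enc.txt is well-formed base64 once the 64-column wrapping from `openssl base64` is removed, and that no plaintext value from .env has ended up in the build config. The function names, return codes and the config file name passed as an argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. File names follow the post; function names and return
# codes are assumptions made for this illustration.

# preflight DIR CONFIG
#   0 ok | 1 .env not in .gitignore | 2 encoded secret missing or malformed
#   3 a plaintext value from .env appears in CONFIG
preflight() {
  dir=$1
  config=$2

  # .env must be ignored by git (own line, optional leading slash).
  grep -Eq '^/?\.env$' "$dir/.gitignore" 2>/dev/null || return 1

  # The encoded ciphertext must exist and, once the 64-column wrapping
  # added by `openssl base64` is removed, be well-formed base64.
  [ -s "$dir/.env.enc.txt" ] || return 2
  b64=$(tr -d '\r\n' < "$dir/.env.enc.txt")
  case $b64 in
    '' | *[!A-Za-z0-9+/=]*) return 2 ;;
  esac
  [ $(( ${#b64} % 4 )) -eq 0 ] || return 2

  # .env is absent on a fresh clone; nothing to compare in that case.
  [ -f "$dir/.env" ] || return 0

  # Neither a whole .env line nor the part after "KEY=" may appear
  # verbatim in the build config. Short strings are skipped to avoid noise.
  while IFS= read -r line || [ -n "$line" ]; do
    for cand in "$line" "${line#*=}"; do
      if [ "${#cand}" -ge 8 ] && grep -Fq -- "$cand" "$dir/$config"; then
        return 3
      fi
    done
  done < "$dir/.env"
  return 0
}

# Print the ciphertext as a single line, ready to paste as one YAML value.
kms_b64_oneline() {
  tr -d '\r\n' < "$1/.env.enc.txt"
}
```

Run `preflight . <your config file>` from the project root before committing; `kms_b64_oneline .` prints the value to paste into the config.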

- name: ''
  dir: 'functions'
  args: ['run', 'test']

I’m running an install cause my build process uses typescript and I need the linter to run before.

You can use the same pattern to add more steps and also deploy other services, for example, your firestore security rules:

- name: '$PROJECT_ID/firebase'
  args: ['deploy', '--only', 'firestore:rules']

Also, notice how the Cloud Build substitutions are available here as _PROJECT_NAME on the first step. Using this pattern you can assemble your own CI process. Just be aware we are using different images per step, such as $PROJECT_ID/firebase, which we installed in a previous step.

IAM Roles

In the top search bar of your gcloud console, type IAM and open IAM & admin. In your list, find the one Member which looks like and click on the edit button.

Add the role Cloud KMS CryptoKey Decrypter


gcloud builds submit . --config=cloudbuild.yaml --substitutions=_PROJECT_NAME=my-company-dev

Make sure you change my-company-dev for your real project name.

If everything went well you will see something like (beside the logs) on your Cloud Build console.

That’s all


If you like this project, please consider sharing it and following us on Twitter and, why not, joining our Slack (we are still small).
