Tags: firebase, google-cloud-platform, google-cloud-functions, google-secret-manager

Permission denied to google cloud secret on firebase function deploy


I have a firebase project with a google cloud function like this:

import * as functions from "firebase-functions";

// The secret named here is fetched from Secret Manager at deploy time and
// exposed to the function as process.env.MY_SECRET at runtime.
export const myFun = functions.region("europe-west1")
    .runWith({ timeoutSeconds: 10, secrets: ['MY_SECRET'] })
    .https.onCall((data, context) => {/*doStuff()*/});

The function uses MY_SECRET to access a db. Everything works perfectly fine when I build and deploy this function from my local machine to Google Cloud. I can access it and I get the results from the db, all good.

However, I set up a GitHub Action to deploy this function to the cloud for me. For this I set up a service account as a GitHub secret so I can run npx firebase-tools deploy inside the GitHub Action. This always worked, UNTIL I added the secrets: ['MY_SECRET'] to the cloud function.

Locally I can still successfully deploy, but the GitHub Action fails:

Error: Failed to validate secret versions:
- FirebaseError HTTP Error: 403, Permission 'secretmanager.versions.get' denied for resource 'projects/my-project/secrets/MY_SECRET/versions/latest' (or it may not exist).

I made sure the secret actually exists in the correct Google Cloud project, and the service account I use in GitHub DOES have the role Secret Manager Secret Accessor, but I still get the error.

One thing I noticed though is that when I go to the secret manager in the browser and click on my secret, I see:

Resource ID projects/123456789/secrets/MY_SECRET

and the error says projects/my-project/secrets/MY_SECRET/versions/latest

So in the build step, the project name is used, and in the secret manager I see the project ID. Not sure if this is relevant, just something I noticed...

Why does this not work? I tried for hours and am getting desperate, pls help 😅


Solution

...Ok, found the solution after wasting wayyy too much time...

Turns out the Secret Manager Secret Accessor role is not enough, the Secret Manager Viewer role is also needed! 🤦‍♂️🤦‍♂️🤦‍♂️
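As an added example (not code from the question or the answer), the script below grants a deploy service account exactly the two roles the answer names, scoped to the single secret rather than the whole project, and then reproduces the check that the deploy failed on: describing the latest version, which needs secretmanager.versions.get (granted by Secret Manager Viewer), as opposed to reading the payload, which needs secretmanager.versions.access (granted by Secret Manager Secret Accessor). The project ID, secret name and service account e-mail are constructed placeholders; set DRY_RUN=1 to print the gcloud commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example: bind the two Secret Manager roles from the answer on one secret
# and verify the deploy-time permission. Placeholders below are constructed;
# override them via the environment before running.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"        # constructed placeholder
SECRET_NAME="${SECRET_NAME:-MY_SECRET}"
DEPLOY_SA="${DEPLOY_SA:-github-deploy@my-project.iam.gserviceaccount.com}"  # constructed placeholder
DRY_RUN="${DRY_RUN:-0}"

# secretAccessor grants secretmanager.versions.access (read the secret payload);
# viewer grants secretmanager.secrets.get and secretmanager.versions.get, which
# `firebase deploy` calls to validate that the version exists before deploying.
required_roles() {
  printf '%s\n' roles/secretmanager.secretAccessor roles/secretmanager.viewer
}

# Execute a command, or print it on one line when DRY_RUN=1 (offline inspection).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Resource-level binding on the secret itself: the deploy account gets no
# access to other secrets in the project (least privilege).
grant_secret_roles() {
  for role in $(required_roles); do
    run gcloud secrets add-iam-policy-binding "$SECRET_NAME" \
      --project="$PROJECT_ID" \
      --member="serviceAccount:$DEPLOY_SA" \
      --role="$role" --quiet
  done
}

# Reproduce the deploy's validation step as the service account: `describe`
# needs secretmanager.versions.get, the permission named in the 403 error.
verify_deploy_permission() {
  run gcloud secrets versions describe latest \
    --secret="$SECRET_NAME" \
    --project="$PROJECT_ID" \
    --impersonate-service-account="$DEPLOY_SA"
}

# Usage: ./grant-secret-roles.sh apply   (or DRY_RUN=1 ./grant-secret-roles.sh apply)
if [ "${1:-}" = "apply" ]; then
  grant_secret_roles
  verify_deploy_permission
fi
```

If the verification step still returns a 403 after both bindings are in place, check that the member string uses the service account e-mail and that the binding was made in the project whose number appears in the secret's Resource ID, since a secret referenced by project ID and a binding made in a different project will never match.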