Tags: firebase, google-cloud-functions, github-actions, google-iam, secrets

Error deploying Firebase Functions with Github Actions: secrets/XXXX:setIamPolicy 403, Permission 'secretmanager.secrets.setIamPolicy' denied


I have an issue deploying Firebase Functions using Github Actions after making 2 changes:

The Github Action was deploying fine before that and hasn't changed; it uses w9jds/firebase-action@master, with GCP_DEV_KEY being a valid service account key with (I believe) the correct permissions.

      - name: Firebase deploy on staging environment
        if: github.ref == 'refs/heads/staging'
        uses: w9jds/firebase-action@master
        with:
          args: deploy --project myprojectid --only storage,firestore,functions --force
        env:
          GCP_SA_KEY: ${{ secrets.GCP_DEV_KEY }}

Here are the logs of Github Actions:

Run w9jds/firebase-action@master

Storing GCP_SA_KEY in /opt/gcp_key.json
Exporting GOOGLE_APPLICATION_CREDENTIALS=/opt/gcp_key.json

=== Deploying to 'myprojectid'...

i  deploying storage, firestore, functions
i  storage: ensuring required API firebasestorage.googleapis.com is enabled...
✔  storage: required API firebasestorage.googleapis.com is enabled
i  firebase.storage: checking storage.rules for compilation errors...
✔  firebase.storage: rules file storage.rules compiled successfully
i  firestore: reading indexes from firestore.indexes.json...
i  cloud.firestore: checking firestore.rules for compilation errors...
✔  cloud.firestore: rules file firestore.rules compiled successfully
i  functions: preparing codebase default for deployment
i  functions: ensuring required API cloudfunctions.googleapis.com is enabled...
i  functions: ensuring required API cloudbuild.googleapis.com is enabled...
i  artifactregistry: ensuring required API artifactregistry.googleapis.com is enabled...
✔  functions: required API cloudfunctions.googleapis.com is enabled
✔  functions: required API cloudbuild.googleapis.com is enabled
✔  artifactregistry: required API artifactregistry.googleapis.com is enabled
⚠  functions: package.json indicates an outdated version of firebase-functions. Please upgrade using npm install --save firebase-functions@latest in your functions directory.
i  functions: Loading and analyzing source code for codebase default to determine what to deploy
Serving at port 8871

i  extensions: ensuring required API firebaseextensions.googleapis.com is enabled...
✔  extensions: required API firebaseextensions.googleapis.com is enabled
i  functions: Loaded environment variables from .env, .env.myprojectid.
i  functions: preparing . directory for uploading...
i  functions: packaged /github/workspace (556.89 KB) for uploading
i  functions: packaged /github/workspace (558.97 KB) for uploading
i  functions: ensuring required API run.googleapis.com is enabled...
i  functions: ensuring required API eventarc.googleapis.com is enabled...
i  functions: ensuring required API pubsub.googleapis.com is enabled...
i  functions: ensuring required API storage.googleapis.com is enabled...
✔  functions: required API run.googleapis.com is enabled
✔  functions: required API pubsub.googleapis.com is enabled
✔  functions: required API eventarc.googleapis.com is enabled
✔  functions: required API storage.googleapis.com is enabled
i  functions: generating the service identity for pubsub.googleapis.com...
i  functions: generating the service identity for eventarc.googleapis.com...
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret EMAILING_API_KEY.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret XXXXX_PASSWORD.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret XXXXX_KEY.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret XXXXX_SECRET.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret XXXXX_API_KEY.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret YYY_API_KEY.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret XXXXX_API_SECRET_KEY.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret XXXXX_OAUTH_CLIENT_SECRET.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret YYY_OAUTH_CLIENT_SECRET.
i  functions: ensuring XXXXXXXXXXX-compute@developer.gserviceaccount.com access to secret ZZZZ_API_KEY.

Error: Request to https://secretmanager.googleapis.com/v1/projects/myprojectid/secrets/EMAILING_API_KEY:setIamPolicy had HTTP Error: 403, Permission 'secretmanager.secrets.setIamPolicy' denied for resource 'projects/myprojectid/secrets/EMAILING_API_KEY' (or it may not exist).

From what I understand, the issue comes from a missing permission for the deploying service account, preventing it from setting the IAM policy that grants each of the functions access to the secrets?

I have double-checked that all of the secrets in use are indeed defined:

[screenshot: Google Cloud secrets]

I have tried adding the following roles to the principal used for running the deployment:

[screenshot: roles added to the deployment principal]

None of that changed anything, and I'm running out of ideas.

What am I missing? How can I make this deployment work again?

Thanks in advance for the help :)
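The 403 above is raised while firebase-tools tries to grant the functions' runtime service account access to each secret. The following script is an added example (not from the question, not from firebase-tools) that parses constructed log lines modelled on the ones above, extracts which runtime account needs which secret and which permission was denied, and prints the gcloud commands a project owner could apply beforehand so the CI service account never needs secretmanager.secrets.setIamPolicy. The project id and account number are placeholders, and it assumes the deploy skips setIamPolicy once the binding already exists.

```shell
#!/bin/sh
# Constructed sample of the deploy log (placeholder project id and account number).
SAMPLE_LOG="i  functions: ensuring 123456789012-compute@developer.gserviceaccount.com access to secret EMAILING_API_KEY.
i  functions: ensuring 123456789012-compute@developer.gserviceaccount.com access to secret XXXXX_PASSWORD.
i  functions: ensuring 123456789012-compute@developer.gserviceaccount.com access to secret YYY_API_KEY.
Error: Request to https://secretmanager.googleapis.com/v1/projects/myprojectid/secrets/EMAILING_API_KEY:setIamPolicy had HTTP Error: 403, Permission 'secretmanager.secrets.setIamPolicy' denied for resource 'projects/myprojectid/secrets/EMAILING_API_KEY' (or it may not exist)."

# Print "<runtime service account> <secret name>" for every "ensuring ... access to secret" line.
extract_bindings() {
    printf '%s\n' "$1" | awk '/ensuring .* access to secret / {
        sub(/\.$/, "", $NF)   # drop the trailing period after the secret name
        print $4, $NF
    }'
}

# Print "<permission> <resource>" from a 403 error line; prints nothing if there is none.
extract_denied() {
    printf '%s\n' "$1" | sed -n "s/.*Permission '\([^']*\)' denied for resource '\([^']*\)'.*/\1 \2/p"
}

# Emit (without running) one gcloud command per secret that grants the runtime service
# account read access only. Assumption: once the binding exists, the deploy does not need
# to call setIamPolicy, so the CI service account can stay without that permission.
render_grants() {
    project="$1"
    extract_bindings "$2" | sort -u | while read -r sa secret; do
        printf 'gcloud secrets add-iam-policy-binding %s --project=%s --member=serviceAccount:%s --role=roles/secretmanager.secretAccessor\n' \
            "$secret" "$project" "$sa"
    done
}

# Stand-alone run: show what was denied, then the grants a project owner would apply.
extract_denied "$SAMPLE_LOG"
render_grants myprojectid "$SAMPLE_LOG"
```

Feed the real deploy log in place of SAMPLE_LOG to get the list for your own project; the commands are printed, not executed, so they can be reviewed first.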


Solution

  • I did not manage to solve this particular issue directly, but found a way to get the Github Action deployment working:

    1. I built the functions project locally

    2. I deployed from my local machine (as a Google Cloud project owner, without a service account)

    3. This seemed to enable some Google Cloud APIs such as Secrets, EventArc, etc., necessary for cloud functions Gen 2 to work

    4. Most functions deployed fine, others (based on automated triggers) failed because EventArc wasn't fully enabled yet: I had to wait for a few minutes before redeploying these functions

    5. After this first deployment, I ran the Github Actions pipeline again, and it worked fine, without any permissions error.

    I hope this may help someone else one day :)