Permission denied to google cloud secret on firebase function deploy
I have a firebase project with a google cloud function like this:
import * as functions from "firebase-functions";

// 1st-gen callable function; the declared secret is exposed to the
// running function as the environment variable process.env.MY_SECRET.
export const myFun = functions.region("europe-west1")
  .runWith({ timeoutSeconds: 10, secrets: ['MY_SECRET'] })
  .https.onCall((data, context) => {/*doStuff()*/});
The function uses MY_SECRET to access a db. Everything works perfectly fine when I build and deploy this function from my local machine to google cloud. I can access it and I get the results from the db, all good.
However, I set up a github action to deploy this function to the cloud for me. For this I set up a service account as a github secret so I can run npx firebase-tools deploy inside the github action. This always worked, UNTIL I added the secrets: ['MY_SECRET'] to the cloud function.
Locally I can still successfully deploy, but the github action fails:
Error: Failed to validate secret versions:
- FirebaseError HTTP Error: 403, Permission 'secretmanager.versions.get' denied for resource 'projects/my-project/secrets/MY_SECRET/versions/latest' (or it may not exist).
I made sure the secret actually exists in the correct google cloud project, and the service account I use in github DOES have the role Secret Manager Secret Accessor, but I still get the error.
One thing I noticed though is that when I go to the secret manager in the browser and click on my secret, I see:
Resource ID projects/123456789/secrets/MY_SECRET
and the error says projects/my-project/secrets/MY_SECRET/versions/latest
So in the build step, the project name is used, and in the secret manager I see the project ID. Not sure if this is relevant, just something I noticed...
Why does this not work? I tried for hours and am getting desperate, pls help 😅
Solution 1:[1]
...Ok, found the solution after wasting way too much time...
Turns out the Secret Manager Secret Accessor role is not enough, the Secret Manager Viewer role is also needed!
Solution 2:[2]
Secret Accessor is the correct role, but it needs to be given to the function's runtime service account. See this answer: Can't access secret stored in Secrets Manager from Google Cloud Function
Runtime service accounts: https://cloud.google.com/functions/docs/concepts/iam#runtime_service_accounts
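The two answers above address two different identities, and the error message shows why both matter. The 403 names the permission secretmanager.versions.get, which is carried by Secret Manager Viewer (and not by Secret Manager Secret Accessor, which grants secretmanager.versions.access, the permission needed to read the payload). firebase-tools checks that the declared secret version exists using the identity that runs the deploy (the GitHub service account), while the deployed function reads the value at runtime using its runtime service account. The resource names projects/my-project/... and projects/123456789/... refer to the same secret; one uses the project ID and the other the project number. The script below is an added example, not code from either answer or from Firebase: it grants each role on the individual secret rather than project-wide, then reproduces both checks with impersonation. The project, secret and service-account names are placeholders; the runtime SA shown is the 1st-gen default (App Engine default service account) and must be changed if the function uses a custom one.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Grants least-privilege Secret
# Manager roles on ONE secret and verifies them as each identity.
# Preview:  DRY_RUN=1 sh grant_secret_access.sh
# Apply:    APPLY=1   sh grant_secret_access.sh
# All names below are placeholders; override them via the environment.

PROJECT_ID="${PROJECT_ID:-my-project}"
SECRET_NAME="${SECRET_NAME:-MY_SECRET}"
# Identity that runs `firebase deploy` in GitHub Actions (placeholder name).
DEPLOYER_SA="${DEPLOYER_SA:-github-deployer@${PROJECT_ID}.iam.gserviceaccount.com}"
# Default runtime identity of a 1st-gen Cloud Function (App Engine default SA).
RUNTIME_SA="${RUNTIME_SA:-${PROJECT_ID}@appspot.gserviceaccount.com}"

# Print the command instead of running it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Bind a Secret Manager role on the secret itself (not on the project).
grant_on_secret() {
  member="$1"
  role="$2"
  run gcloud secrets add-iam-policy-binding "$SECRET_NAME" \
    --project="$PROJECT_ID" \
    --member="serviceAccount:${member}" \
    --role="$role"
}

# Deployer: firebase-tools validates the version with secretmanager.versions.get,
# which is in roles/secretmanager.viewer.
grant_deployer() {
  grant_on_secret "$DEPLOYER_SA" "roles/secretmanager.viewer"
}

# Runtime SA: the function reads the payload with secretmanager.versions.access,
# which is in roles/secretmanager.secretAccessor.
grant_runtime() {
  grant_on_secret "$RUNTIME_SA" "roles/secretmanager.secretAccessor"
}

# Reproduce the deploy-time check (metadata read, versions.get) as the deployer.
check_deployer_can_get() {
  run gcloud secrets versions describe latest \
    --secret="$SECRET_NAME" \
    --project="$PROJECT_ID" \
    --impersonate-service-account="$DEPLOYER_SA"
}

# Reproduce the runtime read (payload read, versions.access) as the runtime SA.
check_runtime_can_access() {
  run gcloud secrets versions access latest \
    --secret="$SECRET_NAME" \
    --project="$PROJECT_ID" \
    --impersonate-service-account="$RUNTIME_SA"
}

main() {
  grant_deployer
  grant_runtime
  check_deployer_can_get >/dev/null && echo "deployer can validate ${SECRET_NAME}"
  check_runtime_can_access >/dev/null && echo "runtime SA can read ${SECRET_NAME}"
}

# Never mutate IAM or call gcloud unless explicitly asked to.
if [ -n "${DRY_RUN:-}" ] || [ "${APPLY:-0}" = "1" ]; then
  main
fi
```

Run it once with DRY_RUN=1 to review the exact bindings before applying. If either check still fails after the grants, confirm the function's actual runtime service account in the Cloud Functions console (it is not the GitHub deploy account) and that the secret lives in the same project the deploy targets.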
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Patric |
| Solution 2 | Shawn |
