Google Secret Manager Permissions For Local Emulating of Functions - firebase

I've given the service account for the functions the necessary permissions ('Secret Manager Secret Accessor') and when deployed, the firebase functions are able to access the secrets without any problems.
However, when using firebase serve or firebase emulators:start --only functions in local development, I'm getting the following error
Unhandled error Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource
I've found in the documentation that export GOOGLE_APPLICATION_CREDENTIALS=pathtoserviceaccount.json needs to be entered in the terminal, though this also did not work for me.
I would be thankful for all pointers. Cheers.

I've found the answer myself:
When the functions are emulated locally, they are not run by the App Engine default service account by default; this needs to be enabled as well.
So I had to follow this tutorial https://firebase.google.com/docs/functions/local-shell
The App Engine default service account needs a key which can be created in the Service Accounts settings in the Google Cloud, and then
I had to enter
export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"
in the terminal. Then, by running firebase emulators:start, they also got permission to access the Secret Manager.
So while I was on the right track, I was exporting the wrong Service Account key, and not the one that was allowed to access the Secret Manager.

In order to access Secret Manager from your Firebase application running with the local emulator, you need to add the role
"Secret Manager Secret Accessor" to YOUR account used to authenticate with Firebase.
You can verify it by running: firebase login in local CLI.
If you're already logged in, it should respond with Already logged in as [email address].
This email address is the Principal account you need to add the role to.
As you've mentioned in your question the "firebase-adminsdk" service account permissions are used on the production deployment, but not on local, unless you specify it with: export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"
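
The two answers above come down to which principal the emulator runs as: the service account in the exported key file, or otherwise the account shown by firebase login. The following is an added example, not code from the original answers, that names that principal and prints a grant scoped to one secret; the key contents, e-mail address, secret name and function names are constructed for illustration.

```javascript
// Added example: which IAM principal does the local emulator act as?
const ACCESSOR_ROLE = 'roles/secretmanager.secretAccessor'; // "Secret Manager Secret Accessor"

// keyJsonText: contents of the file GOOGLE_APPLICATION_CREDENTIALS points to,
//              or null when the variable is not set.
// cliLoginEmail: address printed by `firebase login` ("Already logged in as ...").
function resolveEmulatorPrincipal(keyJsonText, cliLoginEmail) {
  if (keyJsonText) {
    let key;
    try {
      key = JSON.parse(keyJsonText);
    } catch (err) {
      throw new Error('credentials file is not valid JSON');
    }
    if (key.type !== 'service_account' || typeof key.client_email !== 'string') {
      throw new Error('credentials file is not a service account key');
    }
    const email = key.client_email;
    let kind = 'other service account';
    if (email.endsWith('@appspot.gserviceaccount.com')) {
      kind = 'App Engine default service account';
    } else if (email.startsWith('firebase-adminsdk-')) {
      kind = 'firebase-adminsdk service account';
    }
    return { member: `serviceAccount:${email}`, kind };
  }
  if (!cliLoginEmail) {
    throw new Error('no key file and no CLI login: nothing to grant the role to');
  }
  return { member: `user:${cliLoginEmail}`, kind: 'Firebase CLI user account' };
}

// Grant on the single secret rather than the whole project (least privilege).
function grantCommand(secretId, principal) {
  return `gcloud secrets add-iam-policy-binding ${secretId} ` +
    `--member="${principal.member}" --role="${ACCESSOR_ROLE}"`;
}

// Constructed sample key file (private key omitted) and constructed names.
const SAMPLE_KEY = JSON.stringify({
  type: 'service_account',
  project_id: 'example-project',
  client_email: 'example-project@appspot.gserviceaccount.com',
});
const withKey = resolveEmulatorPrincipal(SAMPLE_KEY, 'dev@example.com');
console.log(withKey.kind, '->', grantCommand('MY_SECRET_1', withKey));
const withoutKey = resolveEmulatorPrincipal(null, 'dev@example.com');
console.log(withoutKey.kind, '->', grantCommand('MY_SECRET_1', withoutKey));
```

If the printed member is not the principal that holds the role on the secret, the emulator will hit the PERMISSION_DENIED error from the question.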

"[...] you can override secrets values by setting up a .secret.local file. This makes it easy for you to test your functions locally, especially if you don't have access to the secret value."
https://firebase.google.com/docs/functions/config-env#secrets_and_credentials_in_the_emulator
Step by step:
1) Make sure you have the latest version of firebase-tools installed, as this feature is relatively new.
2) Create a file named secret.local in the root of your firebase project (alongside the .firebaserc and firebase.json).
3) Add your secrets to the file, formatted the same way as a regular .env file, e.g.
MY_SECRET_1=foo
MY_SECRET_2=bar
4) Run the emulator: firebase emulators:start
5) Within your firebase functions, access the secrets on the process object, e.g. process.env.MY_SECRET_1
Note: as far as I can tell, the secrets are only available inside the block scope of a function handler. You can't access them in the root scope of your functions JS code (if somebody finds a way to do that, please comment here as I'd love to know too).

I had the same problem and tried the solution from pureth's answer to adding local overrides, but it didn't work. What did work for me was to create the .secret.local file in the functions directory, not in the project root.
My project structure is as follows:
/
|- .firebaserc
|- firebase.json
|- package.json
|- /* ... */
|- functions/
   |- .secret.local
   |- package.json
   |- /* ... */
So the .secret.local file needs to be placed in the directory where your functions reside and not where the .firebaserc file is.
Also, please note that the file name starts with a dot.

Related

Firebase Functions Config: hide Secret in CLI itself

I need to set a secret in my functions config but I want to make sure, that this secret cannot be accessed by anyone, even if the person has access to the firebase project and thus the cli itself.
What I mean by that is, if I set the secret in my CLI, I can then retrieve this secret with firebase functions:config:get. There are people who might have access to the firebase CLI of this project who should not be able to access this secret.
Is there a way to achieve this?
The functions configuration you're referring to is only saved on the local machine. It will not be checked into source control. Other developers who use the CLI in the same project, but on different machines, will not be able to see that configuration.
The configuration will be available in the deployed code, however. If each developer needs a fully isolated configuration at runtime, they should each have their own project to work with.

Firebase cloud functions init not working

I want to use Firebase cloud functions, but when I try to init an existing project I get an error.
This is the error: "Error: HTTP Error: 403, The caller does not have permission"
I created the project before and then I moved the project folder. When I tried to deploy, it didn't work. I don't remember which error I got. Then I tried to init the same project, but I got this error.
I tried logging out and logging in again, but it didn't work.
I deleted "firebase-tools", but that didn't work either.
After that I tried on a different computer and I got the same error.
I also have the Firebase Admin permission.
The firebase init command initializes/enables the project to use Cloud Functions for Firebase. Owners or Editors should use this command. Owners/Editors have higher permissions which allows APIs to be enabled (e.g. allowing the project to create VMs, Cloud Functions, or create a NoSQL Database).
Therefore I think you should perform this operation with Owner/Editor role.
You need to have Owner or Editor IAM permission on the GCP project to use firebase init command.
The firebase init command initializes/enables the project to use Cloud Functions/Hosting for Firebase. Owners/Editors have higher permissions that allow APIs to be enabled etc.
It is a first-time task when you are starting development; after that, the init command can be avoided if you have set up your cloud functions code in VCS for multiple developers or you.
I.e., usually after writing code, you will replicate the project to other developers, who will then also write code and use firebase use yourprojectid further.

Firestore Run Functions Locally with Admin

I'm trying to run my Cloud Functions locally using the below guide
https://firebase.google.com/docs/functions/local-emulator
I'd like to be able to use the Admin SDK in my local functions. I've downloaded JSON admin keys at the Service Accounts Pane of the Google Cloud Console and it says to add it using
export GOOGLE_APPLICATION_CREDENTIALS="path/to/key.json"
I generated keys using
the PROJECTNAME@appspot.gserviceaccount.com that has
App Engine default service account credentials
NOT
firebase-adminsdk-CODE@PROJECTNAME.iam.gserviceaccount.com with firebase-adminsdk credentials
What I tried
I tried to save it down to a separate folder, and I provided the path as relative to root. And I executed this command in terminal while in my functions folder. It didn't give me any response. Just went to the next line in Terminal.
export GOOGLE_APPLICATION_CREDENTIALS="/Users/[user]/Documents/[PROJECT]/Service_Account/file_name.json"
Questions:
Did I download/use the right JSON credentials?
Is there a certain place I need to save that .json file? Or can it be anywhere on my system?
Does that path need to be from root? Or relative to my functions folder?
Where do I need to execute this command?
Should it provide some sort of response that it worked? How do we know if it does?

How to update a file that I deployed to Firebase Hosting?

On deploying my app to Firebase, I am getting this message:
You're seeing this because you've successfully setup Firebase Hosting. Now it's time to go build something extraordinary!
I learnt from a previous post that I need to replace the default index.html with my custom index.html. How do I do that using the Firebase Console?
You cannot change hosted files in the Firebase Console.
Instead, you should change the index.html on your local copy where you initially ran the firebase deploy command. Once you're done with the changes, run firebase deploy again to push the updated version of your website to Firebase Hosting.
For small changes it is probably faster to run firebase serve. This spins up a local web server, so that you can test the changes. Once you're satisfied they work, publish them to Firebase Hosting with firebase deploy again.
Update: this is now possible through some custom scripting. See my answer here for details: Upload single file to firebase hosting via CLI or other without deleting existing ones?
Simply make the changes you want to and then type
npm run build
After this spin the server again using
firebase deploy
The changes you want will be updated.
You can also see the updated changes with the command
firebase serve
and then run firebase deploy when you're satisfied.
First of all, update all the code and asset files on your local system, then:
1) Go to the directory in the terminal by typing $ cd {add your directory}
2) Log in on your terminal console by typing $ firebase login in the terminal
3) After login, write $ firebase deploy
Then go to the Hosting section in your Firebase Console and delete the previously deployed files by deleting the previously added section in the {Project_Name} release history.
It's a simple solution. This message is caused by the index.html file in your public folder being replaced with the index.html file provided by firebase.
All you have to do is navigate to the directory of your web app folder on your terminal and type in
$ rm .firebaserc
then
$ firebase init
after you've completed the firebase initialization, replace the new index.html file with the one inside the public folder and then type
$ firebase deploy

"Error: Permission denied" when running firebase init and choosing database

So I’m testing out the CLI today, and firebase init with db/hosting selected, and choosing to create a new project, always says Error: Permission denied.
sudo firebase init didn’t help.
firebase-tools version 3.0.3 on OS X 10.11.5.
firebase init
You're about to initialize a Firebase project in this directory:
/Users/splaktar/Git/tmp
Before we get started, keep in mind:
* You are initializing in an existing Firebase project directory
? What Firebase CLI features do you want to setup for this folder? Database: Deploy Firebase Realtime Database Rules
=== Project Setup
First, let's associate this project directory with a Firebase project.
You can create multiple project aliases by running firebase use --add,
but for now we'll just set up a default project.
? What Firebase project do you want to associate as default? [don't setup a default project]
=== Database Setup
Firebase Realtime Database Rules allow you to define how your data should be
structured and when your data can be read from and written to.
? What file should be used for Database Rules? database.rules.json
Error: Permission denied.
I've tried the answers here but they did not help. Is this just a bug in the firebase-tools?
I have the same issue and this is how I fixed it.
run firebase init
Deselect ❯◯ Database: Deploy Firebase Realtime Database Rules
Go through other steps to setup the initial app, selecting the default for each should work just fine.
run firebase serve
Hope that helps.
Sometimes it could happen when .firebaserc file exists.
Remove .firebaserc file and reattempt firebase init.
I had the same problem, but I was not accessing the right account.
After accessing the right account, I created a new project and ran "firebase list" (this had not happened before) and my new project was there.
This solved my problem.
You need to have Owner or Editor IAM permission on the GCP project to use firebase init command.
The firebase init command initializes/enables the project to use Cloud Functions/Hosting etc for Firebase. Owners/Editors have higher permissions that allow APIs to be enabled etc.
It is a first-time task when you are starting development; after that, the init command can be avoided if you have set up your cloud functions code in VCS for multiple developers or you.
I.e., usually after writing code, you will replicate the project to other developers, who will then also write code and use firebase use yourprojectid further.
