Google Secret Manager Permissions For Local Emulating of Functions

Question

I've given the service account for the functions the necessary permissions ('Secret Manager Secret Accessor') and when deployed, the firebase functions are able to access the secrets without any problems.

However, when using firebase serve or firebase emulators:start --only functions in local development, I'm getting the following error

Unhandled error Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource

I've found in the documentation that setting export GOOGLE_APPLICATION_CREDENTIALS=pathtoserviceaccount.json is needed to be entered in the terminal, though this did also not work for me.

I would be thankful for all pointers. Cheers.

Answer 1

I had the same problem and tried the solution from pureth's answer to adding local overrides, but it didn't work. What did work for me was to create the .secret.local file in the functions directory, not in the project root.

My project structure is as follows:

/
|- .firebaserc
|- firebase.json
|- package.json
|- /* ... */
|- functions/
   |- .secret.local
   |- package.json
   |- /* ... */

So the .secret.local file needs to be placed in the directory where your functions reside and not where the .firebaserc file is.

Also, please note that the file name starts with a dot.

Answer 2

"[...] you can override secrets values by setting up a .secret.local file. This makes it easy for you to test your functions locally, especially if you don't have access to the secret value."

https://firebase.google.com/docs/functions/config-env#secrets_and_credentials_in_the_emulator

Step by step:

1. make sure you have the latest version of firebase-tools installed, as this feature is relatively new.
2. Create a file named .secret.local in the root of your firebase project (along side the .firebaserc and firebase.json
3. add your secrets to the file, formatted the same as way as a regular .env file. e.g.

MY_SECRET_1=foo
MY_SECRET_2=bar

4. run the emulator firebase emulators:start
5. within your firebase functions, access the secrets on the process object. e.g. process.env.MY_SECRET_1

note, as far as I can tell, the secrets are only available inside the block scope of a function handler. you can't access them in the root scope of your functions JS code (if somebody finds a way to do that, please comment here as I'd love to know too)