
Error deploying Firebase Functions with Github Actions : secretsXXXX:setIamPolicy 403, Permission 'secretmanager.secrets


I have an issue deploying Firebase Functions using GitHub Actions after making 2 changes:

  • upgrading my functions from 1st Gen to 2nd Gen
  • switching to use Firebase Secrets instead of functions config

The GitHub Action was deploying fine before that and hasn't changed. It uses w9jds/firebase-action@master, with GCP_DEV_KEY being a valid service account key with (I believe) the correct permissions.

      - name: Firebase deploy on staging environment
        if: github.ref == 'refs/heads/staging'
        uses: w9jds/firebase-action@master
        with:
          args: deploy --project myprojectid --only storage,firestore,functions --force
        env:
          GCP_SA_KEY: ${{ secrets.GCP_DEV_KEY }}

Here are the GitHub Actions logs:

Run w9jds/firebase-action@master

Storing GCP_SA_KEY in /opt/gcp_key.json
Exporting GOOGLE_APPLICATION_CREDENTIALS=/opt/gcp_key.json

=== Deploying to 'myprojectid'...

i  deploying storage, firestore, functions
i  storage: ensuring required API firebasestorage.googleapis is enabled...
✔  storage: required API firebasestorage.googleapis is enabled
i  firebase.storage: checking storage.rules for compilation errors...
✔  firebase.storage: rules file storage.rules compiled successfully
i  firestore: reading indexes from firestore.indexes.json...
i  cloud.firestore: checking firestore.rules for compilation errors...
✔  cloud.firestore: rules file firestore.rules compiled successfully
i  functions: preparing codebase default for deployment
i  functions: ensuring required API cloudfunctions.googleapis is enabled...
i  functions: ensuring required API cloudbuild.googleapis is enabled...
i  artifactregistry: ensuring required API artifactregistry.googleapis is enabled...
✔  functions: required API cloudfunctions.googleapis is enabled
✔  functions: required API cloudbuild.googleapis is enabled
✔  artifactregistry: required API artifactregistry.googleapis is enabled
⚠  functions: package.json indicates an outdated version of firebase-functions. Please upgrade using npm install --save firebase-functions@latest in your functions directory.
i  functions: Loading and analyzing source code for codebase default to determine what to deploy
Serving at port 8871

i  extensions: ensuring required API firebaseextensions.googleapis is enabled...
✔  extensions: required API firebaseextensions.googleapis is enabled
i  functions: Loaded environment variables from .env, .env.myprojectid.
i  functions: preparing . directory for uploading...
i  functions: packaged /github/workspace (556.89 KB) for uploading
i  functions: packaged /github/workspace (558.97 KB) for uploading
i  functions: ensuring required API run.googleapis is enabled...
i  functions: ensuring required API eventarc.googleapis is enabled...
i  functions: ensuring required API pubsub.googleapis is enabled...
i  functions: ensuring required API storage.googleapis is enabled...
✔  functions: required API run.googleapis is enabled
✔  functions: required API pubsub.googleapis is enabled
✔  functions: required API eventarc.googleapis is enabled
✔  functions: required API storage.googleapis is enabled
i  functions: generating the service identity for pubsub.googleapis...
i  functions: generating the service identity for eventarc.googleapis...
i  functions: ensuring [email protected] access to secret EMAILING_API_KEY.
i  functions: ensuring [email protected] access to secret XXXXX_PASSWORD.
i  functions: ensuring [email protected] access to secret XXXXX_KEY.
i  functions: ensuring [email protected] access to secret XXXXX_SECRET.
i  functions: ensuring [email protected] access to secret XXXXX_API_KEY.
i  functions: ensuring [email protected] access to secret YYY_API_KEY.
i  functions: ensuring [email protected] access to secret XXXXX_API_SECRET_KEY.
i  functions: ensuring [email protected] access to secret XXXXX_OAUTH_CLIENT_SECRET.
i  functions: ensuring [email protected] access to secret YYY_OAUTH_CLIENT_SECRET.
i  functions: ensuring [email protected] access to secret ZZZZ_API_KEY.

Error: Request to :setIamPolicy had HTTP Error: 403, Permission 'secretmanager.secrets.setIamPolicy' denied for resource 'projects/myprojectid/secrets/EMAILING_API_KEY' (or it may not exist).

From what I understand, the issue comes from a missing permission on the deploying service account, which prevents it from setting the IAM policy that grants each of the functions access to the secrets?

I have double-checked that all of the secrets in use are indeed defined :

I have tried adding the following roles to the principal used for running the deployment:

  • Secret Manager Admin
  • Project IAM Admin
  • Security Admin
  • (even tried adding Editor just in case)

None of that changed anything, and I'm running out of ideas.

What am I missing? How can I make this deployment work again?

Thanks in advance for the help :)
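
A diagnostic for the situation described in the question, as an added example that is not part of the original post: it parses the 403 line from the log, then compares the identity inside the service account key with the role bindings in the target project's IAM policy. The key fields and the policy are constructed samples; in practice the policy would be the JSON printed by `gcloud projects get-iam-policy myprojectid --format=json`.

```python
import re

# The 403 line from the deploy log in the question.
SAMPLE_LOG = ("Error: Request to :setIamPolicy had HTTP Error: 403, Permission "
              "'secretmanager.secrets.setIamPolicy' denied for resource "
              "'projects/myprojectid/secrets/EMAILING_API_KEY' (or it may not exist).")
# Constructed samples: two fields of a service account key file and a project policy.
SAMPLE_KEY = {"client_email": "ci@example-other.iam.gserviceaccount.com",
              "project_id": "example-other"}
SAMPLE_POLICY = {"bindings": [{"role": "roles/secretmanager.admin", "members": [
    "serviceAccount:someone-else@myprojectid.iam.gserviceaccount.com"]}]}

DENIED = re.compile(r"Permission '(?P<permission>[\w.]+)' denied for resource "
                    r"'projects/(?P<project>[^/']+)/secrets/(?P<secret>[^']+)'")

def parse_denial(log_text):
    """Return the permission, project and secret named in the 403 line, or None."""
    match = DENIED.search(log_text)
    return match.groupdict() if match else None

def roles_for(policy, member):
    """Map each role bound to member to its IAM condition title (None if unconditional)."""
    roles = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            roles[binding["role"]] = (binding.get("condition") or {}).get("title")
    return roles

def diagnose(log_text, key, policy):
    """List mismatches between the key's identity and the target project's policy."""
    denial = parse_denial(log_text)
    if denial is None:
        return ["no IAM denial found in log"]
    member = "serviceAccount:" + key["client_email"]
    roles = roles_for(policy, member)
    findings = []
    if key["project_id"] != denial["project"]:
        findings.append(f"key belongs to {key['project_id']}, deploy targets {denial['project']}")
    if not roles:
        findings.append(f"{member} has no role bindings in {denial['project']}")
    for role, condition in roles.items():
        if condition:
            findings.append(f"{role} is conditional ({condition}); may not cover {denial['secret']}")
    return findings or [f"{member} holds {sorted(roles)}; verify one grants {denial['permission']}"]

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG, SAMPLE_KEY, SAMPLE_POLICY)))
```

A key issued in a different project is not an error in itself; the finding only points out that the roles have to be bound in the project named in the denied resource.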
