Why isn't my Firebase app connecting to Google Secret Manager?
I can't figure out why I keep getting the error: Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.

firebase login from my command line returns that I am already logged in and I have configured [email protected] to be a Secret Manager Secret Accessor in the GCP IAM admin dashboard within the same project.

Here's the code I'm using:

const { SecretManagerServiceClient } = require("@google-cloud/secret-manager");
// With no options, the client resolves Application Default Credentials.
const client = new SecretManagerServiceClient();

const gcpSecretsLoader = async (secretName: string) => {
  try {
    // accessSecretVersion resolves to an array; the first element is the response.
    const [secret] = await client.accessSecretVersion({
      name: `projects/my-app/secrets/${secretName}/versions/latest`,
    });
    const payload = secret.payload.data.toString("utf8");
    console.info(`Payload: ${payload}`);
  } catch (err) {
    console.log(err);
  }
};

gcpSecretsLoader("CLIENT_ID"); // CLIENT_ID matched a secret name within the secret manager

Leading answered 17/5, 2020 at 20:42

Comments (10)

Where are you running this code? On your local laptop or on firebase? - Horntail
If you are running this code locally, how are you specifying that your code should use the specified service account? Either set the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to the service account JSON key file or specify the service account JSON key file when creating the Secret Manager client SecretManagerServiceClient(). Review options.keyFilename in github.com/googleapis/nodejs-secret-manager/blob/master/src/v1/… - Brittenybrittingham
@Horntail I am running locally. I'm connecting to firebase via the cli. - Leading
@JohnHanley thanks for the advice. I connected the keyFileName as an option as you suggested, but I now get an error with details: "Permission 'secretmanager.versions.access' denied for resource..." I checked and the string I passed in matches the exact name of the secret (in my code above this is "CLIENT_ID"). - Leading
The service account does not have permission to access the secret. - Brittenybrittingham
@JohnHanley ahh sorry for the naive question, and thanks for the patient response :) I enabled it properly and it all works now, thank you, happy to accept your answer if you'd like to post it! Last question, a bit outside the scope, but now I fear that the sensitive contents of the service account json key file are in my local code. Is there an industry standard on how to handle this other than gitignoring it? - Leading
Have you installed the Cloud SDK or followed the local setup instructions at: cloud.google.com/secret-manager/docs/reference/… - Horntail
You should not download a service account credential locally. Instead, download the SDK and then run gcloud auth application-default login. - Horntail
@Leading Where will you be deploying this code? You should not have the service account file stored anywhere near your source code. After deploying in the cloud, use the default service account for the service to provide credentials. - Brittenybrittingham
@Horntail and @JohnHanley thanks for sticking with this one, I'm sensing I'm getting in over my head and may not be using the right solution. I'm using Firebase Functions to deploy the code, and figured it might be better to centralize my secrets in Secret Manager rather than firebase functions:config:set; however, considering my inexperience outside the realm of Firebase, perhaps it's smarter for me just to stick with firebase functions:config:set. - Leading
