Tags: node.js, google-cloud-firestore, google-cloud-functions, google-secret-manager

Problem with permissions during deployment firebase cloud function v2


During deployment of a Firebase cloud function v2, I try to access a secret environment variable which I declared in the GCP UI.

I was granted the permission secretmanager.version.access; in fact, after running the CLI command firebase deploy --only functions, I receive an error: Error: HTTP Error: 403, Permission 'secretmanager.secrets.setIamPolicy' denied for resource 'projects/{my-project}/secrets/{secret-name}' (or it may not exist).

Here is the code of the function and how I am accessing the secret env variable:

import { initializeApp, getApps, getApp } from "firebase-admin/app";
import { getFirestore } from "firebase-admin/firestore";
import { onCall, HttpsError } from "firebase-functions/v2/https";
import jwt from "jsonwebtoken";

initializeApp();
const db = getFirestore();
const { sign, verify } = jwt;

export const inviteClientPerMail = onCall(
    {
      // Secret Manager secrets exposed to this function as environment variables
      secrets: ["secret-name"],
      region: "europe-west3",
      cors: true,
      enforceAppCheck: false
    },
    async (request) => {
      // function logic
      // ...
      // Bracket access is needed: a hyphenated name is not a valid identifier.
      // Debug output only; this writes the secret value to the function logs.
      console.log("Secret is: ", process.env["secret-name"]);
      // ...
      // function logic
    }
);
// ...

Is this an issue related to Firebase or to the cloud platform? Or how should the Firebase CLI see the permission that I have set in the GCP platform?


Solution

    1. Go to GCP Console -> Secret Manager.
    2. Click on the secret that should be accessible by the service account.
    3. Open PERMISSION -> VIEW BY ROLES tab.
    4. The Secret Manager Secret Accessor role should be given to the default Firebase account: [email protected]. The account can be found in the IAM section.

    Granting service account access to multiple keys in a single run is also possible.

    GCP secret grant permissions
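
The role grant from step 4, applied to several secrets in one run with gcloud, as an added example that is not part of the original answer. The project ID, service account address and secret names are placeholders you pass in (assumptions, not values from this page); the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: bind roles/secretmanager.secretAccessor on several secrets.
# Usage (all arguments are placeholders you supply):
#   DRY_RUN=0 sh grant.sh PROJECT_ID SERVICE_ACCOUNT_EMAIL SECRET [SECRET...]

ROLE="roles/secretmanager.secretAccessor"

# Secret IDs may contain letters, digits, '-' and '_', up to 255 characters.
valid_secret_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 255 ]
}

# Grant the accessor role per secret (resource-level, not project-wide).
# Returns non-zero if any secret ID was rejected or any gcloud call failed.
grant_accessor() {
  ga_project="$1"
  ga_member="serviceAccount:$2"
  ga_rc=0
  shift 2
  for ga_secret in "$@"; do
    if ! valid_secret_id "$ga_secret"; then
      echo "skip: invalid secret id '$ga_secret'" >&2
      ga_rc=1
      continue
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
      # Dry run (default): show the command instead of changing IAM policy.
      echo "gcloud secrets add-iam-policy-binding $ga_secret --project=$ga_project --member=$ga_member --role=$ROLE"
    else
      gcloud secrets add-iam-policy-binding "$ga_secret" \
        --project="$ga_project" --member="$ga_member" --role="$ROLE" || ga_rc=1
    fi
  done
  return "$ga_rc"
}

# Run only when called with a project, a service account and at least one secret.
if [ "$#" -ge 3 ]; then
  grant_accessor "$@"
fi
```

Whoever runs this with DRY_RUN=0 needs secretmanager.secrets.setIamPolicy on each secret, the same permission named in the 403 above.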