Functions emulator should not requires authenticated secret manager calls if .secret.local is defined about firebase-tools HOT 6 OPEN

Hey @glorat, thanks for the detailed report and for sharing your observations. I’ve been trying to reproduce this issue, but so far I haven’t been able to replicate the behavior mentioned. Here’s my current setup for reproducing the issue:

functions/index.js

import * as functions from "firebase-functions/v1"

const FUNCTION_SECRETS = ["FIRST_SECRET"]

export const helloWorld1 = functions
   .runWith({ secrets: FUNCTION_SECRETS }).https.onRequest((request, response) => {
       response.send("Hello from Firebase!" + process.env.FIRST_SECRET);
   });

export const processUploadedFile = functions
   .runWith({ secrets: FUNCTION_SECRETS })
   .storage.object()
   .onFinalize(() => {
       functions.logger.debug(`The first secret is ${process.env.FIRST_SECRET}`)
   })

functions/.secret.local

FIRST_SECRET=local-secret-first

No errors were raised running firebase emulators:start --project demo-project as well as when invoking the functions.

Just to verify, are you using defineSecret in your codebase? I found a similar issue that could be related #5520, and I tried adding defineSecret to my codebase and I was able to get the same error message you shared:

functions: Failed to load function definition from source: FirebaseError: HTTP Error: 401, Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

from firebase-tools.

Just to verify, are you using defineSecret in your codebase? I found a similar issue that could be related #5520, and I tried adding defineSecret to my codebase and I was able to get the same error message you shared:

functions: Failed to load function definition from source: FirebaseError: HTTP Error: 401, Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

Hi, yes you need to have defineSecrets in the codebase and a function that depends on that secret to cause this issue (e.g. .runWith({ secrets: FUNCTION_SECRETS })

My workaround also addresses #5520 , per my local testing. My proposed fix should also be good

from firebase-tools.

Thanks for the additional information @glorat. I’ll raise this to our engineering team so they can take a look. Also, it looks like you have a potential fix for this, feel free to make a PR if you feel up for it! Contributions are always welcome!

from firebase-tools.

Thanks for the additional information @glorat. I’ll raise this to our engineering team so they can take a look. Also, it looks like you have a potential fix for this, feel free to make a PR if you feel up for it! Contributions are always welcome!

Unfortunately, I couldn't figure out how to make my hardcoded approach generic and I can't quite infer the design so not confident to PR it. My direction to the dev team is to look at resolveParams in params.ts. It already excludes .env related params from the secrets manager check so one just needs to extend that the secrets.local exclusion too. However, it's not clear how to do that. Options include

1. Just try to read it right there in that function
2. Get it passed it like UserEnvs already does
3. Refactor and reuse the existing .secret.local loading code in the main emulator

I think I'll need to leave that with the devs to decide.

from firebase-tools.

@glorat I am also facing this issue, can you share your hardcoded solution? I would like to see it if possible, I am currently adding a TEST env var to firebase command, TEST=true firebase emulators:exec vitest then added a break in the loop in params.js:

for (const param of needSecret) {
        if (process.env.TEST) {
            break;
        }
        await handleSecret(param, firebaseConfig.projectId);
    }

Works for now for me but keen to see another solution to compare. Thanks

from firebase-tools.

@glorat I am also facing this issue, can you share your hardcoded solution? I would like to see it if possible, I am currently adding a TEST env var to firebase command, TEST=true firebase emulators:exec vitest then added a break in the loop in params.js:

for (const param of needSecret) {
        if (process.env.TEST) {
            break;
        }
        await handleSecret(param, firebaseConfig.projectId);
    }

Works for now for me but keen to see another solution to compare. Thanks

That's the way to go. This is best since you're happy to modify a local copy.

An alternative is to set secrets through environment but if you do this be careful not to deploy functions from command line and send the environment to the cloud.

from firebase-tools.