firebase-tools: Version 11.2.2 and higher do not attach secrets to functions upon deploy when using Firebase Functions SDK

[REQUIRED] Environment info

firebase-tools: 11.2.2,11.3.0 or 11.4.0 (has bug)

firebase-tools: 10.9.2 and 11.1.0 succeeds (no bug)

Platform: macOS

[REQUIRED] Test case

Have a function with runWith secrets:

export const playground = functions
  .runWith({
    secrets: [
      'TEST_SECRET',
    ],
  })
  .https.onRequest(app());

[REQUIRED] Steps to reproduce

Deploy the function:

firebase deploy --project projectId --config firebase.json --only functions:playground

[REQUIRED] Expected behavior

The secret should be attached to the function, as it is in 10.9.2 and 11.1.0.

[REQUIRED] Actual behavior

There is no log about attaching the TEST_SECRET in the buggy versions when deploying, whereas 10.9.2 and 11.1.0 do attach the secret. Inside the function, inspecting process.env.TEST_SECRET shows undefined in the buggy versions.

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 3
  • Comments: 26 (7 by maintainers)

Commits related to this issue

Most upvoted comments

@taeold I did some digging between 11.1.0 and 11.8.0. The issue appears to be that there was a change from discoverBackend to discoverBuild. Unfortunately, discoverBuild calls addResourcesToBuild which does not contain the block of code to copy the secrets to secretEnvironmentVariables that addResourcesToBackend does at https://github.com/firebase/firebase-tools/blob/v11.8.0/src/deploy/functions/runtimes/node/parseTriggers.ts#L496-L507

Looks like it was related to this change: https://github.com/firebase/firebase-tools/commit/39bf06e80b79c933a8a3fa5b471962e9d1b02b7c

+5
tpodom on Aug 24, 2022

@taeold I’ve got a debug log attached. But, I think I know why you weren’t able to reproduce it.

In my setup, my functions are part of a workspace so the npm list firebase-functions --json=true doesn’t return expected format. As a result, the sdkVersion ends up empty and it falls back to parseTriggers which still returns secrets instead of secretEnvironmentVariables.

If I break my package out as a standalone package it parses the firebase-functions version successfully and goes into discovery.detectFromPort which returns secretsEnvironmentVariables and carries forward successfully.

Here’s an example of the npm list output that is tripping it up:

{
  "version": "0.1.0",
  "name": "@tpodom/root",
  "dependencies": {
    "@tpodom/functions": {
      "resolved": "file:../../packages/functions",
      "dependencies": {
        "firebase-functions-test": {
          "version": "2.3.0",
          "resolved": "https://registry.npmjs.org/firebase-functions-test/-/firebase-functions-test-2.3.0.tgz",
          "dependencies": {
            "firebase-functions": {
              "version": "3.22.0"
            }
          }
        },
        "firebase-functions": {
          "version": "3.22.0",
          "resolved": "https://registry.npmjs.org/firebase-functions/-/firebase-functions-3.22.0.tgz"
        }
      }
    }
  }
}

broken.debug.log.gz

+2
tpodom on Aug 27, 2022

Not sure, I have not test this flow for such time

+1
Thaina on May 23, 2023

I still got this warning in 11.16.0 when run in firebase emulator

{“severity”:“WARNING”,“message”:“No value found for secret parameter "DIALOGFLOW_KEYFILE". A function can only access a secret if you include the secret in the function’s dependency array.”}

{“severity”:“WARNING”,“message”:“No value found for secret parameter "FACEBOOK_TOKENS". A function can only access a secret if you include the secret in the function’s dependency array.”}

image

This is my code


const functionsParams = require('firebase-functions/params');
var FACEBOOK_TOKENS = functionsParams.defineSecret("FACEBOOK_TOKENS");
var DIALOGFLOW_KEYFILE = functionsParams.defineSecret("DIALOGFLOW_KEYFILE");

exports.WebHook = functions.region("asia-east1").runWith({ secrets: [FACEBOOK_TOKENS,DIALOGFLOW_KEYFILE] }).https.onRequest(async (request,response) => {
	console.log(DIALOGFLOW_KEYFILE.value());
	console.log(FACEBOOK_TOKENS.value());

Even I have set my secret properly

image

It also have weird behaviour that 1 in 10 times it might get the value for unknown reason

+1
Thaina on Nov 15, 2022

@protyze Are you also using something like yarn/npm workspaces the way @tpodom described?

+1
taeold on Sep 1, 2022

@tpodom Thanks for following up. That gives me some closure on why things weren’t working as I’d expect.

Monorepo isn’t something we failed to consider when developing in the CLI, and this is yet another reason for us to pay more attention to it. Same story with yarn pnp support.

We have a 4 year old issue - https://github.com/firebase/firebase-tools/issues/653 - if anything you’ll hear us from this. Thanks you again for helping us understand the issue better.

+1
taeold on Sep 1, 2022

I’m seeing this as well. Is there anything I can do to help get to the bottom of the issue? I’m using firebase-functions 3.22.0 and firebase-tools 11.7.0.

I didn’t notice the issue at first because functions that were previously deployed with secrets still show secrets in Google Cloud. But, deploying new secrets is not working. If I manually add the secret to the function in Google Cloud it seems to stick around after redeploy.

This issue doesn’t seem to be a problem with the emulator, it’s just when it creates the function in Google Cloud from firebase deploy.

+1
tpodom on Aug 23, 2022
Read more comments on GitHub
← firebase-tools: verifyDeveloperNodeModules() fails to discover "firebase-admin"
firebase-tools: Very slow initial query to Firestore emulator →