I’m having trouble deploying my Firebase Functions through GitHub Actions. I recently upgraded to 2nd Gen functions and switched to Firebase Secrets. Now I’m getting a 403 error.
The error says I don’t have permission for ‘secretmanager.secrets.setIamPolicy’ on my project’s secrets. I’ve checked and all the secrets are there in Google Cloud.
I’ve tried giving the service account more roles like Secret Manager Admin, Project IAM Admin, and even Editor. But nothing’s working.
Here’s a snippet of my GitHub Actions config:
    - name: Deploy to Firebase
      uses: w9jds/firebase-action@master
      with:
        args: deploy --project myapp --only functions,firestore,storage --force
      env:
        GCP_SA_KEY: ${{ secrets.MY_GCP_KEY }}
Any ideas on how to fix this? I’m totally stuck. Thanks for any help!
hey there jackHero, i’ve run into similar issues before. have you tried using the Cloud Functions Developer role instead? it’s more specific to functions and might solve your problem. also, double-check that your service account has the right permissions in both firebase and gcp. good luck!
yo jack, been there done that. try checkin ur service account has ‘Secret Manager Secret Accessor’ role in GCP not just Firebase. sometimes the issue is there. also, maybe regenerate ur GCP_SA_KEY and update it in GitHub. that fixed it for me once. gl mate!
I encountered a similar issue recently. The key was updating the service account permissions in Google Cloud, not just Firebase. Make sure your service account has the ‘Secret Manager Secret Accessor’ role specifically. This allows it to access secrets without the broader permissions that were causing issues for you.
Also, verify that your GCP_SA_KEY in GitHub secrets is up-to-date. Sometimes regenerating the key and updating it in GitHub can resolve unexpected permission issues.
If those don’t work, try running the deployment locally with firebase-tools CLI using the same service account. This can provide more detailed error messages to pinpoint the exact permission gap.
I’ve been through this headache before, and it’s a tricky one. The issue likely stems from the transition to 2nd Gen functions and Firebase Secrets. One thing that worked for me was explicitly granting the ‘secretmanager.admin’ role to the service account. This role provides full control over secrets, which seems to be what the deployment process needs.
Additionally, make sure your service account has the ‘cloudfunctions.developer’ role. This combo should cover most bases for function deployment and secret management.
If you’re still hitting walls, try breaking down the deployment into smaller steps. Deploy functions separately from firestore and storage. This can help isolate where exactly the permission issue is occurring.
Lastly, double-check that your GCP project ID in the GitHub Actions config matches exactly with your Firebase project ID. Mismatches here can cause unexpected permission errors.
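Added example (not from any of the posts above): a small audit that ties the thread's checks together by reading which identity the GCP_SA_KEY JSON actually represents, listing the roles bound to it in the project IAM policy, and reporting whether any of them contains the permission named in the 403. The account names, the policy and the abridged role permission lists are constructed sample data; real inputs come from the gcloud commands named in the comments.

```python
import json

REQUIRED = "secretmanager.secrets.setIamPolicy"  # permission named in the 403

# Constructed sample inputs (not real data). Real ones come from:
#   the JSON stored in GCP_SA_KEY (only two non-secret fields are read)
#   gcloud projects get-iam-policy PROJECT --format=json
#   gcloud iam roles describe ROLE --format=json   (field includedPermissions)
KEY = json.loads('{"project_id": "myapp",'
                 ' "client_email": "deployer@myapp.iam.gserviceaccount.com"}')
POLICY = json.loads("""{"bindings": [
  {"role": "roles/secretmanager.secretAccessor",
   "members": ["serviceAccount:deployer@myapp.iam.gserviceaccount.com"]},
  {"role": "roles/secretmanager.admin",
   "members": ["serviceAccount:other-sa@myapp.iam.gserviceaccount.com"]},
  {"role": "roles/cloudfunctions.developer",
   "members": ["serviceAccount:deployer@myapp.iam.gserviceaccount.com"],
   "condition": {"title": "temp",
                 "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}}
]}""")
ROLE_PERMS = {  # abridged includedPermissions lists, for illustration
    "roles/secretmanager.secretAccessor": ["secretmanager.versions.access"],
    "roles/secretmanager.admin": ["secretmanager.secrets.get",
                                  "secretmanager.secrets.setIamPolicy"],
    "roles/cloudfunctions.developer": ["cloudfunctions.functions.update"],
}

def audit(key, policy, role_perms, required, deploy_project):
    """Report the roles held by the key's identity and which grant `required`."""
    member = "serviceAccount:" + key["client_email"]
    held, granting, conditional = [], [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue  # role is bound to some other principal
        held.append(binding["role"])
        if required in role_perms.get(binding["role"], []):
            granting.append(binding["role"])
        if "condition" in binding:  # conditional grants may not apply at deploy time
            conditional.append(binding["role"])
    return {"member": member,
            # key's home project vs. the --project value passed to the deploy
            "project_matches": key.get("project_id") == deploy_project,
            "held_roles": held, "granting_roles": granting,
            "conditional_roles": conditional}

if __name__ == "__main__":
    print(json.dumps(audit(KEY, POLICY, ROLE_PERMS, REQUIRED, "myapp"), indent=2))
```

The audit only sees direct project-level bindings, so roles inherited from a folder or organization, granted through a group, or set on an individual secret need to be checked separately.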