aalej
commented
17 hours ago Hey @glorat, thanks for the detailed report and for sharing your observations. I’ve been trying to reproduce this issue, but so far I haven’t been able to replicate the behavior mentioned. Here’s my current setup for reproducing the issue:
functions/index.js
import * as functions from "firebase-functions/v1"
const FUNCTION_SECRETS = ["FIRST_SECRET"]
export const helloWorld1 = functions
.runWith({ secrets: FUNCTION_SECRETS }).https.onRequest((request, response) => {
response.send("Hello from Firebase!" + process.env.FIRST_SECRET);
});
export const processUploadedFile = functions
.runWith({ secrets: FUNCTION_SECRETS })
.storage.object()
.onFinalize(() => {
functions.logger.debug(`The first secret is ${process.env.FIRST_SECRET}`)
})functions/.secret.local
FIRST_SECRET=local-secret-firstNo errors were raised running firebase emulators:start --project demo-project as well as when invoking the functions.
Just to verify, are you using defineSecret in your codebase? I found a similar issue that could be related #5520, and I tried adding defineSecret to my codebase and I was able to get the same error message you shared:
functions: Failed to load function definition from source: FirebaseError: HTTP Error: 401, Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
glorat
[REQUIRED] Environment info
firebase-tools: 13.12.0
Platform: macOS
[REQUIRED] Test case
A firebase function that depends on a secret. E.g.
Also have a .secret.local file that defines all required secrets
[REQUIRED] Steps to reproduce
With no firebase or application default credentials in place (or being offline)
firebase --project demo-my-project-id emulators:start[REQUIRED] Expected behavior
Since .secret.local is defined, we should not worry if secrets manager is inaccessible (due to lack of credentials or being offline) since we assume user has populated .secret.local properly. I expect any issues to be handled at runtime with
⬢ functions: Unable to access secret environment variables from Google Cloud Secret Manager. Make sure the credential used for the Functions Emulator have access or provide override values in /.../functions/.secret.local:as correctly handled byresolveSecretEnvs[REQUIRED] Actual behavior
⬢ functions: Failed to load function definition from source: FirebaseError: HTTP Error: 401, Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.Through debugging with local firebase-tools, this is happening in the functions deploy phase, where the issue is at
resolveParamswhich has the following codewhich requires caller to have access to the secret manager APIs to succeed.
Commenting out the call to handleSecret gives me the expected behaviour - if I have no credentials or even if I'm offline, the emulator starts with functions and my full stack operates as expected.
Background
The background is that I'm trying to get the emulator to work while fully offline as I'll be travelling without internet for a while and have been following advice from #3916 and elsewhere. This is the only issue that needs to be resolved for me to work offline.
Workaround
I have built a local copy of firebase-tools and commented out the
await handleSecretline and am okay now.Proposed fix
The best fix is for
handleSecretin params.ts to check for the existence of the secret in .secret.local before making the call out to secret manager. Centralise the code inresolveSecretEnvsin functionsEmulator for reuse.Or if it were me doing the PR, after line 385 in params.ts, I'd load .secret.local there, then for any matched secret, ignore the call to handleSecret.
I am open to making a PR for this patch if requested (since I'm using a local copy of firebase-tools anyway and can test easily).