I try to use cloud secret manager in combination with firebase app hosting, but app hosting can't fetch the keys from the secret manager when it's building.

My apphosting.yaml file looks like this:

env:
-   variable: NEXT_PUBLIC_FIREBASE_API_KEY
    secret: NEXT_PUBLIC_FIREBASE_API_KEY
-   variable: NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN
    secret: NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN
-   variable: NEXT_PUBLIC_FIREBASE_PROJECT_ID
    secret: NEXT_PUBLIC_FIREBASE_PROJECT_ID
-   variable: NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET
    secret: NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET
-   variable: NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID
    secret: NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID
-   variable: NEXT_PUBLIC_FIREBASE_APP_ID
    secret: NEXT_PUBLIC_FIREBASE_APP_ID
-   variable: NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID
    secret: NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID
-   variable: TURNSTILE_SECRET_KEY
    secret: TURNSTILE_SECRET_KEY
-   variable: TURNSTILE_SITE_KEY
    secret: TURNSTILE_SITE_KEY
-   variable: RECAPTCHA
    secret: RECAPTCHA

I've added the secrets with the following command and I see them in the cloud secret manager: firebase functions:secrets:set NEXT_PUBLIC_FIREBASE_API_KEY --project xx

Later I gave them the following principals with the role Secret Manager Secret Accessor:

1. [email protected]
2. [email protected]

I also tried with the command firebase apphosting:secrets:grantaccess NEXT_PUBLIC_FIREBASE_API_KEY, but that gave me the error apphosting did exist.

xx = my project name

Anyone have an idea what I'm missing? When I build I receive this error:

Misconfigured secret Error resolving secret version with name=projects/xx/secrets/NEXT_PUBLIC_FIREBASE_API_KEY/versions/latest. Please ensure the secret exists in your project and that your App Hosting backend has access to it. If the secret already exists in your project, please grant your App Hosting backend access to it with the CLI command 'firebase apphosting:secrets:grantaccess'

I try to use cloud secret manager in combination with firebase app hosting, but app hosting can't fetch the keys from the secret manager when it's building.

My apphosting.yaml file looks like this:

env:
-   variable: NEXT_PUBLIC_FIREBASE_API_KEY
    secret: NEXT_PUBLIC_FIREBASE_API_KEY
-   variable: NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN
    secret: NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN
-   variable: NEXT_PUBLIC_FIREBASE_PROJECT_ID
    secret: NEXT_PUBLIC_FIREBASE_PROJECT_ID
-   variable: NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET
    secret: NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET
-   variable: NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID
    secret: NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID
-   variable: NEXT_PUBLIC_FIREBASE_APP_ID
    secret: NEXT_PUBLIC_FIREBASE_APP_ID
-   variable: NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID
    secret: NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID
-   variable: TURNSTILE_SECRET_KEY
    secret: TURNSTILE_SECRET_KEY
-   variable: TURNSTILE_SITE_KEY
    secret: TURNSTILE_SITE_KEY
-   variable: RECAPTCHA
    secret: RECAPTCHA

I've added the secrets with the following command and I see them in the cloud secret manager: firebase functions:secrets:set NEXT_PUBLIC_FIREBASE_API_KEY --project xx

Later I gave them the following principals with the role Secret Manager Secret Accessor:

1. [email protected]
2. [email protected]

I also tried with the command firebase apphosting:secrets:grantaccess NEXT_PUBLIC_FIREBASE_API_KEY, but that gave me the error apphosting did exist.

xx = my project name

Anyone have an idea what I'm missing? When I build I receive this error:

Misconfigured secret Error resolving secret version with name=projects/xx/secrets/NEXT_PUBLIC_FIREBASE_API_KEY/versions/latest. Please ensure the secret exists in your project and that your App Hosting backend has access to it. If the secret already exists in your project, please grant your App Hosting backend access to it with the CLI command 'firebase apphosting:secrets:grantaccess'

• firebase
• firebase-tools
• firebase-app-hosting

Share Improve this question Follow edited Feb 27 at 19:28 Doug Stevenson 318k3636 gold badges456456 silver badges473473 bronze badges Recognized by Google Cloud Collective asked Feb 27 at 18:38 rafbanaanrafbanaan 45133 gold badges1111 silver badges3535 bronze badges 1

• firebase apphosting:secrets:grantaccess command must be run with --backend parameter. Example: firebase apphosting:secrets:grantaccess VARIABLE_NAME --backend appname. Are you sure you got this command right? – Raghavendra N Commented Mar 5 at 10:36

Add a comment  | 

2 Answers 2

Sorted by: Reset to default 1

Found the solution.. I missed an important install and the errors weren't making it very clear what I was missing.

I had to run the following command: curl -sL https://firebase.tools | bash

After this I could run the command from above answers, but I had to provide the project too:

firebase apphosting:secrets:grantaccess NEXT_PUBLIC_FIREBASE_API_KEY --backend xx --project xx

With --backend xx being the apphosting backend like @Alex Kempton was stating.

I had the exact same issue, and I can confirm that the comment from @raghavendra-n was the answer for me. You need to find the name of your backend, which is at the top of the App Hosting section of the firebase console.

firebase apphosting:secrets:grantaccess VARIABLE_NAME --backend appname

This then sets up some IAM stuff which made my deployment work.