0

I'm trying to setup a Firebase project on Codeship CI/CD and I cannot seem to get the service credentials JSON key to work with my project when it's stored in an environment variable.

MVCE

Dev environment startup script

export FIREBASE_CREDENTIAL=BASE64ENCODED_credentials_json
export DATABASE_URL=https://my-project.firebaseio.com

echo $FIREBASE_CREDENTIAL | base64 -D > FIREBASE_CREDENTIAL.json
npm start

index.ts

import * as admin from "firebase-admin";

const credentials = require("../FIREBASE_CREDENTIAL.json");
const databaseURL = process.env.DATABASE_URL;

console.log(credentials.project_id); // succeeds
console.log(databaseURL); // is correct

admin.initializeApp({
  ...credentials,
  databaseURL,
  databaseAuthVariableOverride: { uid: "scraper" }
});

admin
  .database()
  .ref("/test")
  .set(admin.database.ServerValue.TIMESTAMP);

Codeship script

echo $FIREBASE_CREDENTIAL | base64 -di > FIREBASE_CREDENTIAL.json
nvm install 8
npm install
npm test

Results

On dev machine, the write succeeds as expected

On Codeship CI container, I get this error. 

console.warn node_modules/@firebase/logger/dist/index.cjs.js:66
    [2018-10-05T12:53:51.316Z]  @firebase/database: FIREBASE WARNING: {"code":"app/invalid-credential","message":"Credential implementation provided to initializeApp() via the \"credential\" property failed to fetch a valid Google OAuth2 access token with the following error: \"Failed to parse access token response: Error: Error while making request: getaddrinfo ENOTFOUND metadata.google.internal metadata.google.internal:80. Error code: ENOTFOUND\"."}
Luke Pighetti
  • 4,541
  • 7
  • 32
  • 57
  • That error message doesn't look like it has anything to do with the fact that you're trying to use an env var. I suggest you show the [MCVE](https://stackoverflow.com/help/mcve) of your code that's failing, and say more about how you're trying to invoke it. – Doug Stevenson Oct 04 '18 at 21:32
  • Hi Doug, it's like the string is getting corrupted between setting it and reading it. I have also tried encoding it in base64. This is an attempt to setup a CI pipeline on Codeship – Luke Pighetti Oct 04 '18 at 23:37
  • As I suggested, it makes sense to show exactly what you're doing to set all this up. Otherwise we're just left guessing what's going on. – Doug Stevenson Oct 04 '18 at 23:42
  • Hi Doug, thanks for the help. Just rewrote my question to be more complete. Hope it's helpful. Thanks again. – Luke Pighetti Oct 05 '18 at 00:07
  • Possible duplicate of [Using Node.JS, how do I read a JSON object into (server) memory?](https://stackoverflow.com/questions/10011011/using-node-js-how-do-i-read-a-json-object-into-server-memory) – Martin Zeitler Oct 05 '18 at 00:23
  • @DougStevenson can I use a CI token for this? Or is that only for deploying? – Luke Pighetti Oct 05 '18 at 01:07
  • @MartinZeitler It is not a duplicate of that. – Luke Pighetti Oct 05 '18 at 01:31
  • @LukePighetti when not running on GCP, it should be obvious why it cannot resolve for `metadata.google.internal`. – Martin Zeitler Oct 05 '18 at 01:38
  • @MartinZeitler I don't get that error when I run on my iMac. I only get that error when I try to store my `firebase-admin` certs in an environment variable so I can use it for integration testing in a CI pipeline. My iMac is not running on GCP, so I don't think that's the problem? – Luke Pighetti Oct 05 '18 at 02:02
  • I feel like I must be misunderstanding something stupid. I have a Node.js service that uses `firebase-admin` that is tested/deployed by a CI pipeline. I am having a terrible time trying to get this cert into my CI pipeline without checking it into version control. I need it for testing because I do reads/writes to a scratch database for integration testing. I cannot find any mention of this online and I don't understand how I am the first person to have this problem. Any insight is much appreciated, I'm at a loss here. – Luke Pighetti Oct 05 '18 at 02:09
  • How do you know that `echo $FIREBASE_SERVICE_KEY | base64 ...` is working the way you expect? Have you examined the output file? – Doug Stevenson Oct 05 '18 at 03:16
  • Yes I have. I have used this process on my dev machine and confirmed that it works. I have console.log the result on my CI server and confirmed the output. – Luke Pighetti Oct 05 '18 at 10:16
  • Updated my question with MVCE – Luke Pighetti Oct 05 '18 at 13:02
  • I have tried committing my credentials file to my repo and passing it to Codeship and I have the same problem. I suspect this is an issue with Codeship. – Luke Pighetti Oct 05 '18 at 14:20
  • Just tried this on Bitbucket Pipelines and I'm having the same error. So it's not a Codeship problem. – Luke Pighetti Oct 05 '18 at 15:06
  • `metadata.google.internal:80` is not available from my container, or anywhere. Why is Firebase Admin trying to connect to an internal Google address? @MartinZeitler – Luke Pighetti Oct 05 '18 at 16:10
  • Just tried this outside of my Jest tests and its failing both in and out. It's not a Jest issue. – Luke Pighetti Oct 05 '18 at 18:09
  • Just tried syncing the container time manually and the problem persists. – Luke Pighetti Oct 05 '18 at 18:09
  • Are you certain this `...credential` syntax is doing what you expect? Note that what you're doing there is very different than what the documentation shows: https://firebase.google.com/docs/admin/setup#initialize_the_sdk – Doug Stevenson Oct 05 '18 at 19:10
  • Hey Doug, I just came here to inform you that I found the problem and then saw your comment. Your comment is absolutely correct. That was my issue. Thank you for the help. Should I delete this? – Luke Pighetti Oct 05 '18 at 20:27

0 Answers0