
I can't figure out why I keep getting the error: `Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information.`

`firebase login` from my command line returns that I am already logged in, and I have configured `my-app@appspot.gserviceaccount.com` to be a Secret Manager Secret Accessor in the GCP IAM admin dashboard within the same project.

Here's the code I'm using:

```typescript
const { SecretManagerServiceClient } = require("@google-cloud/secret-manager");
const client = new SecretManagerServiceClient();

const gcpSecretsLoader = async (secretName: string) => {
  try {
    // accessSecretVersion resolves to an array; the response is its first element
    const [secret] = await client.accessSecretVersion({
      name: `projects/my-app/secrets/${secretName}/versions/latest`,
    });
    const payload = secret.payload.data.toString("utf8");
    console.info(`Payload: ${payload}`);
  } catch (err) {
    console.log(err);
  }
};

gcpSecretsLoader("CLIENT_ID"); // CLIENT_ID matched a secret name within the secret manager
```
mpc75
  • Where are you running this code? On your local laptop or on firebase? – sethvargo May 17 '20 at 21:20
  • If you are running this code locally, how are you specifying that your code should use the specified service account? Either set the environment variable `GOOGLE_APPLICATION_CREDENTIALS` to point to the service account JSON key file or specify the service account JSON key file when creating the Secret Manager client `SecretManagerServiceClient()`. Review `options.keyFilename` in https://github.com/googleapis/nodejs-secret-manager/blob/master/src/v1/secret_manager_service_client.ts – John Hanley May 17 '20 at 22:07
  • @sethvargo I am running locally. I'm connecting to firebase via the cli. – mpc75 May 17 '20 at 22:22
  • @JohnHanley thanks for the advice. I connected the keyFileName as an option as you suggested but I now get an error `details: "Permission 'secretmanager.versions.access' denied for resource...` I checked and the string I passed in matches the exact name of the secret (in my code above this is "CLIENT_ID"). – mpc75 May 17 '20 at 22:53
  • The service account does not have permission to access the secret. – John Hanley May 17 '20 at 22:57
  • @JohnHanley ahh sorry for the naive question, and thanks for the patient response :) I enabled it properly and it all works now, thank you, happy to accept your answer if you'd like to post it! Last question a bit outside the scope, but now I fear that the sensitive contents of the service account json key file are in my local code, is there an industry standard on how to handle this other than gitignoring it? – mpc75 May 17 '20 at 23:39
  • Have you installed the [Cloud SDK](https://cloud.google.com/sdk) or followed the local setup instructions at: https://cloud.google.com/secret-manager/docs/reference/libraries#setting_up_authentication? – sethvargo May 17 '20 at 23:40
  • You should not download a service account credential locally. Instead, download the SDK and then run `gcloud auth application-default login`. – sethvargo May 17 '20 at 23:41
  • @mpc75 Where will you be deploying this code? You should not have the service account file stored anywhere near your source code. After deploying in the cloud, use the default service account for the service to provide credentials. – John Hanley May 17 '20 at 23:58
  • @sethvargo and @JohnHanley thanks for sticking with this one, I'm sensing I'm getting in over my head and may not be using the right solution. I'm using Firebase Functions to deploy the code, and figured it might be better to centralize my secrets in Secret Manager rather than `firebase functions:config:set`; however, considering my inexperience outside the realm of Firebase perhaps it's smarter for me just to stick with `firebase functions:config:set`. – mpc75 May 18 '20 at 00:08
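
Added example, not part of the question or its comments: the comments name three places a client library can take credentials from (the `GOOGLE_APPLICATION_CREDENTIALS` key file, `gcloud auth application-default login`, and the service's default service account once deployed). This Node.js helper reports which one applies on the current machine, in the Application Default Credentials lookup order, and flags a service account key kept inside the source tree. `describeAdc`, `wellKnownAdcPath`, `readJson` and the option names are hypothetical, not part of any Google library.

```javascript
// Added example (hypothetical helper, not from @google-cloud/secret-manager).
// Reports which Application Default Credentials source applies, offline.
const fs = require("fs");
const os = require("os");
const path = require("path");

// File written by `gcloud auth application-default login`.
function wellKnownAdcPath(env = process.env) {
  const base = process.platform === "win32" && env.APPDATA
    ? env.APPDATA
    : path.join(os.homedir(), ".config");
  return path.join(base, "gcloud", "application_default_credentials.json");
}

function readJson(file) {
  try {
    return JSON.parse(fs.readFileSync(file, "utf8"));
  } catch {
    return null; // missing, unreadable or not JSON
  }
}

function describeAdc({
  env = process.env,
  projectDir = process.cwd(),
  wellKnown = wellKnownAdcPath(env),
  read = readJson,
} = {}) {
  const explicit = env.GOOGLE_APPLICATION_CREDENTIALS;
  // Lookup order: 1. explicit key file, 2. gcloud user credentials, 3. metadata server.
  const file = path.resolve(projectDir, explicit || wellKnown);
  const creds = read(file);
  if (!creds) {
    return explicit
      ? { source: "env", file, problem: "file missing or not JSON" }
      : { source: "metadata-server", note: "only answers when running on GCP" };
  }
  const result = { source: explicit ? "env" : "gcloud-adc", file, type: creds.type };
  // A long-lived service account key next to the code can end up committed or deployed.
  const rel = path.relative(projectDir, file);
  const inside = !path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..";
  if (creds.type === "service_account" && inside) {
    result.problem = "service account key stored inside the source tree";
  }
  return result;
}
```

Calling `console.log(describeAdc())` from the project directory prints the result for the real environment; a `metadata-server` result on a laptop corresponds to the "Could not load the default credentials" error in the question.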

0 Answers