extensions icon indicating copy to clipboard operation
extensions copied to clipboard
verified publisher icon firebase

🐛 [[Trigger Email]] SMTP password "There was an error creating a secret"

Open Spitzbua opened this issue 2 years ago • 1 comments

[READ] Step 1: Are you in the right place?

Extension name: firestore-send-email Extension version: 0.1.31

[REQUIRED] Step 2: Describe your configuration

SMTP-Password cannot be set

[REQUIRED] Step 3: Describe the problem

Steps to reproduce:

I am trying to configure the extension. I am assuming that I am supposed to enter my SMTP password into the field for it and then click "Create secret", but when I click the button, a small box pops up saying: "There was an error creating a secret".

I see the same error whether on the initial install attempt or if I install the extension and try to add the password via Manage Configuration later.

Expected result

The secret is successfully created and used by the extension

Actual result

Although i am the owner of the project following errors occur:

{ "error": { "code": 403, "message": "Permission 'secretmanager.secrets.setIamPolicy' denied for resource 'projects/471113337/secrets/firestore-send-email-SMTP_PASSWORD-tdy9' (or it may not exist).", "status": "PERMISSION_DENIED" } }

I tried manually creating the secret but it wont be picked by the extension.

Spitzbua avatar Mar 14 '24 07:03 Spitzbua

@Spitzbua are you still seeing this issue? is your project part of an organization which perhaps has some rules restricting the creation of secrets?

pr-Mais avatar May 27 '24 11:05 pr-Mais

Closing as stale, feel free to reopen if the issue persists and you can provide some more information as requested.

cabljac avatar Feb 11 '25 15:02 cabljac

SAME issue here.

Problem Description

The deployment of Firebase Extensions (specifically firestore-send-email) is failing due to a persistent permission error when trying to access Secret Manager. The error occurs during the extension's attempt to access the SMTP password secret, despite multiple attempts to configure appropriate IAM permissions.

Error Messages

Error: Permission 'secretmanager.secrets.getIamPolicy' denied for resource 'projects/(number)/secrets/ext-firestore-send-email-SMTP_PASSWORD'

Current Configuration Status

Working/Correctly Configured:

  1. Project Setup:
  • Project ID: (actual here)
  • Required APIs are enabled:
  • [firebaseextensions.googleapis.com](http://firebaseextensions.googleapis.com/)
  • [secretmanager.googleapis.com](http://secretmanager.googleapis.com/)
  • Other Firebase services (Functions, Storage, Firestore)
  1. Secret Configuration:
  • Secret ext-firestore-send-email-SMTP_PASSWORD exists in Secret Manager
  • Secret has a value set
  • Secret is in the correct format and location
  1. Service Accounts:
  • Extension service account exists: [ext-firestore-send-email@(project name).iam.gserviceaccount.com](mailto:ext-firestore-send-email@(project name).iam.gserviceaccount.com)
  • Service account is properly created and associated with the extension

Troubleshooting Steps Attempted:

  1. IAM Role Assignments:
  • Granted roles/secretmanager.admin to the extension service account
  • Granted roles/secretmanager.secretAccessor to the extension service account
  • Granted roles/owner to the Firebase Extensions service account at project level
  • Verified IAM bindings were successfully applied
  1. Secret Management:
  • Recreated the secret with explicit permissions
  • Verified secret exists and is accessible
  • Confirmed secret value is properly set
  1. Extension Configuration:
  • Removed the CCPA extension to isolate the issue
  • Attempted deployment with only the email extension
  • Verified extension configuration in firebase.json
  1. Environment Setup:
  • Confirmed environment variables are properly set
  • Verified .env files are correctly configured
  • Checked environment detection logic

What's Not Working:

  1. Extension Deployment:
  • Deployment consistently fails with the same permission error
  • Error persists despite all permission configurations
  • Issue occurs specifically during the extension's attempt to access the secret's IAM policy
  1. Permission Resolution:
  • None of the attempted IAM role configurations resolved the issue
  • Even project-level owner permissions did not resolve the error
  • The specific secretmanager.secrets.getIamPolicy permission remains inaccessible

Additional Context:

  • The error occurs during the extension's initialization phase
  • The issue appears to be specific to how the Firebase Extensions service interacts with Secret Manager
  • The error persists across multiple deployment attempts
  • The same configuration works for other Firebase services (Functions, Storage, etc.)

Impact:

  • Unable to deploy and use the Firebase Extensions for email functionality
  • Blocking the implementation of automated email notifications
  • Affecting the ability to send booking confirmations and other critical communications

This issue appears to be a potential bug in how Firebase Extensions interacts with Secret Manager, as all standard permission configurations have been attempted without success. The consistent nature of the error across different permission configurations suggests this might be a deeper issue with the extension service's implementation.

FYI, we removed one of the two functions, in hopes of getting 1 working (firebase ext:uninstall (actual here) : i extensions: ensuring required API firebaseextensions.googleapis.com is enabled... ✔ extensions: required API firebaseextensions.googleapis.com is enabled i extensions: Checking project IAM policy... ✔ extensions: Project IAM policy OK Removed extension instance (actual here) from firebase.json Removed extension instance environment config extensions/(actual here)) bu that didn't work.

STEPS WE ULTIMATELY TOOK: deleted all Firebase extensions and used other non-extension options

mgav avatar Apr 18 '25 10:04 mgav