Firebase CLI Fails to Deploy Functions with Secrets, Misreports as IAM Issue #8775

Open
@SamuelWakoli

Description

[REQUIRED] Environment info

firebase-tools: 14.8.0

Platform: Ubuntu 25.04

[REQUIRED] Test case

A 2nd gen Cloud Function with a secret:

const { defineSecret } = require('firebase-functions/params');
const { onCallGenkit } = require('firebase-functions/https');
const secret = defineSecret('MY_SECRET');
exports.myFunction = onCallGenkit({ secrets: [secret] }, async () => {});

.env file: MY_SECRET=value
[REQUIRED] Steps to reproduce

Enable APIs (cloudfunctions.googleapis.com, cloudbuild.googleapis.com, secretmanager.googleapis.com).
Run firebase deploy --only functions.
See failure with IAM error (screenshot attached):

i functions: Failed to verify the project has correct IAM bindings.
i functions: gcloud projects add-iam-policy-binding <project-id> --member=serviceAccount: --role=roles/monitoring.metricWriter
...
Error: Failed to modify IAM policy for the project.

Verify IAM roles (roles/monitoring.metricWriter, roles/cloudtrace.agent, roles/logging.logWriter) are assigned.
Requested owner role from admin, but issue persisted.
Manually created secret with gcloud: echo -n "value" | gcloud secrets create MY_SECRET --project= --data-file=-

Granted roles/secretmanager.secretAccessor to service account.
Retry firebase deploy --only functions, which succeeded.

[REQUIRED] Expected behavior

Firebase CLI auto-creates secrets from .env in Secret Manager.
Grants roles/secretmanager.secretAccessor to the service account.
Deploys without false IAM errors.

[REQUIRED] Actual behavior

CLI fails to set up secrets, misreports as IAM issue.
Shows incomplete gcloud commands (missing service account).
Deployment halts despite correct IAM roles.

Debug Logs (from screenshot):
i functions: Failed to verify the project has correct IAM bindings.
i functions: gcloud projects add-iam-policy-binding <project-id> --member=serviceAccount: --role=roles/monitoring.metricWriter
i functions: gcloud projects add-iam-policy-binding <project-id> --member=serviceAccount: --role=roles/cloudtrace.agent
i functions: gcloud projects add-iam-policy-binding <project-id> --member=serviceAccount: --role=roles/logging.logWriter
Error: Failed to modify IAM policy for the project.

Additional Context

  • Issue arose with a secret-using function (e.g., triggerAgenticMatching).
  • Owner role request didn’t resolve it; manual gcloud secret setup fixed it.
  • 23 other functions (HTTP, Firestore, webhook) deployed successfully post-fix.
  • Tied to 2nd gen functions and Secret Manager integration.

Suggested Fix

  • Auto-create secrets from .env in Secret Manager.
  • Auto-grant roles/secretmanager.secretAccessor.
  • Fix IAM error reporting for secret issues.

Notes

  • The screenshot confirms the IAM misreporting issue from your earlier log.
  • The manual gcloud command (gcloud secrets create) resolved the Secret Manager setup, highlighting the Firebase CLI's deficiency.
  • The issue is concise, fits the template, and avoids sensitive data while referencing your experience with admin escalation and the workaround.
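The manual workaround from the steps above (create each secret with gcloud, grant roles/secretmanager.secretAccessor) plus a check of the three roles the precheck complained about, scripted as an added example; this is not code from the issue or from firebase-tools. It assumes gcloud is installed and authenticated, that the function's runtime service account is passed as the third argument, and it binds the accessor role on each secret rather than project-wide, a least-privilege choice the report does not specify.

```shell
#!/bin/sh
# Added example, not from the issue or firebase-tools: scripts the manual
# workaround (create each .env secret, grant accessor on it) and reports which
# of the deploy precheck's roles are missing. Assumes gcloud is installed/logged in.
set -eu
# Print "KEY<TAB>VALUE" for each assignment in a .env file, skipping blank and
# comment lines and stripping one layer of surrounding double quotes.
parse_env() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"; val="${line#*=}"
    val="${val#\"}"; val="${val%\"}"
    printf '%s\t%s\n' "$key" "$val"
  done < "$1"
}

# Given the roles a service account already holds (one per line on stdin),
# print which of the roles the deploy precheck requires are still missing.
missing_roles() {
  have="$(cat)"
  for r in roles/monitoring.metricWriter roles/cloudtrace.agent roles/logging.logWriter; do
    printf '%s\n' "$have" | grep -qx "$r" || echo "$r"
  done
}

# Create (or add a version to) each secret from the .env file and bind the
# runtime service account on that secret only: a secret-level binding, not a
# project-wide one, so the account can read nothing else. Values go in via
# stdin, never on a command line where ps or shell history would show them.
apply_env_secrets() {
  parse_env "$1" | while IFS="$(printf '\t')" read -r key val; do
    if gcloud secrets describe "$key" --project="$2" >/dev/null 2>&1; then
      printf '%s' "$val" | gcloud secrets versions add "$key" --project="$2" --data-file=-
    else
      printf '%s' "$val" | gcloud secrets create "$key" --project="$2" \
        --replication-policy=automatic --data-file=-
    fi
    gcloud secrets add-iam-policy-binding "$key" --project="$2" \
      --member="serviceAccount:$3" --role=roles/secretmanager.secretAccessor
  done
}

# Usage: sh fix_secrets.sh .env PROJECT_ID RUNTIME_SA@PROJECT_ID.iam.gserviceaccount.com
if [ "$#" -eq 3 ]; then
  gcloud projects get-iam-policy "$2" --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$3" --format="value(bindings.role)" \
    | missing_roles | sed 's/^/still missing: /'
  apply_env_secrets "$1" "$2" "$3"
fi
```

Run it once before retrying firebase deploy --only functions; roles it reports as missing still need a project-level binding by an admin.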
