
URGENT: App Hosting build fails with "PermissionDenied" on secrets, blocking all deployments. Platform bug suspected. #561

@contact372


My Firebase App Hosting backend is consistently failing during the build process, making it impossible to deploy my application. The failure occurs at the preparer step with a PermissionDenied error when trying to resolve secrets from Secret Manager.

I have exhausted every documented solution and have strong evidence to believe this is a platform-level bug, not a configuration error.

Project Information:

Project ID: gen-lang-client-0395827708
App Hosting Backend ID: kiss
Region: us-east4
Error Log: The build fails every time with this error, even after trying all fixes:

(error ID: 6b11cd49-78da-4868-a983-c2169a5b60b9):
{"reason":"Misconfigured Secret","code":"fah/misconfigured-secret", ... "rawLog":"getting secret version: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.get' denied for resource 'projects/85782219182/secrets/WHOP_WEBHOOK_SECRET/versions/latest' (or it may not exist)."}

The Critical Finding: The Build SUCCEEDS Without Secrets

The most important piece of evidence is this:

If the env section is present in apphosting.yaml, the build fails with PermissionDenied.
If I completely remove the env section from apphosting.yaml, the build succeeds and deploys a new version to Cloud Run.
This proves that my repository, Dockerfile, and basic build process are correct. The failure is exclusively linked to the preparer step's inability to resolve secrets, despite correct IAM permissions.

Exhaustive Troubleshooting Steps Already Taken:

I have meticulously followed all documentation and community advice with no success:

Correct IAM Roles: Both required service accounts have the Secret Manager Secret Accessor role.

service-85782219182@gcp-sa-firebaseapphosting.iam.gserviceaccount.com
[email protected]
Official Grant Access Command: I have run firebase apphosting:secrets:grantaccess for all secrets linked to the backend. It completed successfully but did not fix the build error.

Full Secret Path: I modified apphosting.yaml to use the full, explicit secret path with the project number (e.g., projects/85782219182/secrets/MY_SECRET), as suggested in similar bug reports. The build still failed with PermissionDenied but on the correct, full path.

availability Workaround: I tested setting all secrets to availability: [RUNTIME]. The build still failed at the preparer step trying to access them, suggesting the availability flag is being ignored during the build.

Backend Re-creation: I have completely deleted and recreated the App Hosting backend, which did not solve the issue.

Secret Integrity: All secrets exist, have active versions, and are located in the correct project.

Conclusion: My project is completely blocked by what appears to be a platform bug where the App Hosting build environment does not honor the IAM permissions for secrets. I have done everything possible from my side.

Please investigate this as a high-priority issue.

Thank you.
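
Added example, not part of the original issue or of Firebase's tooling: a Python check that reads the denied permission out of a `rawLog` like the one quoted above and lists which service accounts have no direct binding to a role carrying that permission. The role-to-permission table, the second account name and the policy (shaped like `gcloud secrets get-iam-policy --format=json` output) are assumptions constructed for illustration.

```python
import json
import re

# Permissions carried by predefined Secret Manager roles, reduced to the two
# that matter here. Assumption: copied from the public IAM role reference;
# confirm with `gcloud iam roles describe ROLE`.
ROLE_PERMISSIONS = {
    "roles/secretmanager.secretAccessor": {"secretmanager.versions.access"},
    "roles/secretmanager.viewer": {"secretmanager.versions.get"},
    "roles/secretmanager.admin": {"secretmanager.versions.access",
                                  "secretmanager.versions.get"},
}
DENIED_RE = re.compile(r"Permission '([^']+)' denied for resource '([^']+)'")

def parse_denial(error_json):
    """Return (permission, resource) named in the rawLog of a build error."""
    match = DENIED_RE.search(json.loads(error_json)["rawLog"])
    if match is None:
        raise ValueError("rawLog carries no permission-denied message")
    return match.group(1), match.group(2)

def members_missing(permission, policy, expected):
    """Expected members with no direct binding to a role carrying permission.
    Conditional bindings and inherited project-level grants are not evaluated."""
    holders = set()
    for binding in policy.get("bindings", []):
        if permission in ROLE_PERMISSIONS.get(binding["role"], set()):
            holders.update(binding.get("members", []))
    return [m for m in expected if m not in holders]

# Constructed sample: the rawLog text is the one quoted in the report; the
# second account name and the policy itself are made up for illustration.
EXPECTED = [
    "serviceAccount:service-85782219182@gcp-sa-firebaseapphosting.iam.gserviceaccount.com",
    "serviceAccount:build-sa@example-project.iam.gserviceaccount.com",
]
SAMPLE_ERROR = json.dumps({"code": "fah/misconfigured-secret", "rawLog": (
    "getting secret version: rpc error: code = PermissionDenied desc = "
    "Permission 'secretmanager.versions.get' denied for resource "
    "'projects/85782219182/secrets/WHOP_WEBHOOK_SECRET/versions/latest' "
    "(or it may not exist).")})
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/secretmanager.secretAccessor", "members": list(EXPECTED)}]}

if __name__ == "__main__":
    perm, resource = parse_denial(SAMPLE_ERROR)
    print(f"denied: {perm} on {resource}")
    for member in members_missing(perm, SAMPLE_POLICY, EXPECTED):
        print(f"no direct role with {perm}: {member}")
```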
