All secrets managed by firebase are pruned when I set a new version of one

[fgruchala]

[REQUIRED] Environment info

firebase-tools: 10.7.0

Platform: Ubuntu & macOS

[REQUIRED] Test case

firebase functions:secrets:set SECRET_NAME

This SECRET_NAME has to be labeled firebase-managed: true and used in a Cloud Function.

[REQUIRED] Steps to reproduce

[REQUIRED] Expected behavior

Just the SECRET_NAME has to be set and prune old version.
Not all ANOTHER_SECRET_NAME flagged firebase-managed: true

[REQUIRED] Actual behavior

It seems to prune all secrets flagged firebase-managed: true

[dimadeveatii]

I can confirm this issue, it happened to me as well.

When updating a secret, it asks you to redeploy all functions that uses it. Once you deploy them, it looks like it just prunes all other secrets that are used by other functions (without any confirmation).

This is quite critical, as in my case I ended up having a lot of secrets being destroyed.

[taeold]

Thanks for the feedback folks. It looks like our attempt to clean things up in order to make secrets less expensive to use is causing more trouble than I've anticiapted. I'm going back to the drawing boards to improve the UX of the pruning and will rollback automatic secret pruning after deploy.

You'll likely want to use firebase functions:secrets:prune from time to time to keep your # of secrets under the free quota!

[dimadeveatii]

@taeold using 10.8.0 and running firebase deploy --only functions still results in secrets being pruned without any prompt/confirmation message. Is it possible to completely disable auto pruning of secrets?

[dimadeveatii]

@taeold using 10.8.0 and running firebase deploy --only functions still results in secrets being pruned without any prompt/confirmation message. Is it possible to complete disable auto pruning of secrets?

In our case this is what happened:

• We configured all production secrets (~15 secrets)
• We then deployed only one function using firebase deploy --only functions:my-func that uses one of the secrets
• Result: all other secrets are pruned upon function deployment

And there is no workaround, it means we have to deploy all functions all-together if we want secrets not to be pruned.

[cayleyh]

We had this happen when a new deploy went out via CI. We didn't set or change any secrets or versions, but the prune command removed everything anyway (!).

We're now forcing 10.7 to be used until this can get addressed correctly.

[colerogers]

@dimadeveatii @cayleyh

Hey folks, I'm not able to re-produce the pruning behavior that you're experiencing. Here's what I did:

• Updated to the latest firebase-tools and firebase-functions
• Create 3 new secrets using the CLI command (firebase functions:secrets:set SECRET_NAME)
• Create 3 functions that each use one of the secrets
• Run firebase deploy --only functions:$FUNC to deploy only one of the functions

The secrets that are not is use are not being pruned. Did I miss something in the above steps? Thanks

[mthomas-io]

@colerogers which version did you use? I think this just got fixed yesterday with the 10.9.2 release https://github.com/firebase/firebase-tools/releases/tag/v10.9.2 which fixed #4540 and I think is a duplicate of this issue.

[emilioiz]

@colerogers I agree with @mthomas-io findings. I just spent hours trying to figure out what was going on to my function secrets and reviewing the docs over and over until I landed here. Nothing was working until I updated firebase-tools again. Then it all started working as expected.

[colerogers]

Yep you're correct, I was using the latest for both (10.9.2 for firebase-tools and 3.21.1 for firebase-functions). Apologies for the headache everyone! If the latest release works for everyone here, I'm going to close out this issue.

[cayleyh]

@colerogers not sure if it's possible, but can the broken versions be pulled from NPM? This caused pretty serious live ops issues for us and I'd hate for someone else to have it happen because the happen to get one of these versions somehow.