Can't read environment variables at build

I’m congifuring my app so that I don’t commit any data to git that I don’t want (firebase json/plist files, SSO ID’s, etc.) and using eas secrets to provide them at build.

I’ve followed the instructions on Environment variables and secrets in EAS Build - Expo Documentation, however there are a few issues I’ve encountered.

My app.config.ts file is as follows:

import { ExpoConfig, ConfigContext } from "expo/config"
import * as dotenv from "dotenv"

dotenv.config({ path: ".env.local", override: true })

export default ({ config }: ConfigContext): ExpoConfig => ({
  ios: {
    googleServicesFile: process.env.GOOGLE_SERVICES_PLIST
  android: {,
    googleServicesFile: process.env.GOOGLE_SERVICES_JSON
  plugins: [
    ...config.plugins || [],
        appID: process.env.SSO_FB_APPID,
        clientToken: process.env.SSO_FB_CLIENT_TOKEN,
        displayName: "my-app",
        scheme: `fb${process.env.SSO_FB_APPID}`,

When running a build with eas, in the Read app config step I can see that it’s successfully parsed app.json and app.config.ts together: (output truncated)

Using app configuration
  "name": "my-app"
  "ios" {
    "googleServicesFile": "/home/expo/workingdir/environment-secrets/8feexxxx-xxxx-xxxx-xxxx-xxxxxxxx6649" // Redaction made by me
    "googleServicesFile": "/home/expo/workingdir/environment-secrets/b8b2xxxx-xxxx-xxxx-xxxx-xxxxxxxx6e77" // Redaction made by me
  "plugins": [
        "appID": "****************", // Redactions made by eas
        "clientToken": "********************************",
        "displayName": "my-app",
        "scheme": "fb****************"

But I error at the Prebuild step:

[stderr] CommandError: missing appID in the plugin properties

Which is referring to the appID property for the react-native-fbsdk-next plugin.

I can also confirm that the secrets are available at build. In the Spin up build environment step, I see:

Environment secrets:
  GOOGLE_SERVICES_JSON=/home/expo/workingdir/environment-secrets/b8b2xxxx-xxxx-xxxx-xxxx-xxxxxxxx6e77 // Redactions made by me
  SSO_FB_APPID=********  // Redactions made by eas

I’ve seen some stuff placing environment variables in eas.json, however I must be misinterpreting it as that defeats the whole point of secrets if you have to put them in in plaintext and commit them to my repository?
As you can see, I’m storing client secrets (SSO for FB and google services files), so they’re not exactly “secrets”, but it doesn’t feel right committing them into my repository, especially since the Expo documentation uses google service files as examples of things to not commit

Furthermore, if I run the build locally, and move my react-native-fbsdk-next config into my app.json file and hardcode the values, I then run into issues with the google services file:

[PREBUILD] Error: [android.dangerous]: withAndroidDangerousBaseMod: Path to google-services.json is not defined. Please specify the `` field in app.json.

…so the issue is just moving around to anything related to env vars, and it’s not specific to the plugin config.

Given that I’ve been able to confirm that my environment variables are indeed set, and that they are being transpired into the app.json the build is using, I’m not sure where else to go from here.

Thanks for any help! :slight_smile:

I’ve seen some stuff placing environment variables in eas.json , however I must be misinterpreting it as that defeats the whole point of secrets if you have to put them in in plaintext and commit them to my repository?

environment variables in EAS build profile config are meant for plaintext values, you don’t need to re-declare secrets there. secrets defined on your project through eas secret or on the website will automatically be loaded into your builds.

my guess is that maybe your dotenv configuration is somehow clobbering the values. i’d try removing that.

I’ve given it a go and removed any env variables from eas.json file and only relied on app.config.ts.

Even then I still run into issues where it complains about not finding the google-services.json file - which definitely should be a secret. Same goes when trying to set SSO_FB_APPID. It just can’t pick them up in the prebuild step.

prebuild has access to the environment variables the same as the rest of the build process. can you try creating a minimal reproducible example?