Automatic Lambda cross-env variables / secrets #13087

Closed
redjonzaci opened this issue Aug 8, 2023 · 9 comments
Labels
multienv Issues tied to multiple environment feature in the CLI pending-triage Issue is pending triage question General question

Comments

@redjonzaci
Contributor

Amplify CLI Version

12.2.3

Question

I tried amplify update function and added an environment secret.
I thought that it would automatically be added to any new env I created, but it didn't.
Now the problem is that we only use PR preview environments and the build fails because the environment secret has no value for this new env.
What would be the suggested approach to use an environment secret in every env,
without having to manually add it whenever a new env is created?

@redjonzaci redjonzaci added pending-triage Issue is pending triage question General question labels Aug 8, 2023
@ykethan ykethan added the multienv Issues tied to multiple environment feature in the CLI label Aug 9, 2023
@ykethan
Member

ykethan commented Aug 9, 2023

Hey @redjonzaci, this is currently not supported in Amplify CLI, as this would pose security issues in your environment.
If you would like to still implement this feature, I would suggest utilizing Amplify hooks with the AWS SDK, like

  1. creating a pre-push hook to read SSM parameters by path prefix with the env you want to copy from.
  2. then create SSM Parameters 1:1 with the PR Preview env name
    documentation: https://docs.amplify.aws/cli/reference/ssm-parameter-store/
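
The copy step suggested above could look like this. It is an added example, not part of the original thread and not Amplify's own code; the function names and the prefixes passed in by the caller are assumptions, and the AWS SDK v3 package `@aws-sdk/client-ssm` is assumed to be installed where the hook runs.

```javascript
// Added example: prefixes, names and values used with it are constructed.
const withSlash = (p) => (p.endsWith('/') ? p : p + '/');

// Pure planning step: which parameters to create under the new env prefix.
function planCopy(sourceParams, srcPrefix, dstPrefix, existingDstNames = []) {
  const src = withSlash(srcPrefix);
  const dst = withSlash(dstPrefix);
  const existing = new Set(existingDstNames);
  const plan = [];
  for (const p of sourceParams) {
    // Match on a whole path segment so ".../main" never picks up ".../main2".
    if (!p.Name.startsWith(src)) continue;
    const name = dst + p.Name.slice(src.length);
    // Never clobber a value already set for the preview env.
    if (existing.has(name)) continue;
    // Keep the type so a SecureString is not downgraded to a plain String.
    plan.push({ Name: name, Value: p.Value, Type: p.Type, Overwrite: false });
  }
  return plan;
}

// I/O step with AWS SDK v3, loaded lazily so planCopy stays testable offline.
async function copyParameters(srcPrefix, dstPrefix) {
  const { SSMClient, GetParametersByPathCommand, PutParameterCommand } =
    require('@aws-sdk/client-ssm');
  const ssm = new SSMClient({});
  const readAll = async (Path) => {
    const out = [];
    let NextToken;
    do {
      const page = await ssm.send(new GetParametersByPathCommand(
        { Path, Recursive: true, WithDecryption: true, NextToken }));
      out.push(...(page.Parameters || []));
      NextToken = page.NextToken;
    } while (NextToken);
    return out;
  };
  const source = await readAll(srcPrefix);
  const existing = (await readAll(dstPrefix)).map((p) => p.Name);
  const plan = planCopy(source, srcPrefix, dstPrefix, existing);
  for (const put of plan) {
    await ssm.send(new PutParameterCommand(put));
    console.log(`created ${put.Name} (${put.Type})`); // names only, never values
  }
  return plan.length;
}
```

The identity that runs the hook needs read access on the source path and write access on the target path only.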

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Aug 9, 2023
@redjonzaci
Contributor Author

Hey @ykethan thanks for the response!
If I am creating new envs only when I create new PRs, would the solution you are describing work so that my first build doesn't fail and then the env secret would be set on the Lambda?

I think I understand that we could set the secrets on a "main" env and then on each new PR copy those, but how would the Lambda access them? Or is that done automatically, when secrets with that Lambda's name exist in the env?

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Aug 17, 2023
@ykethan
Member

ykethan commented Aug 17, 2023

Hey @redjonzaci, the permissions for SSM access are generated with the env cfn parameter. To mitigate the build failures you could try setting the "Point all Pull Requests for this branch to an existing environment" option, which should build the preview on an existing env.

related: #12950

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Aug 17, 2023
@redjonzaci
Contributor Author

@ykethan I got a little confused by the answer, and I couldn't find the "Point all Pull Requests" option,
but for now, we will create an SSM parameter manually and then make a request to retrieve it whenever we need it.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Aug 20, 2023
@ykethan
Member

ykethan commented Aug 21, 2023

@redjonzaci the "Point all Pull Requests for this branch to an existing environment" option should be available in the AWS Amplify console under App settings -> Preview -> select a branch -> click on Manage; the option should show in a popup.

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Aug 21, 2023
@josefaidt
Contributor

Hey @redjonzaci are you still experiencing this? Were you able to successfully set up and use secrets/env vars in SSM for PR previews?

@redjonzaci
Contributor Author

@ykethan I got a little confused by the answer, and I couldn't find the "Point all Pull Requests" option, but for now, we will create an SSM parameter manually and then make a request to retrieve it whenever we need it.

Hey @josefaidt, we settled on this solution, so for the moment, it's okay.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Sep 12, 2023
@ykethan
Member

ykethan commented Sep 12, 2023

@redjonzaci thank you for the confirmation. Closing the issue; please feel free to reach out to us again.

@ykethan ykethan closed this as not planned Won't fix, can't repro, duplicate, stale Sep 12, 2023
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
