Add env vars into lambda functions #684
Comments
@mrcoles you can set environment variables for the Lambda functions within the CloudFormation template: |
@troygoode thx for the link! IMO that’s not a good solution, because it would require putting secret keys into my git repo, which is a common anti-pattern for security. For now, I think I’m going to just manually enter the environment variables into the lambda functions via the AWS lambda console and keep that step in a launch checklist that I have to manually review. If I could expose them from the centralized AWS Amplify console, then that would be the best, as there’s a single source of truth for these environment variables and it’s separated from my codebase. |
@mrcoles Ah yes, I agree RE: secret keys. We're using AWS Secrets Manager for those (and giving the Lambda access to the correct secret):

```js
const AWS = require('aws-sdk')

// Fetch the secret from AWS Secrets Manager and return its parsed JSON value.
module.exports = async () => {
  const secretsManager = new AWS.SecretsManager()
  const secret = await secretsManager.getSecretValue({ SecretId: 'YOUR_KEY' }).promise()
  if (!secret) {
    throw new Error('Secret not found')
  }
  // SecretString holds the secret's JSON document as text.
  return JSON.parse(secret.SecretString)
}
```

Add to the

```json
{
  "Effect": "Allow",
  "Action": [
    "secretsmanager:GetSecretValue"
  ],
  "Resource": {
    "Fn::Sub": [
      "arn:aws:secretsmanager:${region}:${account}:secret:YOUR_KEY",
      {
        "region": {
          "Ref": "AWS::Region"
        },
        "account": {
          "Ref": "AWS::AccountId"
        }
      }
    ]
  }
}
```
|
@troygoode that’s helpful, thx! The snippet and policy are great! However, for the AWS Console/CLI I still have the feature request for one place to set these (that way misconfigurations are way less likely). |
Is there any progress on this front? I would like to be able to create environment variables in my lambda cloudformation template by passing them as parameters to the template. (ideally during an 'amplify push') |
Today we released an updated flow as a part of the functions category to pass resource identifiers like the cognito userpool ID (managed and generated by the Amplify CLI) to a lambda function as environment variables and also populate the corresponding lambda execution role to access these resources. You can install the latest version of the CLI and go through the |
@kaustavghosh06 are there docs on this? |
@kaustavghosh06 How can you access the DynamoDB table generated using PS: I tried reverse engineering how Amplify adds environment variables. I created a Lambda function using the |
I also started using AWS Secrets Manager. The
That allows you to create secrets with the following patterns:
|
@kaustavghosh06 why this issue was closed man? "Today we released an updated flow as a part of the functions category to pass resource identifiers like the cognito userpool ID ..." where are the docs? I saw this same comment from you many times here in many issues, sorry dude but we're not clairvoyant, we just want to use amplify. Thanks. |
@LucasAndrad Sorry for not attaching a link to the docs when closing the issue. But here's the doc reference - https://docs.amplify.aws/cli/function#function-templates You can jump to - |
@kaustavghosh06 I think what @LucasAndrad meant is that your permission related solution is a workaround which requires custom AWS Resources, and does not allow one to add new ENV vars to a Lambda from the CLI. I think the ticket was meant as a way to be done through the CLI, which would be nice to have. |
Yes, the issue I am running into is getting non AWS related environment variables from Amplify to Lambda without having to access the console and keeping the configuration mostly in code. If there was a way either via the CLI or the Cloudformation stack (AS A REF - so secrets are not in source repo), things would be a lot more convenient. |
I'm very close to getting this working but getting an error saying the lambda does not have access to call |
@ventinus It's not clear what you are or are not doing so I'm going to run down the gamut. First, make sure your lambda and secret share regions. Otherwise in your lambda you may need to switch regions before querying secrets manager. Now, when I set this up I set up the permission as * (I should probably adjust that!), so it may be that you need another permission like ListSecret or DescribeSecret, honestly I'm not sure. I'd try adding read permissions if the error is unclear. If that's not the issue, you might not have put the cloudformation in the right place. It should go in the cloudformation json in the root of the function you created in amplify. While you can set up your own role, I usually just piggy-back on the lambdaexecutionpolicy like so (notice the secrets manager entries and how they fit): I hope this helps. |
@ryanhollander thank you for your response, it worked using I'm not sure where the hashing is coming from though I'd be surprised if it was coming from amplify. Again, thanks for your help! |
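An added example (not code from any commenter or from Amplify) for auditing the Secrets Manager policy statements discussed in this thread: it flags a `*` resource and checks whether a resource pattern actually matches the secret's full ARN. It assumes the `Fn::Sub` values are already resolved to strings and that the full ARN ends in the hyphen plus six random characters that Secrets Manager appends to the secret name; the account ID, region and suffix are constructed.

```javascript
// Added example. Sample ARNs and statements below are constructed.

// Convert an IAM resource pattern ('*' = any run, '?' = one char) to a RegExp.
function iamPatternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// IAM action names are case-insensitive and may themselves contain wildcards.
function coversGetSecretValue(action) {
  return iamPatternToRegExp(action.toLowerCase()).test('secretsmanager:getsecretvalue');
}

// Classify each Allow statement that grants GetSecretValue against one secret ARN.
function auditStatements(statements, secretArn) {
  const findings = [];
  statements.forEach((stmt, index) => {
    if (stmt.Effect !== 'Allow') return;
    if (!asArray(stmt.Action).some(coversGetSecretValue)) return;
    for (const resource of asArray(stmt.Resource)) {
      let verdict;
      if (/^\*$|:secret:\*$/.test(resource)) verdict = 'too-broad';
      else if (iamPatternToRegExp(resource).test(secretArn)) verdict = 'ok';
      else verdict = 'does-not-match';
      findings.push({ index, resource, verdict });
    }
  });
  return findings;
}

// Constructed sample: full ARN of a secret named YOUR_KEY, with its random suffix.
const PREFIX = 'arn:aws:secretsmanager:us-east-1:111122223333:secret:';
const SAMPLE_ARN = PREFIX + 'YOUR_KEY-a1B2c3';
const SAMPLE_STATEMENTS = [
  { Effect: 'Allow', Action: ['secretsmanager:GetSecretValue'], Resource: '*' },
  { Effect: 'Allow', Action: ['secretsmanager:GetSecretValue'], Resource: PREFIX + 'YOUR_KEY' },
  { Effect: 'Allow', Action: 'secretsmanager:*', Resource: PREFIX + 'YOUR_KEY-??????' },
  { Effect: 'Allow', Action: ['logs:PutLogEvents'], Resource: '*' },
];

for (const f of auditStatements(SAMPLE_STATEMENTS, SAMPLE_ARN)) {
  console.log(`statement ${f.index}: ${f.verdict} (${f.resource})`);
}
```

The `-??????` form keeps the grant scoped to one secret name while still matching whatever suffix the service generated.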
@ventinus you're welcome! I'm not sure I understand this part:

> I am using the parameters.json file to pass the value of the secret id to the CFN template

I may not completely understand what you are doing, but if it helps, all I do is add the permissions and call secretsmanager inside my lambda with the secretid (not the ARN), what is returned is a JSON object that has several bits of data in it, like this (this is actual in production code I use, but I changed the actual secret id):
|
Apologies for the lack of clarity, I'm defining the secret id in parameters.json so it lives in an easy to find place to update and I inject that parameter value as an environment variable to the lambda as well as in IAM policy. |
@ventinus oh I see now, good idea. Thanks for clarifying. |
I've got stuck with this too and found a solution that I think will work for me at least. Leveraging dynamic variables in CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager.
If you are like me and hate being dependent on using the AWS console to have a working app, I've included a node script here for updating the secret from .env file you have locally.
|
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server |
Is your feature request related to a problem? Please describe.
I have a lambda function in my amplify project that needs access to environment variables, e.g., Stripe keys. I thought I could set them in the env vars in the AWS Amplify Console or somewhere else, but it turns out that those don’t get passed through to lambda functions.
Describe the solution you'd like
I would love to be able to expose environment variables that I set in the AWS Amplify console (or some other generalizable and secure way that avoids having them encrypted and not stored directly in my source code) to my Amplify project’s lambda functions.
Describe alternatives you've considered
For now it appears that I have to go into the AWS lambda console and set these environment variables by hand.