
How to access the AWS Parameter Store secret variables from within amplify.yml #3348

Closed
vicam001 opened this issue Mar 4, 2023 · 5 comments
Labels
archived This issue has been locked. question Further information is requested

Comments


vicam001 commented Mar 4, 2023

App Id: d3czcsvXXXXXXX
AWS Region: eu-west-1
Amplify Hosting feature: Build settings

Question

This relates to issue #2466, which was closed without a proper answer to the question from @raphaelfavier:

How can I access (within the amplify.yml file) a secret stored in AWS Systems Manager Parameter Store?
Some things I've tried:

echo "$secrets"

but it returns an empty string

echo "NEXTAUTH_SECRET=${secrets.NEXTAUTH_SECRET}" >> .env

but this results in a "bad substitution" error.

AWS Amplify only shows how to access environment variables, but not secret environment variables.

@vicam001 vicam001 added the question Further information is requested label Mar 4, 2023
@AlissonRS

I also have the same question. I'm yet to figure out how to access secrets inside my Next.js app deployed via Amplify.

I tried to use Secrets Manager and adding the proper policies in the IAM role used by Amplify, but it doesn't work. So I saw the docs that suggest adding a parameter in Systems Manager Parameter Store instead, but it doesn't work either.


mkraenz commented Mar 20, 2023

Figured it out! And it only took 4 days of frustration...

It even works to get secrets during the frontend build for NextJS (i.e. not just for backend envs as the docs state)!

When you run a build, in the build step (after provision), click Cloning repository to see the corresponding logs.
It shows something like this.

2023-03-20T10:42:53.228Z [INFO]: ---- Setting Up SSM Secrets ----
2023-03-20T10:42:53.228Z [INFO]: SSM params {"Path":"/amplify/<your-app-id>/<branch-name>/","WithDecryption":true}
2023-03-20T10:42:53.343Z [INFO]: # Defaulting to Node version 16

Note the /amplify/<your-app-id>/<branch-name>/. In my case /amplify/<my redacted id>/main/. This is the base path you will need to use in SSM parameter store.

If your secrets setup is broken or non-existent, you will find one more line [WARNING]: !Failed to set up process.env.secrets in the logs.

2023-03-20T07:17:38.230Z [INFO]: ---- Setting Up SSM Secrets ----
2023-03-20T07:17:38.230Z [INFO]: SSM params {"Path":"/amplify/<your-app-id>/main/","WithDecryption":true}
2023-03-20T07:17:38.274Z [WARNING]: !Failed to set up process.env.secrets
2023-03-20T07:17:38.275Z [INFO]: # Defaulting to Node version 16

Now, with that information, let's head over to SSM parameter store.

Click Create Parameter and fill in the following:

name: /amplify/<your-app-id>/main/test2        (the base path should be the same as in your build logs as shown above)
tier: Standard
type: SecureString
KMS Key: My current Account
KMS Key ID: alias/aws/ssm      (I think this is the default key?)
value: helloworld2

Here's the one important part that I was missing.

My Amplify ServiceRole did not have access to SSM Parameter Store!

Possibly because I am using Pulumi to set up Amplify, which does not autogenerate a ServiceRole for Amplify. If you use the Amplify UI for setup, it asks you whether Amplify shall create a ServiceRole for you. I have not tested whether the autogenerated role gets access to SSM Parameter Store.

Anyway, I added the following policy to the Amplify ServiceRole.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter",
                "ssm:DescribeParameters"
            ],
            "Resource": "*"
        }
    ]
}

Now, when I rerun a build, my logs do not show [WARNING]: !Failed to set up process.env.secrets. And indeed, echo $secrets in the build spec

# ...
    frontend:
      phases:
        preBuild:
          commands:
            - npm ci
        build:
          commands:
            - echo "Building frontend"
            - pwd
            - echo $secrets
            # ...

results in the following frontend build logs when rebuilding

# Executing command: echo $secrets
{"test2":"helloworld2"}

  • Note: My full Amplify Service Role contains some more, in particular access to CloudWatch. I can post the full policy on request.
  • Note: You should not use the * wildcard in the policy but the actual path to your secrets. I just used * for testing purposes. Also one might be able to reduce to ssm:GetParameters or ssm:GetParametersByPath only.
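The `$secrets` variable shown in the build log above is a single JSON string, which is why the `${secrets.NEXTAUTH_SECRET}` substitution from the question fails with "bad substitution": bash cannot index into a string. The Node script below is an added example, not code from this thread, from the Amplify project or from its docs. It assumes a file named scripts/write-env.js run from the preBuild phase, an output file `.env.production`, and a key named NEXTAUTH_SECRET; the region, account ID, app ID and branch in the policy helper are placeholders. It parses the JSON, writes only an allow-listed key to a dotenv file with correct quoting, fails the build if the key is absent (the empty-string and `!Failed to set up process.env.secrets` cases), and builds the path-scoped IAM policy that replaces the `"Resource": "*"` used for testing in the comment above.

```javascript
// scripts/write-env.js (added example; file name and usage are assumptions)
//
// Amplify Hosting loads the SecureString parameters under
// /amplify/<app-id>/<branch>/ into ONE environment variable, `secrets`,
// whose value is a JSON object, e.g. {"test2":"helloworld2"}.
//
// Assumed amplify.yml usage:
//   preBuild:
//     commands:
//       - npm ci
//       - node scripts/write-env.js

// Parse the `secrets` env var. Returns {} for the failure modes seen in the
// thread: variable unset or empty (service role lacks SSM access, or the
// parameter path does not match /amplify/<app-id>/<branch>/), or a value
// that is not a JSON object.
function parseSecrets(raw) {
  if (!raw || raw.trim() === "") return {};
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return {};
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return {};
  return parsed;
}

// Quote a value for a dotenv line. Backslashes, double quotes and newlines
// inside a secret would otherwise corrupt the file or spill into the next key.
function dotenvQuote(value) {
  const escaped = String(value)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/\n/g, "\\n");
  return `"${escaped}"`;
}

// Render dotenv text for the allow-listed keys only, so an unrelated
// parameter under the same SSM prefix never lands in the build output.
// Throws when a required key is missing: the build then fails loudly
// instead of shipping an app with an undefined NEXTAUTH_SECRET.
function renderEnv(secrets, allowedKeys) {
  const lines = [];
  for (const key of allowedKeys) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) throw new Error(`bad key name: ${key}`);
    if (!Object.prototype.hasOwnProperty.call(secrets, key)) {
      throw new Error(`secret ${key} missing from $secrets; check the SSM path and the service role`);
    }
    lines.push(`${key}=${dotenvQuote(secrets[key])}`);
  }
  return lines.join("\n") + "\n";
}

// Least-privilege replacement for "Resource": "*": only parameters under
// this app's and branch's prefix are readable. Parameter ARNs drop the
// leading slash of the parameter name. ssm:DescribeParameters is left out
// here; the build log shows only a GetParametersByPath call.
function secretsReadPolicy(region, accountId, appId, branch) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AmplifyReadBranchSecrets",
        Effect: "Allow",
        Action: ["ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter"],
        Resource: `arn:aws:ssm:${region}:${accountId}:parameter/amplify/${appId}/${branch}/*`,
      },
    ],
  };
}

function main() {
  const fs = require("node:fs");
  const env = renderEnv(parseSecrets(process.env.secrets), ["NEXTAUTH_SECRET"]);
  // 0600: do not leave the secret world-readable in the build workspace.
  fs.writeFileSync(".env.production", env, { mode: 0o600 });
  console.log(`wrote .env.production with ${env.split("\n").length - 1} key(s)`);
}

if (typeof require !== "undefined" && require.main === module) {
  if (process.env.secrets === undefined) {
    console.error("secrets is not set in this environment; nothing written (see the SSM setup above)");
  } else {
    main();
  }
}
```

Next.js picks up `.env.production` during `next build`, so the value is available to server-side code without ever echoing it into the build log; keep `echo $secrets` out of amplify.yml once the setup works, since the build log prints everything in that variable in clear text.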


ghost commented May 16, 2023

Hi @vicam001 the above explanation is correct. Just to emphasize, Amplify can only access secrets under this path /amplify/{your_app_id}/{your_backend_environment_name} for that specific environment build. Please refer to our docs for more information about properly setting up environment secrets: https://docs.aws.amazon.com/amplify/latest/userguide/environment-variables.html#environment-secrets.

We will use the feedback in this issue to improve our documentation regarding this topic.

@ghost ghost closed this as completed May 16, 2023
@github-actions github-actions bot added the archived This issue has been locked. label May 16, 2023
@github-actions github-actions bot locked and limited conversation to collaborators May 16, 2023