How to access the AWS Parameter Store secret variables from within amplify.yml #3348
Comments
I also have the same question. I'm yet to figure how to access secrets inside my Next.js app deployed via Amplify. I tried to use Secrets Manager and adding the proper policies in the IAM role used by Amplify, but it doesn't work. So I saw the docs that suggest adding a Parameter Store on Systems Manager instead, but it doesn't work either.
Figured it out! And it only took 4 days of frustration... It even works to get secrets during the frontend build for NextJS (i.e. not just for backend envs as the docs state)! When you run a build, in the
Note the If your secrets setup is broken or non-existent, you will find one more line
Now, with that information, let's head over to SSM parameter store. Click
Here's the one important part that I was missing. My Amplify ServiceRole did not have access to SSM Parameter Store! Possibly because I am using Pulumi to set up Amplify which does not autogenerate a ServiceRole for Amplify. If you use the Amplify UI for setup, it asks you whether Amplify shall create a ServiceRole for you. I have not tested whether the autogenerated role gets access to SSM Parameter Store. Anyway, I added the following policy to the Amplify ServiceRole.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    }
  ]
}
```

Now, when I rerun a build, my logs do not show

```yaml
# ...
frontend:
  phases:
    preBuild:
      commands:
        - npm ci
    build:
      commands:
        - echo "Building frontend"
        - pwd
        - echo $secrets
# ...
```

results in the following frontend build logs when rebuilding
|
Hi @vicam001, the above explanation is correct. Just to emphasize, Amplify can only access secrets under this path We will use the feedback in this issue to improve our documentation regarding this topic.
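
The policy posted above allows reads on every parameter in the account (`"Resource": "*"`), while the maintainer's reply notes that Amplify only reads secrets under one path. As an added example (not code from this thread or from AWS), the Python below flags the wildcard grants in the posted policy and builds a replacement scoped to a prefix; the function names are hypothetical, and the account ID and path prefix used to call it are constructed placeholders to be replaced with your own values.

```python
import json

# The policy as posted in the comment above (reads allowed on every parameter).
POSTED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Action": ["ssm:GetParametersByPath", "ssm:GetParameters",
             "ssm:GetParameter", "ssm:DescribeParameters"],
  "Resource": "*"}]}
""")

# Actions from the posted policy that return parameter values.
READ_ACTIONS = ["ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter"]


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def wildcard_findings(policy):
    """Return (sid, action) pairs where an Allow grants an ssm action on '*'."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            findings += [(stmt.get("Sid", ""), action)
                         for action in _as_list(stmt.get("Action", []))
                         if action.startswith("ssm:")]
    return findings


def scoped_policy(region, account_id, path_prefix):
    """Build a policy that allows value reads only at or below path_prefix."""
    prefix = path_prefix.strip("/")
    if not path_prefix.startswith("/") or not prefix or "*" in prefix:
        raise ValueError("path_prefix must be an absolute path without wildcards")
    base = f"arn:aws:ssm:{region}:{account_id}:parameter/{prefix}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadSecretsUnderPrefix", "Effect": "Allow",
             "Action": READ_ACTIONS, "Resource": [base, f"{base}/*"]},
            # DescribeParameters returns metadata (names, types), not values;
            # it is left on "*" as in the posted policy.
            {"Sid": "ListParameterMetadata", "Effect": "Allow",
             "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        ],
    }
```

Running `wildcard_findings` on the scoped result should report only the `ssm:DescribeParameters` statement, which makes it usable as a check in infrastructure code before the role is deployed.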
|
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Before opening, please confirm:
App Id
d3czcsvXXXXXXX
AWS Region
eu-west-1
Amplify Hosting feature
Build settings
Question
This relates to the issue #2466, which was closed without a proper answer to the question from @raphaelfavier:
How can I access (within the amplify.yml file) a secret stored in AWS Systems Manager Parameter Store?
Some things I've tried:
, but returns an empty string
but this results in a "bad substitution" error.
The AWS Amplify only show how to access environment variables, but not secret environment variables.