amplify-backend
amplify-backend copied to clipboard
aws-amplify
Gen2 shared secrets wrong path/permissions
Environment information
System:
OS: Windows 11 10.0.22631
CPU: (16) x64 AMD Ryzen 7 6800H with Radeon Graphics
Memory: 6.90 GB / 31.26 GB
Binaries:
Node: 20.12.2 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.22 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
npm: 10.5.0 - C:\Program Files\nodejs\npm.CMD
pnpm: 7.33.5 - ~\AppData\Local\pnpm\pnpm.EXE
NPM Packages:
@aws-amplify/backend: 1.0.3
@aws-amplify/backend-cli: 1.0.4
aws-amplify: 6.3.6
aws-cdk: Not Found
aws-cdk-lib: Not Found
typescript: 5.4.5
AWS environment variables:
AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
AWS_REGION = eu-central-1
AWS_SDK_LOAD_CONFIG = 1
AWS_STS_REGIONAL_ENDPOINTS = regional
No CDK environment variables
Description
When using a shared secret (defined for all branches but e.g. not in sandbox), from a function the lambda config ends up being wrong :S
The secret has a wrong sharedPath in AMPLIFY_SSM_ENV_CONFIG env var:
/amplify/shared/<npm package name>/SECRET_NAME
This should be:
/amplify/shared/<amplify app-id>/SECRET_NAME
At least that is the path where the secret is in SSM.
The wrong path is also specified in the IAM policy for the lambda.
End result is function fails with:
AccessDeniedException: User: arn:aws:sts::12345678:assumed-role/amplify-xxxx-functionlambdaService-5bAqBWD3Dym7/amplify-xxxxx-somelambda811610-epog9XEQtiAo is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:eu-central-1:12345678:* because no identity-based policy allows the ssm:GetParameters action
Guessing this arises from here: https://github.com/aws-amplify/amplify-backend/blob/main/packages/backend-function/src/lambda-shims/resolve_ssm_params.ts#L60
Hi @pjoe 👋 , thanks for raising this with us. To test the configuration of secrets with functions, I followed these steps:
- Created a new Gen 2 backend using
npm create amplify@latest. - Added a function following the guide.
- Configured a secret as per the guide.
- Pushed the changes to the repository and created a new app in the Amplify console.
- Added the secret in the console using the guide.
- After deployment was completed, invoked the function and reviewed the response and environment variables.
Throughout the process, I observed that the AMPLIFY_SSM_ENV_CONFIG environment variable had the expected sharedPath key set to amplify/shared/<appid>/<secret-name>, which is the correct SSM secret path.
Can you share a screenshot of the path you observed? Additionally, it would be helpful if you could provide reproduction steps for us to investigate further.
I can unfortunately not share code as this is on a proprietary project. One thing that might make a difference is that we are using a Nx monorepo. Will try to find time to make a reproducible demo.
FWIW: here is a screenshot
NOTE: this is from a sandbox that itself does NOT have the secret configured (so it should fallback to the shared secret)
@pjoe thanks for sharing the screenshot. To ensure I understand correctly, I'd like to confirm that the sharedPath value shown is for a sandbox deployment, and not when using the pipeline-deploy command? If you have an environment deployed using the Amplify CI/CD pipeline, could you please verify the path for that environment to see if it follows the format amplify/shared/<appid>/<secret-name>?
It would be helpful to clarify this distinction between sandbox deployments and deployments made through the Amplify CI/CD pipeline, as the paths for shared resources may differ.
Closing the thread since we cannot reproduce the outlined issue and the sharedPath value for the secret is expected in case of a sandbox deployment.