It would be great for Amplify CLI functions to support shared secrets

Open patrickcze opened this issue 2 years ago • 1 comments

Is this feature request related to a new or existing Amplify category?

function

Is this related to another service?

No response

Describe the feature you'd like to request

Currently Amplify functions allow you to create secrets and environment variables, which is very useful. However, there are certain values that need to be reused between functions (ex: External Client IDs, External Secrets, etc.). Currently these need to be configured for each function.

Describe the solution you'd like

I would love to have the ability to import an existing secret from an existing function to a new function I am creating.

Describe alternatives you've considered

Currently the only option is to create copies of the same secret for every function. I'm looking into a custom CDK alternative as well at the moment.

Additional context

No response

Is this something that you'd be interested in working on?

  • [ ] 👋 I may be able to implement this feature request

Would this feature include a breaking change?

  • [ ] ⚠️ This feature might incur a breaking change

patrickcze, Mar 01 '22 04:03

Hey @patrickcze :wave: thanks for raising this! I've marked this as a feature request for the team to evaluate further 🙂

As a workaround, we can grant access to SSM by leveraging the function's custom-policies.json https://github.com/josefaidt/amplify-discord-bots/blob/next/amplify/backend/function/discordcommands/custom-policies.json

josefaidt, Mar 01 '22 23:03

> As a workaround, we can grant access to SSM by leveraging the function's custom-policies.json https://github.com/josefaidt/amplify-discord-bots/blob/next/amplify/backend/function/discordcommands/custom-policies.json

Hey @josefaidt sorry to bother, do you have another example you could share of custom-policies.json? That link seems to be dead.

renschler, Jan 10 '23 09:01

I second this request

jtweeks, Jun 02 '23 13:06

Much needed. Shared secrets and also shared env vars

wvidana, Jun 07 '23 15:06

Hey @wvidana @jtweeks @renschler,

The following is the function's custom-policies.json example to grant access to SSM.

[
  {
    "Action": ["ssm:GetParameters"],
    "Resource": [
      "arn:aws:ssm:us-east-1:*:parameter/amplify/amplifydiscordbot/${env}/*"
    ]
  }
]

Ref: https://github.com/aws-amplify/discord-bot/blob/10549c302a9588c911743180e21ed50f2c025fea/amplify/backend/function/discordcommands/custom-policies.json

ykethan, Jun 19 '23 18:06

@ykethan the shared snippet authorizes ssm:GetParameters which is good. But the lambda function still doesn't have access to the env var that contains the name of the ssm parameter that has to be retrieved. When a secret value is added to a function with the CLI, the lambda function is run with a variable with the configured name, so I can get in my code /amplify/app_id/dev/AMPLIFY_MyFunction_MySecret. This is not being handled by that custom-policies.json snippet

Mr-Raian, Jun 20 '23 00:06

plus: there is a rate limit for accessing SSM parameters. For example: there are 100 functions that are called at the same time and they all require external db access.

nam-truong-le, Jul 07 '23 11:07
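
Added example (not from the thread and not Amplify's own code): one way a function could read values from the shared `/amplify/<app>/<env>/` prefix that the `custom-policies.json` above grants, building the parameter names itself because no per-secret environment variable exists for them, and caching them per container to reduce SSM calls. The app name `myapp`, the key names, the TTL and the use of the function's `ENV` variable for the environment name are assumptions; `createFakeSsm` is a constructed stand-in so the code runs offline.

```javascript
// Added example: one cached loader that several Amplify functions can share.
// Assumptions (not from the thread): app name, key names and TTL are made up;
// `send` is injected so the code runs offline. Real wiring in a Lambda:
//   const { SSMClient, GetParametersCommand } = require('@aws-sdk/client-ssm');
//   const ssm = new SSMClient({});
//   const send = (input) => ssm.send(new GetParametersCommand(input));
//   const load = createSharedSecretLoader({ send, appName: 'myapp', env: process.env.ENV });
const MAX_NAMES_PER_CALL = 10; // GetParameters accepts at most 10 names per call

// Names under the prefix that the custom-policies.json Resource grants.
function sharedParameterNames(appName, env, keys) {
  return keys.map((key) => `/amplify/${appName}/${env}/${key}`);
}

// Returns load(keys) -> { key: value }. Values are cached per container, so warm
// invocations skip SSM until the TTL expires; cold starts batch their lookups.
function createSharedSecretLoader({ send, appName, env, ttlMs = 300000, now = Date.now }) {
  const cache = new Map(); // parameter name -> { value, expires }
  return async function load(keys) {
    const names = sharedParameterNames(appName, env, keys);
    const missing = [...new Set(names)].filter((n) => !(cache.get(n)?.expires > now()));
    for (let i = 0; i < missing.length; i += MAX_NAMES_PER_CALL) {
      const batch = missing.slice(i, i + MAX_NAMES_PER_CALL);
      const res = await send({ Names: batch, WithDecryption: true });
      if (res.InvalidParameters?.length) {
        // Report names only; never put secret values in errors or logs.
        throw new Error(`SSM parameters not found: ${res.InvalidParameters.join(', ')}`);
      }
      for (const p of res.Parameters ?? []) {
        cache.set(p.Name, { value: p.Value, expires: now() + ttlMs });
      }
    }
    return Object.fromEntries(keys.map((k, i) => [k, cache.get(names[i]).value]));
  };
}

// Constructed stand-in for SSM (sample data, not real values); counts calls.
function createFakeSsm(store) {
  const fake = { calls: 0 };
  fake.send = async ({ Names }) => {
    fake.calls += 1;
    const found = Names.filter((n) => n in store);
    return {
      Parameters: found.map((n) => ({ Name: n, Value: store[n] })),
      InvalidParameters: Names.filter((n) => !(n in store)),
    };
  };
  return fake;
}
```

The cache only removes repeat lookups inside a warm container; each concurrent cold start still makes one batched call per ten names.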