How to access secrets in the nodeJS back end code (AWS Amplify Gen 2)?

Open swbergmann opened this issue 11 months ago • 6 comments

Environment information

I am using NextJS with Amplify Gen 2 and
- created nextjs application via npx create-next-app myapp
- installed all amplify packages via npm create amplify@latest -y
- started the amplify sandbox via npx ampx sandbox
- set two secrets in the AWS Amplify website: Hosting / Secrets (to be used for all branches)

Nothing special about my environment.

Describe the bug

If the application runs locally the access of the secrets works because they are stored in a local .env file. If I hard code the secrets into the application code, it works locally as well as hosted on AWS Amplify Gen 2 (via the deployed URL).

The only scenario that does NOT work is to access the secrets in the application hosted on AWS Amplify Gen 2 (via the deployed URL) from the contact.ts file as shown in the screenshot. Please provide concrete information on how to access the secrets in a running production application using Amplify Gen 2. What concrete setup of files and content is necessary?

Reproduction steps

Reproduction steps: In my application I want to access the secrets created in the AWS Amplify website: Screenshot 2025-01-01 at 23 53 09

In your current (01/01/2025) official documentation - Access secrets there is NO example of how to access a secret from any other function than "defineAuth". However I am not using "defineAuth".

In another bug report someone wrote that "defineFunction" should be used, so I followed your documentation - Set up a function as described in my screenshots, but still it was not possible to access the secrets in my application code.

resource.ts file with entry point. Apparently only within "defineFunction" the secret() works to access the secret. Screenshot 2025-01-02 at 00 02 36

handler.ts file, code is copied directly from your documentation (Set up a function). I have no idea what "function code" should be here - according to your documentation there should be some code. Screenshot 2025-01-02 at 00 02 53

backend.ts file, I added the "loadSecrets" to this file, as documented in "Set up a function". Screenshot 2025-01-02 at 00 03 05

This is the back end API where I need to use the secrets i.e. line #5 and #6 Screenshot 2025-01-02 at 00 11 14

swbergmann avatar Jan 01 '25 23:01 swbergmann

After passing them in as environment variables in resource.ts

import {defineFunction, secret} from '@aws-amplify/backend';

export const preSignUp = defineFunction({
  name: 'pre-sign-up',
  entry: "./handler.ts",
  environment: {
    SECRET_VARIABLE: secret('SECRET_VARIABLE'),
  },
});

You should be able to access them within handler.ts using:

import { env } from "$amplify/env/pre-sign-up";

const SECRET_VARIABLE = env.SECRET_VARIABLE;

Orf1 avatar Jan 02 '25 01:01 Orf1

Hello @Orf1 Thank you for your comment, I appreciate you answered in code! Here is what I did:

As you suggested, I updated my files. amplify/functions/secrets/resource.ts Screenshot 2025-01-02 at 20 22 57

amplify/functions/secrets/handler.ts Screenshot 2025-01-02 at 20 22 08

In addition, based on this documentation - Set up a Function I added my "loadSecrets" also to the amplify/backend.ts Screenshot 2025-01-02 at 20 37 05

Question 1: Is the above code correct or should I remove/change anything?

Question 2: How can I access/use the value from the secret now on line #16 in the file pages/api/contacts.ts Screenshot 2025-01-02 at 20 38 49

Question 3: Is it even possible to access the secret outside of the amplify/ directory (and how)?

Thank you for your help!

swbergmann avatar Jan 02 '25 19:01 swbergmann

Hi @swbergmann 👋 , thanks for reaching out. Based on the description, it seems you are trying to access secrets stored in the AWS Systems Manager Parameter Store within your Next.js API routes. This functionality is currently not supported, but we are actively working on a project to address this use case.

In the interim, I recommend using environment variables as a workaround and passing them to the compute runtime. Ref. I suggest subscribing to this issue thread to receive updates on the feature's progress: https://github.com/aws-amplify/amplify-hosting/issues/3205

Jay2113 avatar Jan 06 '25 16:01 Jay2113
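An added example, not code from this thread or from the Amplify project: for the environment-variable workaround described above, a server-side helper that a Next.js API route could call so that it fails closed when a secret is absent and never reads a secret from a client-exposed name. It assumes the variables have already been passed to the compute runtime; `loadServerSecrets`, `SecretConfigError` and the variable names in the usage comment are hypothetical.

```typescript
// Added example. All names here are illustrative, not part of Amplify or Next.js.
type Env = Record<string, string | undefined>;

class SecretConfigError extends Error {
  names: string[];
  constructor(reason: string, names: string[]) {
    // Only variable names go into the message, never their values.
    super(`${reason}: ${names.join(", ")}`);
    this.name = "SecretConfigError";
    this.names = names;
  }
}

// Next.js inlines NEXT_PUBLIC_* variables into the browser bundle at build
// time, so a secret must never be stored under a name with that prefix.
const PUBLIC_PREFIX = "NEXT_PUBLIC_";

function loadServerSecrets<K extends string>(
  env: Env,
  names: readonly K[],
): Record<K, string> {
  const exposed = names.filter((n) => n.startsWith(PUBLIC_PREFIX));
  if (exposed.length > 0) {
    throw new SecretConfigError("Secret names must not be client-exposed", exposed);
  }
  // Treat unset, empty and whitespace-only values as missing.
  const missing = names.filter((n) => !env[n] || env[n]!.trim() === "");
  if (missing.length > 0) {
    throw new SecretConfigError("Missing server-side secrets", missing);
  }
  const out = {} as Record<K, string>;
  for (const n of names) out[n] = env[n] as string;
  return out;
}

// Usage inside a server-only file such as pages/api/contacts.ts
// (CONTACT_API_KEY is a constructed placeholder name):
//   const { CONTACT_API_KEY } = loadServerSecrets(process.env, ["CONTACT_API_KEY"]);
//   Catch SecretConfigError and return a generic 500 without echoing details.
```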

Hope we can have this working without jumping through hoops to pass a secret as an env variable like any other platform would allow you to do for both build and runtime. Dealing with secrets has been frustrating and documentation was of little help.

makalkin avatar Jan 17 '25 20:01 makalkin

@Jay2113 Can you clarify if the recently resolved https://github.com/aws-amplify/amplify-hosting/issues/3205 solves this issue, and if so, how can it be achieved? Maybe you can provide a practical example?

mloenow avatar Feb 18 '25 20:02 mloenow