Secrets usage is not documented properly and incredibly confusing #3966

Open
Labels
feature-request New feature or request

Comments


taraspos commented Nov 8, 2024

Amplify Hosting feature

Build settings, Deployments, Environment variables, SSR

Is your feature request related to a problem? Please describe:

The AWS Amplify Gen2 console has a secrets section and the following documentation page about how to use them:

However, it's way more confusing than it might look at first glance.

Frontend build time secrets

  1. Documentation says that secrets created through the AWS Amplify Gen2 console are stored under /amplify/<app-id>/<branch-name>/<secret-name>:

    • But in reality they are stored under a path like /amplify/<app-id>/<branch-name>-branch-<some-unknown-id>/<secret-name>, so Amplify fails to load them at build time:

      2024-11-08T18:50:07.430Z [INFO]: ---- Setting Up SSM Secrets ----
      2024-11-08T18:50:07.430Z [INFO]: SSM params {"Path":"/amplify/<app_id>/main/","WithDecryption":true}
      
    • Secrets configured as "for all branches" are created under the documented location /amplify/shared/<app_id>/, but they are not picked up during the build.

  2. The Amplify application needs the IAM service role assigned permissions for ssm:GetParametersByPath on arn:<partition>:ssm:<region>:<account_id>:parameter/amplify/<app_id>/. Otherwise you will also see a warning like [WARNING]: !Failed to set up process.env.secrets (footnote 1)

  3. None of this is explained in the documentation:
    • Instead you need to follow the Gen1 documentation, which is counter-intuitive, because we're using a Gen2 app, right?

See this comment for additional details:

Frontend runtime secrets

All of the above also applies to frontend runtime secrets, but the frontend runtime doesn't support env variables and it seems you need to write them to the .env file instead (footnote 3); however, that would expose plaintext secret values in the downloaded build artifact. And it seems there are no other workarounds as of yet:

  • There is no way to pass an IAM role to the server side:
  • import { defineAuth, secret } from '@aws-amplify/backend'; can't be used from server-side code (footnote 2)

Describe how you'd like this feature to work

  1. Secrets created through the AWS Amplify Gen2 console should be usable at build time
  2. Create a proper documentation page explaining how to:
    • Access secrets at build time
    • Access secrets in SSR Runtime
    • Access secrets for backend

Footnotes

  1. https://github.com/aws-amplify/amplify-hosting/issues/3348

  2. https://github.com/aws-amplify/amplify-backend/issues/1052#issuecomment-1957733738

  3. https://docs.aws.amazon.com/amplify/latest/userguide/ssr-environment-variables.html
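The path mismatch the report describes can be reproduced offline by replaying the SSM lookup shown in the build log against an inventory of parameter names. The script below is an added example, not code from Amplify Hosting or from the reporter: it mimics the name-selection rule of SSM GetParametersByPath (hierarchy by "/", direct children only unless Recursive is set) and shows why a query for /amplify/<app_id>/main/ returns nothing for secrets stored under /amplify/<app_id>/main-branch-<id>/ or /amplify/shared/<app_id>/. The app id, the "-branch-abc123" suffix, the parameter names and values are all constructed placeholders, and the assumption that process.env.secrets is keyed by the last path segment is mine, not something this page documents.

```python
"""Added example (not Amplify Hosting code): replay, offline, the SSM lookup
the build log shows, to see why console-created secrets are not picked up.

The inventory below is constructed.  APP_ID and the "-branch-abc123" suffix
are placeholders for the app id and the unknown id the console appends.
"""
import json

APP_ID = "d1abc2def3ghi4"  # placeholder app id (assumption)

# Roughly what `aws ssm describe-parameters --parameter-filters \
#   "Key=Path,Option=Recursive,Values=/amplify/<app-id>/"` would list,
# following the three layouts described in the issue (constructed data).
INVENTORY = {
    # console secret for branch "main": lands under <branch>-branch-<id>/
    f"/amplify/{APP_ID}/main-branch-abc123/DATABASE_URL": "postgres://db.example/app",
    f"/amplify/{APP_ID}/main-branch-abc123/API_KEY": "k-main",
    # console secret marked "for all branches"
    f"/amplify/shared/{APP_ID}/SENTRY_DSN": "https://sentry.example/42",
    # parameter created by hand at the documented (Gen1-style) location
    f"/amplify/{APP_ID}/main/LEGACY_SECRET": "k-legacy",
}


def get_parameters_by_path(inventory, path, recursive=False):
    """Select names the way SSM GetParametersByPath does.

    The hierarchy separator is '/'.  Without Recursive only direct children of
    `path` are returned, so "/amplify/app/main/" does NOT cover
    "/amplify/app/main-branch-abc123/X": the segment "main-branch-abc123" is a
    sibling of "main", not a child of it.
    """
    if not path.startswith("/"):
        raise ValueError("SSM hierarchical paths must start with '/'")
    prefix = path if path.endswith("/") else path + "/"
    selected = {}
    for name, value in inventory.items():
        if not name.startswith(prefix):
            continue
        remainder = name[len(prefix):]
        if recursive or "/" not in remainder:
            selected[name] = value
    return selected


def build_secrets_env(inventory, app_id, branch):
    """The lookup the build log shows: Path=/amplify/<app_id>/<branch>/,
    WithDecryption=true, no Recursive flag.  Keyed by the last path segment,
    which is an assumption about how values end up in process.env.secrets."""
    found = get_parameters_by_path(inventory, f"/amplify/{app_id}/{branch}/")
    return {name.rsplit("/", 1)[1]: value for name, value in found.items()}


def branch_prefixes(inventory, app_id, branch):
    """Second-level segments under /amplify/<app_id>/ that start with the
    branch name: reveals the real "<branch>-branch-<id>" folder."""
    base = f"/amplify/{app_id}/"
    segments = {
        name[len(base):].split("/", 1)[0]
        for name in inventory
        if name.startswith(base)
    }
    return sorted(s for s in segments if s == branch or s.startswith(branch + "-"))


def diagnose(inventory, app_id, branch):
    """Report what the build would load versus what exists for the app."""
    loaded = get_parameters_by_path(inventory, f"/amplify/{app_id}/{branch}/")
    under_app = get_parameters_by_path(inventory, f"/amplify/{app_id}/", recursive=True)
    shared = get_parameters_by_path(inventory, f"/amplify/shared/{app_id}/", recursive=True)
    return {
        "documented_path": f"/amplify/{app_id}/{branch}/",
        "loaded": sorted(loaded),
        "branch_folders_seen": branch_prefixes(inventory, app_id, branch),
        "not_loaded_under_app": sorted(n for n in under_app if n not in loaded),
        "shared_not_loaded": sorted(shared),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(INVENTORY, APP_ID, "main"), indent=2))
    print("process.env.secrets would be:",
          json.dumps(build_secrets_env(INVENTORY, APP_ID, "main")))
```

To run the same comparison against a real account, replace INVENTORY with the names returned by `aws ssm describe-parameters --parameter-filters "Key=Path,Option=Recursive,Values=/amplify/<app-id>/"` and compare with `aws ssm get-parameters-by-path --path /amplify/<app-id>/main/ --with-decryption`; the service role still needs the ssm:GetParametersByPath permission the report mentions for either call to succeed. Only the parameter at the documented path is loaded; the "branch_folders_seen" entry shows the sibling folder the console actually used.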

@taraspos taraspos added the feature-request New feature or request label Nov 8, 2024

github-actions bot commented Nov 8, 2024

This has been identified as a feature request. If this feature is important to you, we strongly encourage you to give a 👍 reaction on the request. This helps us prioritize new features most important to you. Thank you!

@taraspos taraspos changed the title Secrets usage is incredibly confusing Secrets usage is not documented properly and incredible confusing Nov 8, 2024
@taraspos taraspos changed the title Secrets usage is not documented properly and incredible confusing Secrets usage is not documented properly and incredibly confusing Nov 8, 2024
taraspos (Author) commented

Related issues:
