Amplify fails build; Appears to recognize only some of my secrets?

0

In my project, Amplify only recognizes a few of my 'Secrets' I've entered in the secret manager, and thus fails during build.

Amplify Console > Hosting > Secrets

There are values in there that do appear to be recognized, however, because when I put two of my troublesome API keys in the 'Environment Variables', the application actually builds.

Specifically, my STRIPE_SECRET_KEY and SUPABASE_SERVICE_ROLE_KEY.

# amplify.yml
version: 1
frontend:
  phases:
    preBuild:
      commands:
        - npm ci --cache .npm --prefer-offline

    build:
      commands:
        - env | grep -e NEXT_PUBLIC_SUPABASE_URL -e SMTP_HOST -e SMTP_PASS_NOREPLY -e SMTP_PORT -e SMTP_SECURE -e SMTP_USER_NOREPLY -e STRIPE_SECRET_KEY -e STRIPE_WEBHOOK_KEY -e SUPABASE_SERVICE_ROLE_KEY >> .env.production
        - env | grep -e NEXT_PUBLIC_ >> .env.production
        - npm run build
  artifacts:
    baseDirectory: .next
    files:
      - '**/*'
  cache:
    paths:
      - .next/cache/**/*
      - .npm/**/*
customHeaders:
  - pattern: '**/*'
    headers:
      - key: 'Access-Control-Allow-Origin'
        value: '*'
      - key: 'Access-Control-Allow-Headers'
        value: 'Content-Type, Authorization'
      - key: 'Access-Control-Allow-Methods'
        value: 'GET, POST, PUT, DELETE, OPTIONS'

Here's the build log when it fails. Again, the build only works when I put those two specific API keys in 'Environment Variables'. Am I destined to put those API keys in Environment Variables instead of 'Secrets'?

2024-11-13T04:11:55.969Z [INFO]: # Cloning repository: git@github.com:[userName]]/[projectName].git
2024-11-13T04:11:57.788Z [INFO]:
2024-11-13T04:11:57.789Z [INFO]: Cloning into '[projectName]'...
2024-11-13T04:11:57.789Z [INFO]: # Switching to commit: 9021aefeaecab64cf4006fe8bf2c37bdb5a68b71
2024-11-13T04:11:57.816Z [INFO]: Note: switching to '9021aefeaecab64cf4006fe8bf2c37bdb5a68b71'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at 9021aef Removing double y
2024-11-13T04:11:57.922Z [INFO]: Successfully cleaned up Git credentials
2024-11-13T04:11:57.923Z [INFO]: # Checking for Git submodules at: /codebuild/output/src2780602134/src/[projectName]/.gitmodules
2024-11-13T04:11:57.931Z [INFO]: # Retrieving environment cache...
2024-11-13T04:11:57.970Z [WARNING]: ! Unable to write cache: {"code":"ERR_BAD_REQUEST","message":"Request failed with status code 404"})}
2024-11-13T04:11:57.971Z [INFO]: ---- Setting Up SSM Secrets ----
2024-11-13T04:11:57.971Z [INFO]: SSM params {"Path":"/amplify/d31i6w0pihdaur/downgrade-development/","WithDecryption":true}
2024-11-13T04:11:59.304Z [INFO]: # No package override configuration found.
2024-11-13T04:11:59.389Z [INFO]: # Retrieving cache...
2024-11-13T04:12:08.238Z [INFO]: # Extracting cache...
2024-11-13T04:12:09.675Z [INFO]: # Extraction completed
2024-11-13T04:12:09.759Z [INFO]: # Retrieved cache
2024-11-13T04:12:12.377Z [INFO]: BackendEnvironment name downgrade-development for app d31i6w0pihdaur is invalid
2024-11-13T04:12:12.522Z [INFO]: Random environment name cyndie generated
2024-11-13T04:12:15.649Z [INFO]: ## Starting Backend Build
## Checking for associated backend environment...
## No backend environment association found, continuing...
## Completed Backend Build
2024-11-13T04:12:15.655Z [INFO]: {"backendDuration": 0}
## Starting Frontend Build
# Starting phase: preBuild
# Executing command: npm ci --cache .npm --prefer-offline
2024-11-13T04:12:38.571Z [WARNING]: npm WARN
2024-11-13T04:12:38.575Z [WARNING]: deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
2024-11-13T04:12:50.782Z [INFO]: added 596 packages, and audited 597 packages in 23s
2024-11-13T04:12:50.788Z [INFO]: 94 packages are looking for funding
run `npm fund` for details

I've also followed this guide, up to step 7: https://docs.aws.amazon.com/amplify/latest/userguide/how-to-service-role-amplify-console.html#step-3-return-to-the-amplify-console

I've followed the second half of this guide (Using Amplify Console Secrets) https://repost.aws/questions/QU-TNFloIaQA-X8FRGCay8-g/how-to-manage-secrets-for-a-nextjs-14-app-built-and-hosted-via-amplify

Notes:

  • I've checked my API keys multiple times to ensure they were correct
  • I've also checked the way they were spelled
  • And I've made sure that everything is building correctly, locally.
  • I'm running Next.js 14 + Supabase + Stripe.

1 Answer

-1

It appears that you're experiencing an issue with AWS Amplify recognizing only some of your secrets, which is causing build failures. This situation can be frustrating, but there are a few things to consider and potential solutions to try.

First, it's important to note that Amplify does have a system for managing both environment variables and secrets. The difference is that secrets are meant for sensitive information and are stored more securely. However, the behavior you're describing suggests there might be an issue with how the secrets are being accessed or processed during the build.

The fact that your build succeeds when you move STRIPE_SECRET_KEY and SUPABASE_SERVICE_ROLE_KEY to environment variables indicates that the issue is likely related to how secrets are being retrieved or injected into the build process.

Here are a few suggestions to troubleshoot and potentially resolve the issue:

  1. Double-check the naming convention: Ensure that the names of your secrets in the Amplify Console exactly match the names you're trying to access in your build process. Even small discrepancies can cause issues.

  2. Verify secret access: Make sure that your build process has the necessary permissions to access the secrets. This could be an IAM role issue.

  3. Use Amplify's built-in environment variable references: Instead of directly accessing secrets, try using Amplify's syntax for referencing secrets in your amplify.yml file. For example:

    build:
      commands:
        - echo "STRIPE_SECRET_KEY=${secrets.STRIPE_SECRET_KEY}" >> .env.production
        - echo "SUPABASE_SERVICE_ROLE_KEY=${secrets.SUPABASE_SERVICE_ROLE_KEY}" >> .env.production

  4. Check Amplify's documentation: Ensure you're following the most up-to-date best practices for managing secrets in Amplify. The documentation may have been updated since you last checked.

  5. Consider using AWS Systems Manager Parameter Store: If you continue to have issues with Amplify's secret management, you could store your secrets in AWS Systems Manager Parameter Store and retrieve them during the build process using the AWS CLI.

  6. Review your amplify.yml file: Make sure your build commands are correctly formatted and that you're not inadvertently overwriting or missing any environment variables.

  7. Check Amplify Console logs: Look for any error messages or warnings in the Amplify Console logs that might provide more insight into why certain secrets aren't being recognized.

If none of these solutions work, you may need to contact AWS support for further assistance. They can provide more specific guidance based on your account and configuration.

As a temporary workaround, while you're troubleshooting, you can continue using environment variables for the keys that aren't working as secrets. However, this should be a short-term solution as it's generally more secure to use the secrets management feature for sensitive information like API keys.

Sources
Environment variables and secrets - AWS Amplify Gen 2 Documentation
New in AWS Amplify: Expanded Fullstack Deployment Capabilities for Teams of All Sizes | Front-End Web & Mobile

answered a year ago
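
An added example, not part of the original question or answer: a Node check that reports, by name only, which of the variables listed in the question's amplify.yml are set as plain environment variables, which exist only inside a `secrets` JSON string, and which are missing. It assumes that SSM-backed secrets reach the build as one `secrets` variable holding JSON, as the Amplify Hosting documentation describes for environment secrets; the function names and sample values are constructed.

```javascript
// Added example: names come from the question's amplify.yml; the `secrets`
// JSON variable is an assumption taken from Amplify Hosting's documentation.
const REQUIRED = [
  'NEXT_PUBLIC_SUPABASE_URL', 'SMTP_HOST', 'SMTP_PASS_NOREPLY', 'SMTP_PORT',
  'SMTP_SECURE', 'SMTP_USER_NOREPLY', 'STRIPE_SECRET_KEY',
  'STRIPE_WEBHOOK_KEY', 'SUPABASE_SERVICE_ROLE_KEY',
];

// Parse the `secrets` JSON string; tolerate it being absent or malformed.
function parseSecrets(raw) {
  if (!raw) return {};
  try {
    const obj = JSON.parse(raw);
    return obj && typeof obj === 'object' && !Array.isArray(obj) ? obj : {};
  } catch {
    return {};
  }
}

// Report where each required name is defined. Only names are returned,
// never values, so the result is safe to print in a build log.
function classify(required, env) {
  const secrets = parseSecrets(env.secrets);
  const report = { env: [], secrets: [], missing: [] };
  for (const name of required) {
    const inEnv = typeof env[name] === 'string' && env[name] !== '';
    const inSecrets = typeof secrets[name] === 'string' && secrets[name] !== '';
    if (inEnv) report.env.push(name);
    else if (inSecrets) report.secrets.push(name);
    else report.missing.push(name);
  }
  return report;
}

// Constructed sample environment (fake values) standing in for process.env.
const sampleEnv = {
  NEXT_PUBLIC_SUPABASE_URL: 'https://example.invalid',
  SMTP_HOST: 'smtp.example.invalid', SMTP_PORT: '587', SMTP_SECURE: 'true',
  SMTP_USER_NOREPLY: 'noreply', SMTP_PASS_NOREPLY: 'placeholder',
  STRIPE_SECRET_KEY_OLD: 'placeholder', // a substring match, not the real name
  secrets: JSON.stringify({ STRIPE_WEBHOOK_KEY: 'placeholder' }),
};

const report = classify(REQUIRED, sampleEnv);
console.log(JSON.stringify(report, null, 2));
// In a build, call classify(REQUIRED, process.env) and set
// process.exitCode = 1 when report.missing is non-empty.
```

The lookup is by exact name, so `STRIPE_SECRET_KEY_OLD` does not count as `STRIPE_SECRET_KEY`, whereas `env | grep -e STRIPE_SECRET_KEY` matches any line containing that substring.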
