Closed pjoe closed 1 month ago
Hi @pjoe 👋, thanks for raising this with us. To test the configuration of secrets with functions, I followed these steps:
`npm create amplify@latest`
Throughout the process, I observed that the `AMPLIFY_SSM_ENV_CONFIG` environment variable had the expected `sharedPath` key set to `amplify/shared/<appid>/<secret-name>`, which is the correct SSM secret path.
Can you share a screenshot of the path you observed? Additionally, it would be helpful if you could provide reproduction steps for us to investigate further.
I can unfortunately not share code as this is on a proprietary project. One thing that might make a difference is that we are using an Nx monorepo. Will try to find time to make a reproducible demo.
FWIW: here is a screenshot
NOTE: this is from a sandbox that itself does NOT have the secret configured (so it should fall back to the shared secret)
@pjoe thanks for sharing the screenshot. To ensure I understand correctly, I'd like to confirm that the `sharedPath` value shown is for a sandbox deployment, and not when using the `pipeline-deploy` command? If you have an environment deployed using the Amplify CI/CD pipeline, could you please verify the path for that environment to see if it follows the format `amplify/shared/<appid>/<secret-name>`?
It would be helpful to clarify this distinction between sandbox deployments and deployments made through the Amplify CI/CD pipeline, as the paths for shared resources may differ.
Closing the thread since we cannot reproduce the outlined issue and the `sharedPath` value for the secret is expected in case of a sandbox deployment.
Environment information
Description
When using a shared secret (defined for all branches but e.g. not in sandbox), from a function the lambda config ends up being wrong :S
The secret has a wrong `sharedPath` in `AMPLIFY_SSM_ENV_CONFIG` env var: `/amplify/shared/<npm package name>/SECRET_NAME`
This should be: `/amplify/shared/<amplify app-id>/SECRET_NAME`
At least that is the path where the secret is in SSM.
The wrong path is also specified in the IAM policy for the lambda.
End result is function fails with:
Guessing this arises from here: https://github.com/aws-amplify/amplify-backend/blob/main/packages/backend-function/src/lambda-shims/resolve_ssm_params.ts#L60