How to access secrets in the nodeJS back end code (AWS Amplify Gen 2)?

[swbergmann]

Environment information

I am using NextJS with Amplify Gen 2 and
- created nextjs application via npx create-next-app myapp
- installed all amplify packages via npm create amplify@latest -y
- started the amplify sandbox via npx ampx sandbox
- set two secrets in the AWS Amplify website: Hosting / Secrets (to be used for all branches)

Nothing special about my environment.

Describe the bug

If the application runs locally the access of the secrets works because they are stored in a local .env file.
If I hard code the secrets into the application code, it works locally as well as hosted on AWS Amplify Gen 2 (via the deployed URL).

The only scenario that does NOT work is to access the secrets in the application hosted on AWS Amplify Gen 2 (via the deployed URL) from the contact.ts file as shown in the screenshot. Please provide concrete information on how to access the secrets in a running production application using Amplify Gen 2. What concrete setup of files and content is necessary?

Reproduction steps

Reproduction steps:
In my application I want to access the secrets created in the AWS Amplify website:

In your current (01/01/2025) official documentation - Access secrets there is NO example of how to access a secret from any other function than "defineAuth". However I am not using "defineAuth".

In another bug report () someone wrote that "defineFunction" should be used, so I followed your documentation - Set up a function as described in my screenshots, but still it was not possible to access the secrets in my application code.

resource.ts file with entry point. Apparently only within "defineFunction" the secret() works to access the secret.

handler.ts file, code is copied directly from your documentation (Set up a function). I have no idea what "function code" should be here - according to your documentation there should be some code.

backend.ts file, I added the "loadSecrets" to this file, as documented in "Set up a function".

This is the back end API where I need to use the secrets i.e. line #5 and #6

[Orf1]

After passing them in as environment variables in resource.ts

import {defineFunction, secret} from '@aws-amplify/backend';

export const preSignUp = defineFunction({
  name: 'pre-sign-up',
  entry: "./handler.ts",
  environment: {
    SECRET_VARIABLE: secret('SECRET_VARIABLE'),
  },
});

You should be able to access them within handler.ts using:

import { env } from "$amplify/env/pre-sign-up";

const SECRET_VARIABLE = env.SECRET_VARIABLE;

[swbergmann]

Hello @Orf1 Thank you for your comment, I appreciate you answered in code!
Here is what I did:

As you suggested, I updated my files.
amplify/functions/secrets/resource.ts

amplify/functions/secrets/handler.ts

In addition, based on this documentation - Set up a Function I added my "loadSecrets" also to the
amplify/backend.ts

Question 1: Is the above code correct or should I remove/change anything?
Question 2: How can I access/use the value from the secret now on line#16 in the file
pages/api/contacts.ts

Question 3: Is it even possible to access the secret outside of the amplify/ directory (and how)?

Thank you for your help!

[Jay2113]

Hi @swbergmann 👋 , thanks for reaching out. Based on the description, it seems you are trying to access secrets stored in the AWS Systems Manager Parameter Store within your Next.js API routes. This functionality is currently not supported, but we are actively working on a project to address this use case.

In the interim, I recommend using environment variables as a workaround and passing them to the compute runtime. Ref. I suggest subscribing to this issue thread to receive updates on the feature's progress: aws-amplify/amplify-hosting#3205

[makalkin]

Hope we can have this working without jumping hoops to pass a secret as an env variable like any other platform would allow you to do for both build and runtime. Dealing with secrets has been frustrating and documentation was of little help.