Missing access key in Next.js 13 route handlers #3732

agazibaric opened this issue Sep 26, 2023 · 5 comments
Labels: archived, compute, environment-variables, question

agazibaric commented Sep 26, 2023

Before opening, please confirm:

App Id

d1e9ukt9805kdz

AWS Region

us-west-1

Amplify Hosting feature

Environment variables, Service role

Question

I am facing an issue when attempting to access AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY within a Next.js 13.4.12 with App Router. I'm trying to perform a server-side call to AWS SES inside of Route Handlers. Here's the sample code:

// src/app/api/route.ts

Amplify.configure({ ...awsmobile, ssr: true });

const ses = new aws.SES({
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
  },
});

export async function POST(request: Request) {
// send email via ses
}

Both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are undefined. I have attached the right SES permissions to the service role of the aws amplify app.

I expect that the Route Handlers assume the role of the service which will provide those credentials inside of env.

How can I obtain those credentials without setting them manually in the build step?

Contributor

Jay2113 commented Oct 3, 2023

Hi @agazibaric 👋 , thanks for raising this!

Have you made the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables accessible to the server-side compute runtime: https://docs.aws.amazon.com/amplify/latest/userguide/ssr-environment-variables.html?

Your build specification file amplify.yml should look something like:

version: 1
frontend:
  phases:
    preBuild:
      commands:
        - npm ci
    build:
      commands:
        - env | grep -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY >> .env.production
        - npm run build
  artifacts:
    baseDirectory: .next
    files:
      - '**/*'
  cache:
    paths:
      - node_modules/**/*
      - .next/cache/**/*

Author

Hi @Jay2113 , thank you for the answer!

I've tried adding those variables to the build step as you described, but unfortunately, they don't seem to be present there. I've run cat on the .env.production file, and the secrets are missing.

As a potential workaround I could generate access keys and add them to the AWS Amplify Environment as ACCESS_KEY_ID and SECRET_ACCESS_KEY (without the AWS_ prefix, as it's reserved by Amplify).
By exposing these keys in the build step, I can retrieve them on the server side using the following configuration:

version: 1
frontend:
  phases:
    preBuild:
      commands:
        - npm ci
    build:
      commands:
        - env | grep -e ACCESS_KEY_ID -e SECRET_ACCESS_KEY >> .env.production
        - npm run build
  artifacts:
    baseDirectory: .next
    files:
      - '**/*'
  cache:
    paths:
      - node_modules/**/*
      - .next/cache/**/*

However, my goal is to find a solution that doesn't require manual setup of these secrets.
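
A stricter form of the build-step filter above, as an added example that is not part of the original thread: `grep -e ACCESS_KEY_ID -e SECRET_ACCESS_KEY` matches those strings anywhere on a line, so it also copies unrelated variables into `.env.production`. The `write_server_env` helper, the filter function names and the sample `env` output are constructed for illustration; the helper copies only exact variable names and stops the build with a named error when one is unset or empty.

```shell
#!/bin/sh
# Added example. Constructed sample of `env` output (not real credentials).
sample_env() {
cat <<'EOF'
ACCESS_KEY_ID=constructed-key-id
SECRET_ACCESS_KEY=constructed-secret
LEGACY_SECRET_ACCESS_KEY=constructed-unrelated-secret
DEPLOY_NOTE=rotate ACCESS_KEY_ID quarterly
NODE_ENV=production
EOF
}

# The filter used in the thread: substring match anywhere on the line,
# so names and values that merely contain the string are copied too.
filter_substring() { grep -e ACCESS_KEY_ID -e SECRET_ACCESS_KEY; }

# Anchored filter: only lines that define one of the two exact names.
filter_exact() { grep -E '^(ACCESS_KEY_ID|SECRET_ACCESS_KEY)='; }

# write_server_env FILE NAME...
# Reads each NAME straight from the environment and appends NAME=value to
# FILE. Nothing is written, and a non-zero status is returned, if any NAME
# is unset, empty, or holds a newline that would add extra lines to FILE.
write_server_env() {
  out=$1; shift
  nl='
'
  buf=''
  for name in "$@"; do
    val=$(printenv "$name") || { echo "unset: $name" >&2; return 1; }
    [ -n "$val" ] || { echo "empty: $name" >&2; return 1; }
    case $val in *"$nl"*) echo "multi-line value: $name" >&2; return 1 ;; esac
    buf="${buf}${name}=${val}${nl}"
  done
  printf '%s' "$buf" >> "$out"
}

# Demonstration on the constructed sample.
echo "substring filter copies:"; sample_env | filter_substring
echo "exact filter copies:";     sample_env | filter_exact
```

In `amplify.yml` the helper would replace the `env | grep ... >> .env.production` line, called as `write_server_env .env.production ACCESS_KEY_ID SECRET_ACCESS_KEY` before `npm run build`.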

Contributor

Jay2113 commented Feb 22, 2024

@agazibaric 👋 , currently we do not support the functionality of executing server side requests to other AWS services using IAM permissions. We are tracking this as a feature request here #3205. I'll recommend subscribing to it to track updates. Thanks!

@Jay2113 Jay2113 closed this as completed Feb 22, 2024