Add secret retrieval from Amplify secret stores

- Try AWS Secrets Manager first with the Amplify secret path - Fall back to SSM Parameter Store if Secrets Manager fails - Fall back to environment variable if both fail - Write retrieved secret to .env.production for Next.js to use - Log the process but hide the actual secret value 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-27 16:21:03 -04:00 · 2025-06-27 16:21:03 -04:00 · 09b97c97db
commit 09b97c97db
parent 33d4a1119a
1 changed files with 34 additions and 0 deletions
--- a/amplify.yml
+++ b/amplify.yml
@ -4,6 +4,40 @@ frontend:
    preBuild:
      commands:
        - npm ci
+        - |
+          # Retrieve the secret from Amplify's secret store
+          echo "Attempting to retrieve YouTube API key from secrets..."
+          # Try to get the secret using AWS CLI
+          if command -v aws &> /dev/null; then
+            # The secret path follows the pattern: /amplify/{appId}/{branchName}/YOUTUBE_API_KEY
+            SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id /amplify/$AWS_APP_ID/$AWS_BRANCH/YOUTUBE_API_KEY --query SecretString --output text 2>/dev/null || echo "")
+            if [ ! -z "$SECRET_VALUE" ] && [ "$SECRET_VALUE" != "None" ]; then
+              echo "YOUTUBE_API_KEY=$SECRET_VALUE" >> .env.production
+              echo "Successfully retrieved secret from Secrets Manager"
+            else
+              echo "Could not retrieve secret from Secrets Manager, trying SSM..."
+              # Try SSM Parameter Store as fallback
+              SECRET_VALUE=$(aws ssm get-parameter --name /amplify/$AWS_APP_ID/$AWS_BRANCH/YOUTUBE_API_KEY --with-decryption --query Parameter.Value --output text 2>/dev/null || echo "")
+              if [ ! -z "$SECRET_VALUE" ] && [ "$SECRET_VALUE" != "None" ]; then
+                echo "YOUTUBE_API_KEY=$SECRET_VALUE" >> .env.production
+                echo "Successfully retrieved secret from SSM"
+              else
+                echo "Could not retrieve secret from SSM either"
+              fi
+            fi
+          fi
+          # Check if the secret was set via environment variable
+          if [ -z "$SECRET_VALUE" ] && [ ! -z "$YOUTUBE_API_KEY" ]; then
+            echo "YOUTUBE_API_KEY=$YOUTUBE_API_KEY" >> .env.production
+            echo "Using YOUTUBE_API_KEY from environment variable"
+          fi
+          # Show what we have
+          if [ -f .env.production ]; then
+            echo "Contents of .env.production:"
+            cat .env.production | sed 's/=.*/=***HIDDEN***/'
+          else
+            echo "No .env.production file created"
+          fi
    build:
      commands:
        - npm run build