From 09b97c97dbd74cee9bc0968537b07f9ad9030097 Mon Sep 17 00:00:00 2001
From: Derek Slenk
Date: Fri, 27 Jun 2025 16:21:03 -0400
Subject: [PATCH] Add secret retrieval from Amplify secret stores
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Try AWS Secrets Manager first with the Amplify secret path
- Fall back to SSM Parameter Store if Secrets Manager fails
- Fall back to environment variable if both fail
- Write retrieved secret to .env.production for Next.js to use
- Log the process but hide the actual secret value

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 amplify.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/amplify.yml b/amplify.yml
index 2a60607..06f343d 100644
--- a/amplify.yml
+++ b/amplify.yml
@@ -4,6 +4,40 @@ frontend:
 preBuild:
 commands:
 - npm ci
+ - |
+ # Retrieve the secret from Amplify's secret store
+ echo "Attempting to retrieve YouTube API key from secrets..."
+ # Try to get the secret using AWS CLI
+ if command -v aws &> /dev/null; then
+ # The secret path follows the pattern: /amplify/{appId}/{branchName}/YOUTUBE_API_KEY
+ SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id /amplify/$AWS_APP_ID/$AWS_BRANCH/YOUTUBE_API_KEY --query SecretString --output text 2>/dev/null || echo "")
+ if [ ! -z "$SECRET_VALUE" ] && [ "$SECRET_VALUE" != "None" ]; then
+ echo "YOUTUBE_API_KEY=$SECRET_VALUE" >> .env.production
+ echo "Successfully retrieved secret from Secrets Manager"
+ else
+ echo "Could not retrieve secret from Secrets Manager, trying SSM..."
+ # Try SSM Parameter Store as fallback
+ SECRET_VALUE=$(aws ssm get-parameter --name /amplify/$AWS_APP_ID/$AWS_BRANCH/YOUTUBE_API_KEY --with-decryption --query Parameter.Value --output text 2>/dev/null || echo "")
+ if [ ! -z "$SECRET_VALUE" ] && [ "$SECRET_VALUE" != "None" ]; then
+ echo "YOUTUBE_API_KEY=$SECRET_VALUE" >> .env.production
+ echo "Successfully retrieved secret from SSM"
+ else
+ echo "Could not retrieve secret from SSM either"
+ fi
+ fi
+ fi
+ # Check if the secret was set via environment variable
+ if [ -z "$SECRET_VALUE" ] && [ ! -z "$YOUTUBE_API_KEY" ]; then
+ echo "YOUTUBE_API_KEY=$YOUTUBE_API_KEY" >> .env.production
+ echo "Using YOUTUBE_API_KEY from environment variable"
+ fi
+ # Show what we have
+ if [ -f .env.production ]; then
+ echo "Contents of .env.production:"
+ cat .env.production | sed 's/=.*/=***HIDDEN***/'
+ else
+ echo "No .env.production file created"
+ fi
 build:
 commands:
 - npm run build
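Review bot: The three `echo "YOUTUBE_API_KEY=$SECRET_VALUE" >> .env.production` writes put the raw value on an unquoted dotenv line, so a key containing `#`, leading or trailing whitespace, or `$` may be truncated, trimmed or expanded when Next.js loads `.env.production`; writing it quoted, `printf "YOUTUBE_API_KEY='%s'\n" "$SECRET_VALUE" >> .env.production` (likewise for the SSM and `$YOUTUBE_API_KEY` branches), keeps the value intact, assuming the key itself never contains a single quote. Because both `aws` calls end in `2>/dev/null || echo ""`, an IAM-denied or wrong-region lookup is indistinguishable in the build log from a secret that does not exist; letting the CLI's stderr through (its error text does not contain the secret value) would make the fallback chain diagnosable. When all three sources come back empty the block only prints `No .env.production file created` and the build proceeds without the key, so unless a missing key is acceptable at build time the final `else` should `exit 1` rather than let a broken artifact ship. Minor: `$AWS_APP_ID` and `$AWS_BRANCH` are unquoted inside `--secret-id` and `--name`, and `cat .env.production | sed …` can simply be `sed 's/=.*/=***HIDDEN***/' .env.production`.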