
AWS Amplify

Learn how to sync secrets from Hanzo KMS to AWS Amplify.

Prerequisites:

  • Hanzo KMS Cloud account
  • Add the secrets you wish to sync to Amplify to Hanzo KMS Cloud

There are many approaches to sync secrets stored within Hanzo KMS to AWS Amplify. This guide describes two such approaches below.

Access Hanzo KMS secrets at Amplify build time

This approach enables you to fetch secrets from Hanzo KMS during Amplify build time.

Using a machine identity

Create a machine identity and connect it to your Hanzo KMS project (see the machine identities documentation for details). The machine identity is what the Amplify build authenticates as when it fetches secrets, so grant it read access only to the project and environment this app needs.


  1. In the Amplify console, choose App Settings, and then select Environment variables.
  2. In the Environment variables section, select Manage variables.
  3. Under the first Variable enter INFISICAL_MACHINE_IDENTITY_CLIENT_ID, and for the value, enter the client ID of the machine identity you created in the previous step.
  4. Under the second Variable enter INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET, and for the value, enter the client secret of the machine identity you created in the previous step.
  5. Click save.

Amplify environment variables are stored in plaintext and are visible to anyone who can open the app's settings, so restrict console access to the app and rotate the machine identity's client secret if it is exposed.

In the prebuild phase, add the command in AWS Amplify to install the KMS CLI.

build:
  phases:
    preBuild:
      commands:
        - sudo curl -1sLf 'https://artifacts-cli.kms.hanzo.ai/setup.rpm.sh' | sudo -E bash
        - sudo yum -y install kms

You can now pull secrets from Hanzo KMS using the CLI and save them as a .env file. To do this, modify the build commands. The token must be exported so that the kms export child process can read it; a plain shell assignment is not visible to it.

build:
  phases:
    build:
      commands:
        - export INFISICAL_TOKEN=$(kms login --method=universal-auth --client-id=${INFISICAL_MACHINE_IDENTITY_CLIENT_ID} --client-secret=${INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET} --silent --plain)
        - kms export --format=dotenv > .env
        - <rest of the commands>

Write the .env file where your build reads it, and make sure that location is not inside the artifact directory Amplify publishes; otherwise the secrets are deployed with the site.

Using a service token

Go to your project settings in the Hanzo KMS dashboard to generate a service token. This service token will allow you to authenticate and fetch secrets from Hanzo KMS. Once you have created a service token with the required permissions, you will need to provide the token to the CLI installed in the Amplify build environment.


  1. In the Amplify console, choose App Settings, and then select Environment variables.
  2. In the Environment variables section, select Manage variables.
  3. Under Variable, enter the key INFISICAL_TOKEN. For the value, enter the generated service token from the previous step.
  4. Click save.

In the prebuild phase, add the command in AWS Amplify to install the KMS CLI.

build:
  phases:
    preBuild:
      commands:
        - sudo curl -1sLf 'https://artifacts-cli.kms.hanzo.ai/setup.rpm.sh' | sudo -E bash
        - sudo yum -y install kms

You can now pull secrets from Hanzo KMS using the CLI and save them as a .env file. To do this, modify the build commands. The INFISICAL_TOKEN variable you set in the Amplify console is already present in the build environment, so the CLI picks it up without any further assignment.

build:
  phases:
    build:
      commands:
        - kms export --format=dotenv > .env
        - <rest of the commands>

As with the machine identity approach, keep the .env file out of the artifact directory that Amplify publishes.

Sync Secrets Using AWS SSM Parameter Store

Another approach to use secrets from Hanzo KMS in AWS Amplify is to utilize AWS SSM Parameter Store. At a high level, you begin by using Hanzo KMS's AWS SSM Parameter Store integration to sync secrets from Hanzo KMS to AWS SSM Parameter Store. You then instruct AWS Amplify to consume those secrets from AWS SSM Parameter Store as environment secrets.

Follow the Hanzo KMS AWS SSM Parameter Store Secret Syncs Guide to set up the integration. Pause once you reach the step where it asks you to select the path you would like to sync.


  1. Open your AWS Amplify App console.
  2. Go to Actions >> View App Settings
  3. The App ID will be the last part of the App ARN field after the slash.

Set the path option of the Hanzo KMS AWS SSM Parameter Store integration to /amplify/[amplify_app_id]/[your-amplify-environment-name]. Each synced secret is then written as a parameter under that path, which is where Amplify looks for the environment secrets of that app and environment.

Accessing an environment secret during a build is similar to accessing environment variables, except that environment secrets are stored in process.env.secrets as a JSON string.
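The snippet below is an added example of reading that JSON string in a Node build script; it is not part of the original page or of Hanzo KMS. It assumes only what the paragraph states, that Amplify places the secrets in process.env.secrets as a JSON object whose values are strings. The function names (parseAmplifySecrets, requireSecrets, toDotenv) and the sample environment are hypothetical and constructed here.

```javascript
// Added example (not from the Hanzo KMS page): read Amplify environment
// secrets during a build step. Amplify exposes the secrets synced from SSM
// Parameter Store as one JSON string in process.env.secrets.

// Parse process.env.secrets into a plain object, failing loudly on anything
// that is not a JSON object of string values. Returns {} when no secrets
// are configured for this branch/environment.
function parseAmplifySecrets(env = process.env) {
  const raw = env.secrets;
  if (raw === undefined || raw === "") {
    return {};
  }
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    throw new Error("process.env.secrets is not valid JSON");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("process.env.secrets must be a JSON object");
  }
  for (const [name, value] of Object.entries(parsed)) {
    if (typeof value !== "string") {
      throw new Error(`secret ${name} is not a string`);
    }
  }
  return parsed;
}

// Fail the build early if a required secret was not synced, instead of
// discovering it at runtime. Returns only the requested secrets.
function requireSecrets(names, env = process.env) {
  const secrets = parseAmplifySecrets(env);
  const missing = names.filter((name) => !(name in secrets));
  if (missing.length > 0) {
    throw new Error(`missing required secrets: ${missing.join(", ")}`);
  }
  return Object.fromEntries(names.map((name) => [name, secrets[name]]));
}

// Render secrets as dotenv lines for a build tool that expects a .env file.
// Values are double-quoted with JSON escaping so spaces, quotes and newlines
// survive; keys are checked against the usual shell identifier rules.
function toDotenv(secrets) {
  const lines = Object.entries(secrets).map(([name, value]) => {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
      throw new Error(`invalid dotenv key: ${name}`);
    }
    return `${name}=${JSON.stringify(value)}`;
  });
  return lines.join("\n") + "\n";
}

// Constructed sample of what Amplify might place in process.env.secrets;
// these are made-up values, not captured from a real build.
const SAMPLE_ENV = {
  secrets: JSON.stringify({
    DATABASE_URL: "postgres://app:example-password@db.internal:5432/app",
    API_KEY: "example-api-key",
  }),
};

// Demo: resolve the secrets the build needs and report only their names.
// Never print secret values; Amplify build logs are retained.
function demo(env = SAMPLE_ENV) {
  const needed = requireSecrets(["DATABASE_URL", "API_KEY"], env);
  return Object.keys(needed);
}

console.log("secrets available to build:", demo().join(", "));
```

In a real build, call requireSecrets without the second argument so it reads process.env, and write the toDotenv output to a path that is not inside the artifact directory Amplify publishes.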
