Although this solves our use case of developing with Amplify, loading your environment variables from a secret store is a great way to conveniently manage all your environments from one place.
When working with NodeJS applications, using .env is the go-to method for storing environment variables. However, it starts to fall down with Amplify when you have multiple Lambda functions that all need a common environment, and even more so if you want to quickly switch between Amplify backend environments.
Storing your environment variables within AWS Secrets Manager is a great way to set up your backend environments once and not have to worry about it again. It also gives the added bonus of not having your secrets easily readable within the AWS Lambda console.
Let’s get started by first creating a JSON file containing the required environment variables. You can create as many environments as you like; we recommend using one environment per developer with the addition of staging and production.
Alternatively, you could create an environment per feature branch but this didn’t work for us. See more about teams environments. Note, this can also be done through the AWS console.
Create the file [ENVIRONMENT].json.
Then push the variables to AWS Secrets Manager.
We like to use a naming convention to cover:
Which ends up like this: [PROJECT]/amplify-[STAGE]/[ENVIRONMENT].
We might end up with the following secret names:
The environment names above need to exactly match your Amplify environments; these can be added with the following.
We now need to create a helper file which will be used by each of our Lambda functions. By default Lambda will give us the region (process.env.REGION) and Amplify environment name (process.env.ENV).
This function will do the following:
process.env.
The next step is to call this code every time your application starts. Keep in mind that this will cost $0.05/10,000 calls; if this starts to get expensive or if it adds too much latency, you can always introduce Redis.
In your main function, call setSecretEnvs as early as you can.
You will now find that process.env contains all the variables from the JSON file you imported earlier.
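The helper and the early call described above, as an added example that is not the post's own gist. It assumes AWS SDK v3 (`@aws-sdk/client-secrets-manager`) and takes the project and stage as placeholder arguments. It also adds two behaviours the post does not describe: existing and runtime-reserved variable names are never overwritten, and the result is cached per container to limit paid calls.

```javascript
// Added example, not the post's gist. Project and stage values are placeholders.
// Names the Lambda runtime owns; a secret must never be able to set them.
const RESERVED = /^(AWS_|LAMBDA_|LD_|_)|^NODE_OPTIONS$/;
let cached; // kept across warm invocations: one Secrets Manager call per container

// [PROJECT]/amplify-[STAGE]/[ENVIRONMENT], the naming convention from the post.
function secretName(project, stage, environment) {
  for (const part of [project, stage, environment]) {
    if (!/^[A-Za-z0-9_-]+$/.test(part || '')) throw new Error('bad secret name part');
  }
  return `${project}/amplify-${stage}/${environment}`;
}

// Copy a flat JSON object of strings into env. Variables that already exist and
// reserved names are left alone. Returns the names applied (safe to log).
function applySecret(secretString, env) {
  const parsed = JSON.parse(secretString);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('secret must be a JSON object');
  }
  const entries = Object.entries(parsed);
  // Validate everything first so a malformed secret changes nothing.
  if (entries.some(([, v]) => typeof v !== 'string')) {
    throw new Error('secret values must be strings');
  }
  const applied = [];
  for (const [key, value] of entries) {
    if (RESERVED.test(key) || Object.prototype.hasOwnProperty.call(env, key)) continue;
    env[key] = value;
    applied.push(key);
  }
  return applied;
}

// Default fetcher (assumes AWS SDK v3), required lazily so the rest runs offline.
async function fetchFromSecretsManager(SecretId, region) {
  const { SecretsManagerClient, GetSecretValueCommand } =
    require('@aws-sdk/client-secrets-manager');
  const client = new SecretsManagerClient({ region });
  return (await client.send(new GetSecretValueCommand({ SecretId }))).SecretString;
}

// Call as early as possible in the handler: await setSecretEnvs('myproject', 'dev')
async function setSecretEnvs(project, stage, opts = {}) {
  const { env = process.env, fetchSecret = fetchFromSecretsManager } = opts;
  if (cached) return cached;
  const id = secretName(project, stage, env.ENV);
  cached = applySecret(await fetchSecret(id, env.REGION), env);
  return cached;
}
```

The function's execution role needs `secretsmanager:GetSecretValue` on the secret; scoping that permission to the one secret name for its environment keeps a dev function from reading production values.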
If you want to switch to a new local Amplify environment, all you need to do is run the following and the correct secrets store will be used automatically.
This worked for us to solve the problem of managing environment variables across multiple functions/developers in a set-and-forget fashion. It also helped to centralise and secure the variable values, an added bonus which is actually very convenient.
If you’re not using AWS, it wouldn’t be difficult to adapt the above code to work with other providers.