Prerequisites:

  • Infisical Cloud account
  • Add the secrets you wish to sync to Amplify to Infisical Cloud

There are many approaches to sync secrets stored within Infisical to AWS Amplify. This guide describes two such approaches below.

Access Infisical secrets at Amplify build time

This approach enables you to fetch secrets from Infisical during Amplify build time.

1

Create a machine identity

Create a machine identtiy and connect it to your Infisical project. You can read more about how to use machine identities here. The machine identity will allow you to authenticate and fetch secrets from Infisical.

2

Set the machine identity client ID and client secret as Amplify environment variables

  1. In the Amplify console, choose App Settings, and then select Environment variables.
  2. In the Environment variables section, select Manage variables.
  3. Under the first Variable enter INFISICAL_MACHINE_IDENTITY_CLIENT_ID, and for the value, enter the client ID of the machine identity you created in the previous step.
  4. Under the second Variable enter INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET, and for the value, enter the client secret of the machine identity you created in the previous step.
  5. Click save.
3

Install Infisical CLI to the Amplify build step

In the prebuild phase, add the command in AWS Amplify to install the Infisical CLI.

build:
  phases:
    preBuild:
      commands:
- sudo curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.rpm.sh' | sudo -E bash
- sudo yum -y install infisical
4

Modify the build command

You can now pull secrets from Infisical using the CLI and save them as a .env file. To do this, modify the build commands.

build:
  phases:
    build:
      commands:
- INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=${INFISICAL_MACHINE_IDENTITY_CLIENT_ID} --client-secret=${INFISICAL_MACHINE_IDENTITY_CLIENT_SECRET} --silent --plain)
    - infisical export --format=dotenv > .env
    - <rest of the commands>

Accessing an environment secret during a build is similar to accessing environment variables, except that environment secrets are stored in process.env.secrets as a JSON string.