(gen2-migration) generate command should handle secrets in function definitions #14517

@iliapolo

Is this feature request related to a new or existing Amplify category?

function

Is this related to another service?

No response

Describe the feature you'd like to request

When a function is configured with a secret in Gen1, the generate command doesn't currently convert it to the appropriate Gen2 APIs. For example, if a function is configured with a secret called MY_SECRET, we will generate:

import { defineFunction } from '@aws-amplify/backend';

const myFunction = defineFunction({
  environment: {
    MY_SECRET: "/amplify/<hash>/main/AMPLIFY_<function-name>_MY_SECRET"
  }
})

This happens because in Gen1, the CLI will store the secret value as a SecureString SSM parameter and configure the path to this parameter as the value of the environment variable. The function itself is then responsible for fetching the secret value during runtime using the @aws-sdk/client-ssm package.

While this will continue to work in Gen2, it is not the native way Gen2 functions should handle secrets.

Describe the solution you'd like

In Gen2, the secret value is automatically fetched when the function is loaded. It is then available to the function code by accessing the corresponding env variable (i.e. process.env.MY_SECRET). So, what we should generate is:

import { defineFunction, secret } from '@aws-amplify/backend';

const myFunction = defineFunction({
  environment: {
    MY_SECRET: secret("MY_SECRET")
  }
})

Notes

  • For this to work, the MY_SECRET secret needs to be defined in the Amplify console for the appropriate app. The customer is still expected to define those secrets manually prior to deployment.
  • Customers are also expected to manually change their code to start using process.env.MY_SECRET instead of fetching it explicitly from SSM.

Describe alternatives you've considered

None

Additional context

https://github.com/aws-amplify/amplify-cli/blob/gen2-migration/GEN2_MIGRATION_GUIDE.md#post-generate--function-secrets

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request

Would this feature include a breaking change?

  • ⚠️ This feature might incur a breaking change
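
The conversion requested in this issue, sketched as an added example (not code from amplify-cli or from the issue author): it detects environment values that are Gen1 secret SSM paths and emits `secret("<NAME>")` instead, returning the list of secrets that still have to be defined manually. The helper names, the sample function name `myfunc`, the sample values, and the assumption that the path's last segment is `AMPLIFY_<function-name>_<ENV_VAR_NAME>` are illustrative.

```typescript
// Added example, not amplify-cli code. Assumption (from the path in this issue):
// a Gen1 secret env var holds an SSM path whose last segment is
// AMPLIFY_<function-name>_<ENV_VAR_NAME>.
type Gen1Env = { [name: string]: string };
type Gen2Resource = { code: string; secrets: string[] };

// True when `value` is the Gen1 SSM parameter path for this function's secret.
function isGen1SecretPath(envName: string, value: string, functionName: string): boolean {
  const segments: string[] = value.split('/');
  const leaf: string = segments[segments.length - 1] || '';
  return segments[0] === '' && segments[1] === 'amplify'
    && leaf === 'AMPLIFY_' + functionName + '_' + envName;
}

// Renders the Gen2 resource and lists the secrets the customer must still
// define manually before deployment.
function renderGen2Function(functionName: string, env: Gen1Env): Gen2Resource {
  const secrets: string[] = [];
  const entries: string[] = [];
  Object.keys(env).sort().forEach(function (name: string): void {
    const value: string = env[name] || '';
    if (isGen1SecretPath(name, value, functionName)) {
      secrets.push(name);
      entries.push('    ' + name + ': secret(' + JSON.stringify(name) + '),');
    } else {
      // Ordinary values, and paths that belong to another function, stay literal.
      entries.push('    ' + name + ': ' + JSON.stringify(value) + ',');
    }
  });
  const imports: string = secrets.length > 0 ? 'defineFunction, secret' : 'defineFunction';
  const code: string = [
    'import { ' + imports + " } from '@aws-amplify/backend';",
    '',
    'export const ' + functionName + ' = defineFunction({',
    '  environment: {',
  ].concat(entries, ['  },', '});']).join('\n');
  return { code: code, secrets: secrets };
}

// Constructed sample input; the hash segment is a placeholder, not a real value.
const sampleGen1Env: Gen1Env = {
  MY_SECRET: '/amplify/examplehash/main/AMPLIFY_myfunc_MY_SECRET',
  TABLE_NAME: 'todo-main',
};
const sampleResult: Gen2Resource = renderGen2Function('myfunc', sampleGen1Env);
console.log(sampleResult.code);
console.log('Secrets to define manually:', sampleResult.secrets.join(', '));
```

The returned `secrets` list is what a migration tool could print as a post-generate reminder, since the SSM path no longer appears anywhere in the generated resource.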
