update sandbox secret management (#7108)

edwardfoyle · josefaidt · Jacob Logan · commit 6e1dccb6bd24 · 2024-04-30T12:58:43.000-07:00
* update sandbox secret management

* Update src/pages/gen2/deploy-and-host/sandbox-environments/features/index.mdx

* Update src/pages/gen2/deploy-and-host/sandbox-environments/features/index.mdx

* Update src/pages/gen2/deploy-and-host/sandbox-environments/features/index.mdx

* Update src/pages/gen2/deploy-and-host/sandbox-environments/features/index.mdx

* Update src/pages/gen2/deploy-and-host/sandbox-environments/features/index.mdx

---------

Co-authored-by: josef &lt;josef.aidt@gmail.com&gt;
diff --git a/src/pages/[platform]/deploy-and-host/sandbox-environments/features/index.mdx b/src/pages/[platform]/deploy-and-host/sandbox-environments/features/index.mdx
@@ -35,28 +35,68 @@ Sandbox environments include additional features for managing secrets, deploying
 ## Secure secrets in your sandbox
 
 <Callout info>
+
   Secrets set in a sandbox do not show up in the Amplify Console. You can view them in the AWS Systems Manager (SSM) Parameter Store console.
+  
 </Callout>
 
-Amplify Gen 2 offers secure secret storage to manage sensitive data like API keys and database credentials. Secrets are similar to environment variables, but they are encrypted AWS Systems Manager Parameter Store key value pairs. Secrets are stored in AWS Parameter Store with the following naming convention: `/amplify/<package.json#name>/<sandbox-name>/<key-name>`.
+Amplify Gen 2 offers secure secret storage to manage sensitive data like API keys and database credentials. Secrets are similar to environment variables, but they are encrypted AWS Systems Manager Parameter Store key value pairs. Secrets are stored in AWS Parameter Store under the `/amplify` prefix.
 
 ### Set secrets
 
-You can add secrets while running your cloud sandbox with the following command:
+You can add secrets to your sandbox environment using the following command:
 
-```bash title="Terminal" showLineNumbers={false}
+```bash
 npx amplify sandbox secret set foo
 ? Enter secret value: ###
 Done!
 
-> npx amplify sandbox secret set bar
+npx amplify sandbox secret set bar
 ? Enter secret value: ###
 Done!
 ```
 
-### Access secrets
+After these commands, your sandbox will have two secrets named `foo` and `bar`.
+
+### List secrets
+
+You can list all of the secret names available in your sandbox environment with the following command:
+
+```bash
+npx amplify sandbox secret list
+ - foo
+ - bar
+```
+
+### Retrieve a secret
+
+<Callout warning>
+
+**Note:** This will print a secret value in plain text to the terminal. Do not use this command anywhere that terminal logs may be stored (such as CI/CD jobs).
+
+</Callout>
+
+To show the value of a secret, run the following command.
+
+```bash
+npx amplify sandbox secret get foo
+name: foo
+version: 1
+value: abc123
+lastUpdated: Mon Nov 13 2023 22:19:12 GMT-0800 (Pacific Standard Time)
+```
+
+### Remove secrets
+
+To remove a secret from from the sandbox, run the following command in your terminal:
+
+```bash
+npx amplify sandbox secret remove foo
+```
+
+### Reference secrets
 
-Once you have set a secret, you can access the values in code by calling the `secret()` function. The following example shows how to set up social sign-in with authentication in your app. Depending on your environment, Amplify will automatically load the correct secret value with no extra configuration.
+Once you have set a secret, you can reference the secret in your backend definition using the `secret()` function. The following example shows how to set up social sign-in with authentication in your app. Depending on your environment, Amplify will automatically load the correct secret value.
 
 ```ts
 import { defineAuth, secret } from '@aws-amplify/backend';
@@ -76,184 +116,91 @@ export const auth = defineAuth({
 });
 ```
 
-### Retrieve secrets
+The `secret()` function does NOT retrieve the value of the secret. It places a reference to the secret value in the backend definition. The secret value is only resolved during deployment of your backend.
 
-To get the value of a secret from the cloud, run the following command in your terminal:
-
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox secret get foo
- name: foo
- version: 1
- value: 123
- lastUpdated: Mon Nov 13 2023 22:19:12 GMT-0800 (Pacific Standard Time)
-```
+The `secret()` function can only be used in specific places in your backend definition such as [configuring auth providers](/gen2/build-a-backend/auth/add-social-provider/#configure-social-sign-in-backend) and [granting function secret access](/gen2/build-a-backend/functions/#secret-access).
 
-### Remove secrets
+<Callout info>
 
-To remove a secret from the cloud, run the following command in your terminal:
+To deploy a backend that uses `secret()` references via Amplify hosting, the secret values must be [configured for the Amplify app or branch](/gen2/deploy-and-host/fullstack-branching/secrets-and-vars)
 
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox secret remove foo
-```
+</Callout>
 
-### Work with multiple AWS profiles
+## Work with multiple AWS profiles
 
-Sometimes you might have multiple AWS profiles set up locally. To run `amplify sandbox secret` commands, use the `--profile` flag to deploy to a specific profile. For example, let's say you have two AWS profiles set up locally—`default` and `work`. To add secrets to the `work` profile, run the following command in your terminal:
+Sometimes you might have multiple AWS profiles set up locally. To run `amplify sandbox secret` commands, use the `--profile` flag to deploy to a specific profile. For example, let's say you have two AWS profiles set up locally—`default` and `work`. To add secrets to the sandbox in the `work` profile, run the following command in your terminal:
 
-```bash title="Terminal" showLineNumbers={false}
+```bash
 npx amplify sandbox secret set foo --profile work
 ```
 
-## Multiple sandboxes per app
+## Work with multiple named sandboxes
 
 <Callout info>
-  Provisioning multiple sandboxes per app is possible but not recommended because managing multiple ephemeral environments for a single app introduces complexity. With multiple sandboxes, it can be difficult to keep track of what code version or configuration is deployed where. Sticking to a single ephemeral sandbox per app keeps your workflows simple and straightforward.
-</Callout>
 
-You can create multiple cloud sandbox environments for each app if you want to keep persistent sandbox environments up and running to test against. First, run the following command in the terminal:
+Provisioning multiple sandboxes per app is possible but not recommended because managing multiple ephemeral environments for a single developer introduces complexity. With multiple sandboxes, it can be difficult to keep track of what code version or configuration is deployed where. Sticking to a single sandbox per developer keeps your workflows simpler.
 
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox --name s1
-```
+</Callout>
 
-Once the deployment completes, exit sandbox `s1` and run the following command in the terminal:
+You can create multiple sandboxes if you want to have different features or test environments available in different sandboxes. By default, your sandbox is named based on the local machine username. To override this name, use the `--identifier` option:
 
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox --name s2
+```bash
+npx amplify sandbox --identifier feature1sandbox
 ```
 
-After successful deployment, sandboxes `s1` and `s2` will be ready. Pick sandbox `s1` or `s2` to activate. You can switch between them but only one can be running at a time.
-
-## Generate client config
+This will start a sandbox named `feature1sandbox`.
 
-The client config (e.g. `amplifyconfiguration.json` file for Web) contains the configuration strings for interacting with AWS resources specific to an environment. The Amplify client libraries need the client config file in order to use the library APIs to connect to backend resources. By default, the cloud sandbox generates the client configuration file at the root of the project (such as `@/amplifyconfiguration.json`). If you want to place the file at a different path you can use the following command template:
+Once the deployment completes, exit sandbox and run the following command in the terminal:
 
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox --config-out-dir path/to/config --config-format ["mjs", "json", "json-mobile", "ts", "dart"]
+```bash
+npx amplify sandbox --identifier feature2sandbox
 ```
 
-### Sandbox Environment
+After successful deployment, you will have two sandboxes `feature1sandbox` and `feature2sandbox`. You can switch between them but only one can be running at a time.
 
-For Web and React Native, generating the client in the root of the project would work, but all the other platforms have specific directories to target.
+### Secret management with named sandboxes
 
-<InlineFilter filters={['angular','javascript','nextjs','react','react-native','swift','vue']}>
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox
-```
-</InlineFilter>
+When working with multiple sandboxes, secrets must be configured for each one. All of the `sandbox secret` commands accept the `--identifier` argument to manage secrets for named sandboxes. For example, to add a secret to `feature1sandbox`, use:
 
-<InlineFilter filters={['flutter']}>
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox --config-format dart --config-out-dir lib
+```bash
+npx amplify sandbox --identifier feature1sandbox secret set baz
 ```
-</InlineFilter>
-<InlineFilter filters={['android']}>
-<Callout warning>
-  Be sure to add a "raw" folder under app/src/main/res directory if it doesn't
-  exist.
-</Callout>
 
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox --config-format json-mobile --config-out-dir app/src/main/res/raw
-```
-</InlineFilter>
+## Generate client config
 
-<InlineFilter filters={['swift']}>
+The client config, or `amplifyconfiguration.json` file, contains the configuration strings for interacting with AWS resources specific to an environment. The Amplify client libraries need the client config in order to use the library APIs to connect to backend resources. By default, the cloud sandbox generates the client configuration file at the root of the project (such as `@/amplifyconfiguration.json`). If you want to place the file at a different path (such as for a monorepo or Android app), run the following command in the terminal:
 
-```bash title="Terminal" showLineNumbers={false}
-npx amplify sandbox --config-format json-mobile
+```bash
+npx amplify sandbox --config-out-dir ./path/to/config --format ["mjs", "json", "json-mobile", "ts", "dart"]
 ```
 
-Once the sandbox environment is running, you would also generate the configuration files for your application. However, Xcode won't be able to recognize them. For recognizing the files, you need to drag and drop the generated files to your project.
+Alternatively, if you want to generate the config for a branch environment to test against, run the following command in the terminal.
 
-<video autoPlay={true} muted={true} loop={true} width="100%" playsInline={true}>
-  <source src="/images/gen2/getting-started/ios/ios-getting-started-2.mp4" />
-</video>
-</InlineFilter>
-
-### Deployment Environment
-
-Alternatively, if you want to generate the config for a branch environment to test against, you can run the following command below in the terminal:
-
-<InlineFilter filters={['android','angular','flutter','javascript','nextjs','react','react-native','swift','vue']}>
-For Web and React Native, generating the config with the default format and output directory.
-
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate config --app-id <app-id> --branch main
+```bash
+npx amplify generate config --app-id <AMPLIFY_APP_ID> --branch main --format ["mjs", "json", "json-mobile", "ts", "dart"] out-dir ./path/to/config
 ```
-</InlineFilter>
-<InlineFilter filters={['flutter']}>
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate config --app-id <app-id> --branch main --format dart --out-dir lib
-```
-</InlineFilter>
-<InlineFilter filters={['android']}>
-<Callout warning>
-  Be sure to add a "raw" folder under app/src/main/res directory if it doesn't
-  exist.
-</Callout>
-
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate config --app-id <app-id> --branch main --format json-mobile --out-dir app/src/main/res/raw
-```
-</InlineFilter>
-<InlineFilter filters={['swift']}>
-
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate config --app-id <app-id> --format json-mobile
-```
-
-Once the sandbox environment is running, you would also generate the configuration files for your application. However, Xcode won't be able to recognize them. For recognizing the files, you need to drag and drop the generated files to your project.
-
-<video autoPlay={true} muted={true} loop={true} width="100%" playsInline={true}>
-  <source src="/images/gen2/getting-started/ios/ios-getting-started-2.mp4" />
-</video>
-
-</InlineFilter>
 
 ## Generate client codegen
 
 <Callout info>
-  Amplify Gen 2 introduces a fully typed experience for data that no longer requires an explicit codegen step, unlike in Amplify Gen 1. You will only need this command if you are building a mobile app or have Gen 1 requirements.
+
+Amplify Gen 2 introduces a fully typed experience for data that no longer requires an explicit codegen step, unlike in Amplify Gen 1. You will only need this command if you are building a mobile app or have Gen 1 requirements.
+
 </Callout>
 
 Codegen generates native code for Swift (iOS), Java (Android), and JavaScript that represents your GraphQL API's data models. It can also generate GraphQL statements (queries, mutations, and subscriptions) so that you don't have to manually code them.
 
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate graphql-client-code --format [choices: "modelgen", "graphql-codegen", "introspection"]
-```
-
 Once your sandbox completes a deployment, you can run the following command in the terminal to generate client code that is specific to your needs:
 
-<InlineFilter filters={['angular','javascript','nextjs','react','react-native','vue']}>
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate graphql-client-code --format modelgen
-```
-</InlineFilter>
-<InlineFilter filters={['android']}>
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate graphql-client-code --format modelgen --model-target java --out app/src/main/java
-```
-</InlineFilter>
-<InlineFilter filters={['flutter']}>
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate graphql-client-code --format modelgen --model-target dart --out lib/models
+```bash
+npx amplify generate graphql-client-code
+--format [choices: "modelgen", "graphql-codegen", "introspection"]
 ```
-</InlineFilter>
-<InlineFilter filters={['swift']}>
-```bash title="Terminal" showLineNumbers={false}
-npx amplify generate graphql-client-code --format modelgen
-```
-
-Move the generated files to your project. You can do this by dragging and dropping the files to your project.
-
-![Dialog appears when users drag and drop the generated files into Xcode. It displays targets, added folders, and destination options. The default settings should be sufficient for drag and drop.](/images/lib/getting-started/ios/set-up-swift-8.png)
-</InlineFilter>
 
 ## Delete a sandbox
 
 You can delete a cloud sandbox environment in several ways:
 
 1. Ctrl+C your sandbox and choose to delete resources.
 1. Run `npx amplify sandbox delete` or `npx amplify sandbox delete --name`
-1. Visit the Amplify console and [delete sandboxes](/[platform]/deploy-and-host/sandbox-environments/setup/#manage-sandbox-environments).
+1. Visit the Amplify console and [delete sandboxes](/gen2/deploy-and-host/sandbox-environments/setup/#manage-sandbox-environments).
diff --git a/src/pages/[platform]/deploy-and-host/sandbox-environments/setup/index.mdx b/src/pages/[platform]/deploy-and-host/sandbox-environments/setup/index.mdx
@@ -81,5 +81,5 @@ Keep the following best practices in mind when working with cloud sandbox enviro
 - Sandboxes are identical in fidelity to your production environments.
 - Code changes are continuously deployed to your sandbox on every save for fast iterations.
 - Use sandboxes for experimentation and testing, not for production workloads.
-- Deploy one sandbox per Amplify app to prevent conflicts.
+- Deploy one sandbox per Amplify app per developer to prevent conflicts.
 - Reset sandboxes occasionally to clear out unused resources and save costs.
