# Error using secret() from a lambda


heavy furnace

I’m trying to use a secret in my post-confirmation Lambda function.

Here’s the Lambda definition:

```ts
import { defineFunction, secret } from '@aws-amplify/backend'

export const postConfirmation = defineFunction({
  name: 'post-confirmation',
  environment: {
    STRIPE_SECRET_KEY: secret('STRIPE_SECRET_KEY')
  }
})
```

However, when I invoke the Lambda, I get the following error:

```
2025-09-24T11:06:06.772Z undefined ERROR Uncaught Exception
{
    "errorType": "AccessDeniedException",
    "errorMessage": "User: arn:aws:sts::271966353206:assumed-role/amplify-starternuxtamplif-postconfirmationlambdaSer-OMuDDf6LrbUU/amplify-starternuxtamplif-postconfirmationlambda19-cqB4vsjbgcIn is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:eu-central-1:271966353206:* because no identity-based policy allows the ssm:GetParameters action",
    "name": "AccessDeniedException",
    "$fault": "client",
    "$metadata": {
        "httpStatusCode": 400,
        "requestId": "ea8102bd-054f-489a-a003-5fe8cf5ceb89",
        "attempts": 1,
        "totalRetryDelay": 0
    },
    "__type": "AccessDeniedException",
    "stack": [
        "AccessDeniedException: User: arn:aws:sts::271966353206:assumed-role/amplify-starternuxtamplif-postconfirmationlambdaSer-OMuDDf6LrbUU/amplify-starternuxtamplif-postconfirmationlambda19-cqB4vsjbgcIn is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:eu-central-1:271966353206:* because no identity-based policy allows the ssm:GetParameters action",

(...)

}
```

Why is this happening? It looks like Amplify isn’t assigning the role properly.

zinc gale

I believe I've encountered this before when my secret's spelling, in your case STRIPE_SECRET_KEY, doesn't actually match the secret that is set in the deployed environment. If this is on a deployed branch, check the Amplify console. If it's a sandbox, list the sandbox secrets and double check the spelling.
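
The two checks discussed in this thread, as an added example that is not code from the thread or from Amplify itself: a small script that (1) pulls the secret names a backend references through `secret('NAME')` out of its source and compares them against the names that are actually configured (for a sandbox, the output of `npx ampx sandbox secret list`, pasted in one name per line), flagging misses and near-misses such as a missing `_KEY` suffix, and (2) extracts the execution role, action and resource from an `AccessDeniedException` message like the one in the first post, so you know which role's policy to inspect and whether the denied resource is an account-wide wildcard. The backend source and the configured-secret listing below are constructed samples; the error message is the one quoted in the thread.

```javascript
// Added example: cross-check secret() references against configured secret
// names, and turn an AccessDeniedException message into triage fields.

// Constructed sample: a backend file that defines a function with two secrets.
const SAMPLE_BACKEND_SOURCE = `
import { defineFunction, secret } from '@aws-amplify/backend'

export const postConfirmation = defineFunction({
  name: 'post-confirmation',
  environment: {
    STRIPE_SECRET_KEY: secret('STRIPE_SECRET_KEY'),
    WEBHOOK_SIGNING_SECRET: secret("WEBHOOK_SIGNING_SECRET"),
  }
})
`;

// Constructed sample: configured secret names, one per line (the second one
// deliberately differs from the referenced name by a trailing _KEY).
const SAMPLE_CONFIGURED = `
STRIPE_SECRET_KEY
WEBHOOK_SIGNING_SECRET_KEY
`;

// Error message quoted in the thread (first post).
const SAMPLE_ACCESS_DENIED =
  'User: arn:aws:sts::271966353206:assumed-role/amplify-starternuxtamplif-postconfirmationlambdaSer-OMuDDf6LrbUU/amplify-starternuxtamplif-postconfirmationlambda19-cqB4vsjbgcIn ' +
  'is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:eu-central-1:271966353206:* ' +
  'because no identity-based policy allows the ssm:GetParameters action';

// Collect every secret('NAME') / secret("NAME") call in a source string.
function referencedSecrets(source) {
  const re = /\bsecret\(\s*(['"`])([^'"`]+)\1\s*\)/g;
  const names = new Set();
  for (const m of source.matchAll(re)) names.add(m[2]);
  return [...names].sort();
}

// Parse a newline-separated listing of configured secret names.
function configuredSecrets(listing) {
  return listing.split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
}

// Report referenced names that are not configured, with a best-effort
// suggestion: a case-only mismatch first, otherwise a prefix-related name.
function auditSecretNames(source, listing) {
  const wanted = referencedSecrets(source);
  const have = configuredSecrets(listing);
  const byLower = new Map(have.map((n) => [n.toLowerCase(), n]));
  const missing = [];
  for (const name of wanted) {
    if (have.includes(name)) continue;
    const caseMatch = byLower.get(name.toLowerCase());
    const near = have.filter((h) => h.startsWith(name) || name.startsWith(h));
    missing.push({ name, suggestion: caseMatch ?? near[0] ?? null });
  }
  return { wanted, have, missing };
}

// Extract principal ARN, role name, action and resource from an AWS
// AccessDenied message; returns null if the message has another shape.
function parseAccessDenied(message) {
  const re = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/;
  const m = message.match(re);
  if (!m) return null;
  const [, principal, action, resource] = m;
  const roleName = principal.split('assumed-role/')[1]?.split('/')[0] ?? null;
  return { principal, roleName, action, resource, wildcardResource: resource.endsWith(':*') };
}

// Stand-alone run: print both reports.
console.log(JSON.stringify(auditSecretNames(SAMPLE_BACKEND_SOURCE, SAMPLE_CONFIGURED), null, 2));
console.log(JSON.stringify(parseAccessDenied(SAMPLE_ACCESS_DENIED), null, 2));
```

For a real project, read the backend file(s) with `fs.readFileSync` and paste the secret listing into `SAMPLE_CONFIGURED`; a non-empty `missing` array is the spelling mismatch described above, and a `roleName` from `parseAccessDenied` tells you which execution role's attached policies to inspect in IAM.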

heavy furnace

This issue only occurs when using the Sandbox. When I deploy the app to AWS Amplify, everything works as expected.

I’ll run a few more checks to confirm it’s not an error on my side.