Fix AWS SDK credentials for Amplify: use APP_* env vars

Partha-dev01 · Partha-dev01 · commit 054636d39460 · 2026-03-05T23:59:27.000+05:30
Amplify reserves the AWS_* env var prefix, so SDK clients had no
credentials in production. Added shared credentials helper that reads
APP_ACCESS_KEY_ID/APP_SECRET_ACCESS_KEY and passes them explicitly to
all 8 SDK client creation points (Polly, Bedrock, DynamoDB).
diff --git a/app/api/chat/conversation/route.ts b/app/api/chat/conversation/route.ts
@@ -18,6 +18,7 @@ import {
   BedrockRuntimeClient,
   InvokeModelCommand,
 } from "@aws-sdk/client-bedrock-runtime";
+import { getAppCredentials } from "../../../lib/aws/credentials";
 
 /* ------------------------------------------------------------------ */
 /*  Types                                                              */
@@ -58,7 +59,8 @@ interface ConversationResponse {
 const BEDROCK_REGION = process.env.BEDROCK_REGION || "us-east-1";
 
 function getBedrockClient(): BedrockRuntimeClient {
-  return new BedrockRuntimeClient({ region: BEDROCK_REGION });
+  const credentials = getAppCredentials();
+  return new BedrockRuntimeClient({ region: BEDROCK_REGION, ...(credentials && { credentials }) });
 }
 
 /* ------------------------------------------------------------------ */
diff --git a/app/api/chat/generate-words/route.ts b/app/api/chat/generate-words/route.ts
@@ -17,6 +17,7 @@ import {
   BedrockRuntimeClient,
   InvokeModelCommand,
 } from "@aws-sdk/client-bedrock-runtime";
+import { getAppCredentials } from "../../../lib/aws/credentials";
 
 /* ------------------------------------------------------------------ */
 /*  Types                                                              */
@@ -42,7 +43,8 @@ interface GeneratedItem {
 const BEDROCK_REGION = process.env.BEDROCK_REGION || "us-east-1";
 
 function getBedrockClient(): BedrockRuntimeClient {
-  return new BedrockRuntimeClient({ region: BEDROCK_REGION });
+  const credentials = getAppCredentials();
+  return new BedrockRuntimeClient({ region: BEDROCK_REGION, ...(credentials && { credentials }) });
 }
 
 /* ------------------------------------------------------------------ */
diff --git a/app/api/report/clinical/route.ts b/app/api/report/clinical/route.ts
@@ -26,6 +26,7 @@ import {
   InvokeModelCommand,
 } from "@aws-sdk/client-bedrock-runtime";
 import type { BiomarkerAggregate } from "../../../types/biomarker";
+import { getAppCredentials } from "../../../lib/aws/credentials";
 
 interface ClinicalRequestBody {
   sessionId: string;
@@ -45,10 +46,9 @@ interface ClinicalResponse {
 
 const BEDROCK_REGION = process.env.BEDROCK_REGION || "us-east-1";
 
-// Don't pass explicit credentials — the SDK default credential provider chain
-// handles Lambda IAM roles (with session tokens) and local dev env vars.
 function getBedrockClient(): BedrockRuntimeClient {
-  return new BedrockRuntimeClient({ region: BEDROCK_REGION });
+  const credentials = getAppCredentials();
+  return new BedrockRuntimeClient({ region: BEDROCK_REGION, ...(credentials && { credentials }) });
 }
 
 function buildMockReport(
diff --git a/app/api/report/summary/route.ts b/app/api/report/summary/route.ts
@@ -18,6 +18,7 @@ import {
   InvokeModelCommand,
 } from "@aws-sdk/client-bedrock-runtime";
 import type { BiomarkerAggregate } from "../../../types/biomarker";
+import { getAppCredentials } from "../../../lib/aws/credentials";
 
 interface SummaryRequestBody {
   sessionId: string;
@@ -26,10 +27,9 @@ interface SummaryRequestBody {
 
 const BEDROCK_REGION = process.env.BEDROCK_REGION || "us-east-1";
 
-// Don't pass explicit credentials — the SDK default credential provider chain
-// handles Lambda IAM roles (with session tokens) and local dev env vars.
 function getBedrockClient(): BedrockRuntimeClient {
-  return new BedrockRuntimeClient({ region: BEDROCK_REGION });
+  const credentials = getAppCredentials();
+  return new BedrockRuntimeClient({ region: BEDROCK_REGION, ...(credentials && { credentials }) });
 }
 
 function buildMockSummary(biomarkers: BiomarkerAggregate): string {
diff --git a/app/api/sync/route.ts b/app/api/sync/route.ts
@@ -19,11 +19,12 @@ import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient, PutCommand } from "@aws-sdk/lib-dynamodb";
 import type { SessionSyncPayload } from "../../types/session";
 import type { BiomarkerAggregate } from "../../types/biomarker";
+import { getAppCredentials, getAppRegion } from "../../lib/aws/credentials";
 
-// Don't pass explicit credentials — let the SDK use its default credential
-// provider chain (Lambda IAM role on Amplify, env vars or ~/.aws on local dev).
+const appCredentials = getAppCredentials();
 const dynamoClient = new DynamoDBClient({
-  region: process.env.AWS_REGION ?? "ap-south-1",
+  region: getAppRegion("ap-south-1"),
+  ...(appCredentials && { credentials: appCredentials }),
 });
 const docClient = DynamoDBDocumentClient.from(dynamoClient);
 
diff --git a/app/api/tts/route.ts b/app/api/tts/route.ts
@@ -18,19 +18,18 @@ import {
   SynthesizeSpeechCommand,
   type VoiceId,
 } from "@aws-sdk/client-polly";
+import { getAppCredentials, getAppRegion } from "../../lib/aws/credentials";
 
 interface TtsRequestBody {
   text: string;
   voiceId?: string;
 }
 
-// Use POLLY_REGION if set, otherwise fall back to AWS_REGION (auto-set on Lambda)
-const POLLY_REGION = process.env.POLLY_REGION || process.env.AWS_REGION || "ap-south-1";
+const POLLY_REGION = process.env.POLLY_REGION || getAppRegion("ap-south-1");
 
-// Don't pass explicit credentials — the SDK default credential provider chain
-// handles Lambda IAM roles (with session tokens) and local dev env vars.
 function getPollyClient(): PollyClient {
-  return new PollyClient({ region: POLLY_REGION });
+  const credentials = getAppCredentials();
+  return new PollyClient({ region: POLLY_REGION, ...(credentials && { credentials }) });
 }
 
 export async function POST(req: NextRequest) {
diff --git a/app/lib/auth/dynamodb.ts b/app/lib/auth/dynamodb.ts
@@ -10,6 +10,7 @@
  */
 
 import { AUTH_CONFIG } from "./config";
+import { getAppCredentials, getAppRegion } from "../aws/credentials";
 
 // ─── Types ───────────────────────────────────────────────────────────
 export interface AuthUser {
@@ -41,11 +42,12 @@ function shouldUseDynamo(): boolean {
   if (
     process.env.NODE_ENV === "development" &&
     !process.env.AWS_ACCESS_KEY_ID &&
+    !process.env.APP_ACCESS_KEY_ID &&
     !process.env.AWS_REGION
   ) {
     return false;
   }
-  // In production (Amplify), always try DynamoDB — IAM role provides creds
+  // In production (Amplify), always try DynamoDB
   return true;
 }
 
@@ -123,8 +125,10 @@ async function getDynamoClient() {
   const { DynamoDBClient } = await import("@aws-sdk/client-dynamodb");
   const { DynamoDBDocumentClient } = await import("@aws-sdk/lib-dynamodb");
 
+  const credentials = getAppCredentials();
   const client = new DynamoDBClient({
-    region: process.env.AWS_REGION || "ap-south-1",
+    region: getAppRegion("ap-south-1"),
+    ...(credentials && { credentials }),
   });
   return DynamoDBDocumentClient.from(client);
 }
diff --git a/app/lib/aws/credentials.ts b/app/lib/aws/credentials.ts
@@ -0,0 +1,33 @@
+/**
+ * Shared AWS credential provider for Amplify deployments.
+ *
+ * Amplify reserves the "AWS_*" env var prefix, so we use custom-named
+ * variables: APP_ACCESS_KEY_ID, APP_SECRET_ACCESS_KEY, APP_REGION.
+ * The SDK default credential chain is tried first (covers Lambda IAM
+ * roles and local dev with AWS_* env vars). If that fails, the custom
+ * env vars are used as an explicit fallback.
+ */
+
+import type { AwsCredentialIdentity } from "@aws-sdk/types";
+
+/**
+ * Returns explicit credentials from APP_* env vars if set,
+ * or undefined to let the SDK use its default provider chain.
+ */
+export function getAppCredentials(): AwsCredentialIdentity | undefined {
+  const accessKeyId = process.env.APP_ACCESS_KEY_ID;
+  const secretAccessKey = process.env.APP_SECRET_ACCESS_KEY;
+
+  if (accessKeyId && secretAccessKey) {
+    return { accessKeyId, secretAccessKey };
+  }
+
+  return undefined;
+}
+
+/**
+ * Returns the AWS region from APP_REGION, AWS_REGION, or the given default.
+ */
+export function getAppRegion(fallback = "ap-south-1"): string {
+  return process.env.APP_REGION || process.env.AWS_REGION || fallback;
+}
diff --git a/next.config.ts b/next.config.ts
@@ -34,6 +34,10 @@ const nextConfig: NextConfig = {
     DYNAMODB_CHILD_PROFILES_TABLE: process.env.DYNAMODB_CHILD_PROFILES_TABLE ?? "",
     DYNAMODB_SESSION_SUMMARIES_TABLE: process.env.DYNAMODB_SESSION_SUMMARIES_TABLE ?? "",
     DYNAMODB_FEED_POSTS_TABLE: process.env.DYNAMODB_FEED_POSTS_TABLE ?? "",
+    // Amplify blocks AWS_* prefix — use custom names for SDK credentials
+    APP_ACCESS_KEY_ID: process.env.APP_ACCESS_KEY_ID ?? "",
+    APP_SECRET_ACCESS_KEY: process.env.APP_SECRET_ACCESS_KEY ?? "",
+    APP_REGION: process.env.APP_REGION ?? "",
   },
 
   // Required for SharedArrayBuffer (ONNX WASM multi-threading)
