Ampli API key security

aleksanderujek

Hello 👋🏻 

I'm currently testing Ampli as a way to integrate Amplitude into React (TS) App. I’m using Ampli with Amplitude Data feature.
Ampli looks very promising compared to default integration with amplitude-js, but I'm concerned about security of API key when ampli files are generated.

TL/DR: 

Ampli on ampli pull is generating index.ts file with Amplitude Key for Production (Api key would be visible on repository). I'm not sure which files I should track with git and security of id's of ampli.json file.

 

Ampli integration

I've integrated Ampli into React (TS) App according to the tutorial. Unfortunately, whenever I'm making an ampli pull, it pulls all new events but it also pulls API key and saves it directly in ampli/index.ts file.

I tried recreating repository from Ampli Examples Example, but it stills on ampli pull add API key to ampli/index.ts.

I'm concerned about that since I would like to make that repository public in the future. For now I would have to always manually delete api key from that file.

Also there is ampli.json that has multiple id, like WorkspaceId, OrgId, SourceId and VersionId which I'm not sure if they should be shared in repository (especially public repository).

 

Ampli and Git

 

I tested an idea of adding all ampli files into .gitignore and generate them locally and on CI/CD pipeline.

What I've done?

1. I've added into .gitignore */ampli and ampli.json.
2. Then I'm calling ampli pull ${project} -t ${amplitude-key}
3. But unfortunately I'm getting question about creating new project (which is not so fortunate on CI/CD), but I modified the call to:

yes | ampli pull ${project} -t ${amplitude-key}

1. Unfortunately It generates error:

Destinations:<br /> → (none connected)<br /><br />✘ ERROR An unexpected error occurred. Our team has been notified, but you can also reach us anytime at https://support.amplitude.com.<br />error Command failed with exit code 1.<br />

I've also tried approach with initialising Ampli first then calling Ampli pull:
1. ampli init with options to pull organization / user. This way I won't be asked about generating project on second call.
2. ampli pull ${project} -t ${amplitude-key} but It generates same error as above.

Conclusion

I'm worried about saving API key and ampli.json into repository. I've tried approach with generating integration locally and on CI/CD, but It generates errors.

Please let me know how I can work with Ampli SDK.

P.S. Is there any way to specify urls from which You can use API? I would like to set that only 2 urls can call Ampli with that API Key.

Justin Fiedler

Hi AlekseyM 

 

Thank you for reaching out and for your interest in Ampli.

I understand your concern of having the API keys in a public repo. For the most part our users (ourselves included) have Ampli in a private repository and for `ampli-examples` we have been removing the keys manually.

For this reason, we are in progress adding a new option `ampli pull --omit-api-keys` that will allow you to generate the Ampli SDK without any keys in the code.  You can then set the keys manually with `ampli.load({ client: { apiKey: ‘my-secret-key’ } })`. We are hoping to release this feature in the next few days,

For `ampli.json` we don’t generally view the id’s as secrets and no authentication information is stored in the project file. Currently this file and information is necessary to run `ampli pull -t <token>` as stores the selected tracking plan info. We could look into supporting environment variables for these settings as well. Would that be useful? In the meantime I think its ok for you to commit the `ampli.json` to your repo like we have in the ampli-examples.

 

Hope this helps and I will keep you updated on the new CLI release.