

# Using environment variables in an Amplify application
<a name="environment-variables"></a>

Environment variables are key-value pairs that you can add to your application's settings to make them available to Amplify Hosting. As a best practice, you can use environment variables to expose application configuration data. All environment variables that you add are encrypted to prevent rogue access.

Amplify enforces the following constraints on the environment variables that you create.
+ Amplify doesn't allow you to create environment variable names with an `AWS` prefix. This prefix is reserved for Amplify internal use only.
+ The value of an environment variable can't exceed 5500 characters.

**Important**  
Don't use environment variables to store secrets. For a Gen 2 app, use the **Secret management** feature in the Amplify console. For more information, see [Secrets and environment vars](https://docs.amplify.aws/react/deploy-and-host/fullstack-branching/secrets-and-vars/) in the *Amplify Documentation*. For a Gen 1 app, store secrets in an environment secret created using the AWS Systems Manager Parameter Store. For more information, see [Managing environment secrets](environment-secrets.md).

## Amplify environment variable reference
<a name="amplify-console-environment-variables"></a>

The following environment variables are accessible by default within the Amplify console.



| Variable name | Description | Example value | 
| --- | --- | --- | 
|  \_BUILD\_TIMEOUT  |  The build timeout duration in minutes. The minimum value is 5. The maximum value is 120.  |  `30`  | 
|  \_LIVE\_UPDATES  |  The tool will be upgraded to the latest version.  |  `[{"name":"Amplify CLI","pkg":"@aws-amplify/cli","type":"npm","version":"latest"}]`  | 
|  USER\_DISABLE\_TESTS  |  The test step is skipped during a build. You can disable tests for all branches or specific branches in an app. This environment variable is used for apps that perform tests during the build phase. For more information about setting this variable, see [Turning off tests for an Amplify application or branch](running-tests.md#disabling-tests).  |  `true`  | 
|  AWS\_APP\_ID  |  The app ID of the current build  |  `abcd1234`  | 
|  AWS\_BRANCH  |  The branch name of the current build  |  `main`, `develop`, `beta`, `v2.0`  | 
|  AWS\_BRANCH\_ARN  |  The branch Amazon Resource Name (ARN) of the current build  |  `arn:aws:amplify:us-west-2:123456789012:appname/branch/...`  | 
|  AWS\_CLONE\_URL  |  The clone URL used to fetch the git repository contents  |  `git@github.com:<user-name>/<repo-name>.git`  | 
|  AWS\_COMMIT\_ID  |  The commit ID of the current build “HEAD” for rebuilds  |  `abcd1234`  | 
|  AWS\_JOB\_ID  |  The job ID of the current build. This includes some padding of ‘0’ so it always has the same length.  |  `0000000001`  | 
|  AWS\_PULL\_REQUEST\_ID  |  The pull request ID of pull request web preview build. This environment variable is not available when using AWS CodeCommit as your repository provider.  |  `1`  | 
|  AWS\_PULL\_REQUEST\_SOURCE\_BRANCH  |  The name of the feature branch for a pull request preview being submitted to an application branch in the Amplify console.  |  `featureA`  | 
|  AWS\_PULL\_REQUEST\_DESTINATION\_BRANCH  |  The name of the application branch in the Amplify console that a feature branch pull request is being submitted to.  |  `main`  | 
|  AMPLIFY\_AMAZON\_CLIENT\_ID  |  The Amazon client ID  |  `123456`  | 
|  AMPLIFY\_AMAZON\_CLIENT\_SECRET  |  The Amazon client secret  |  `example123456`  | 
|  AMPLIFY\_FACEBOOK\_CLIENT\_ID  |  The Facebook client ID  |  `123456`  | 
|  AMPLIFY\_FACEBOOK\_CLIENT\_SECRET  |  The Facebook client secret  |  `example123456`  | 
|  AMPLIFY\_GOOGLE\_CLIENT\_ID  |  The Google client ID  |  `123456`  | 
|  AMPLIFY\_GOOGLE\_CLIENT\_SECRET  |  The Google client secret  |  `example123456`  | 
|  AMPLIFY\_DIFF\_DEPLOY  |  Enable or disable diff based frontend deployment. For more information, see [Configuring diff based frontend build and deploy](edit-build-settings.md#enable-diff-deploy).  |  `true`  | 
|  AMPLIFY\_DIFF\_DEPLOY\_ROOT  |  The path to use for diff based frontend deployment comparisons, relative to the root of your repository.  |  `dist`  | 
|  AMPLIFY\_DIFF\_BACKEND  |  Enable or disable diff based backend builds. This applies to Gen 1 apps only. For more information, see [Configuring diff based backend builds for a Gen 1 app](edit-build-settings.md#enable-diff-backend).  |  `true`  | 
|  AMPLIFY\_BACKEND\_PULL\_ONLY  |  Amplify manages this environment variable. This applies to Gen 1 apps only. For more information, see [Edit an existing frontend to point to a different backend](reuse-backends.md#reuse-backends-edit-existing).  |  `true`  | 
|  AMPLIFY\_BACKEND\_APP\_ID  |  Amplify manages this environment variable. This applies to Gen 1 apps only. For more information, see [Edit an existing frontend to point to a different backend](reuse-backends.md#reuse-backends-edit-existing).  |  `abcd1234`  | 
|  AMPLIFY\_SKIP\_BACKEND\_BUILD  |  If you do not have a backend section in your build specification and want to disable backend builds, set this environment variable to `true`. This applies to Gen 1 apps only.  |  `true`  | 
|  AMPLIFY\_ENABLE\_DEBUG\_OUTPUT  |  Set this variable to `true` to print a stack trace in the logs. This is helpful for debugging backend build errors.  |  `true`  | 
|  AMPLIFY\_MONOREPO\_APP\_ROOT  |  The path to use to specify the app root of a monorepo app, relative to the root of your repository.  |  `apps/react-app`  | 
|  AMPLIFY\_USERPOOL\_ID  |  The ID for the Amazon Cognito user pool imported for auth  |  `us-west-2_example`  | 
|  AMPLIFY\_WEBCLIENT\_ID  |  The ID for the app client to be used by web applications. The app client must be configured with access to the Amazon Cognito user pool specified by the AMPLIFY\_USERPOOL\_ID environment variable.  |  `123456`  | 
|  AMPLIFY\_NATIVECLIENT\_ID  |  The ID for the app client to be used by native applications. The app client must be configured with access to the Amazon Cognito user pool specified by the AMPLIFY\_USERPOOL\_ID environment variable.  |  `123456`  | 
|  AMPLIFY\_IDENTITYPOOL\_ID  |  The ID for the Amazon Cognito identity pool  |  `example-identitypool-id`  | 
|  AMPLIFY\_PERMISSIONS\_BOUNDARY\_ARN  |  The ARN for the IAM policy to use as a permissions boundary that applies to all IAM roles created by Amplify.  |  `arn:aws:iam::123456789012:policy/example-policy`  | 
|  AMPLIFY\_DESTRUCTIVE\_UPDATES  |  Set this environment variable to `true` to allow a GraphQL API to be updated with schema operations that can potentially cause data loss.  |  `true`  | 

**Note**  
The `AMPLIFY_AMAZON_CLIENT_ID` and `AMPLIFY_AMAZON_CLIENT_SECRET` environment variables are OAuth tokens, not an AWS access key and secret key. 

## Frontend framework environment variables
<a name="frontend-framework-environment-variables"></a>

If you are developing your app with a frontend framework that supports its own environment variables, it is important to understand that these are not the same as the environment variables you configure in the Amplify console. For example, React (prefixed REACT\_APP) and Gatsby (prefixed GATSBY) enable you to create runtime environment variables that those frameworks automatically bundle into your frontend production build. To understand the effects of using these environment variables to store values, refer to the documentation for the frontend framework you are using.

Storing sensitive values, such as API keys, inside these frontend framework prefixed environment variables is not a best practice and is highly discouraged.
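The following build-time check is an added example, not part of the Amplify documentation or tooling. It flags variables behind the React and Gatsby prefixes whose name or value looks like a secret, so the build can fail before the value is bundled; the function name `findBundledSecrets`, the keyword list, the PEM pattern, and the sample variables are all assumptions.

```javascript
// Added example: flag frontend-bundled variables that look like secrets.
// Prefixes are the React and Gatsby ones named above; the keyword list and
// the PEM check are assumptions to tune for your project.
const BUNDLED_PREFIXES = ['REACT_APP_', 'GATSBY_'];
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PRIVATE|CREDENTIAL|API_?KEY)/i;
const PEM_PRIVATE_KEY = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;

function findBundledSecrets(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    const prefix = BUNDLED_PREFIXES.find((p) => name.startsWith(p));
    if (!prefix) continue; // not bundled by the framework, out of scope here
    const reasons = [];
    if (SECRET_NAME.test(name.slice(prefix.length))) reasons.push('secret-like name');
    if (PEM_PRIVATE_KEY.test(String(value))) reasons.push('PEM private key in value');
    // Report the name and reason only, never the value, so the report is safe to log.
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample environment; every value is a placeholder.
const sampleEnv = {
  REACT_APP_API_URL: 'https://api.example.com',
  REACT_APP_PAYMENT_API_KEY: 'placeholder-not-a-real-key',
  GATSBY_SIGNING_MATERIAL: '-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----',
  GATSBY_SITE_TITLE: 'Example',
  AMPLIFY_FACEBOOK_CLIENT_SECRET: 'example123456', // build-side only, not bundled
};

function auditSample() {
  return findBundledSecrets(sampleEnv);
}

console.log(auditSample());
```

In a real build, pass `process.env` to `findBundledSecrets` and exit with a non-zero status when the result is not empty.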

# Setting environment variables
<a name="setting-env-vars"></a>

Use the following instructions to set environment variables for an application in the Amplify console.

**Note**  
**Environment variables** is visible in the Amplify console’s **App settings** menu only when an app is set up for continuous deployment and connected to a git repository. For instructions on this type of deployment, see [Getting started with existing code](getting-started.md).

**To set environment variables**

1. Sign in to the AWS Management Console and open the [Amplify console](https://console.aws.amazon.com/amplify/).

1. In the Amplify console, choose **Hosting**, and then choose **Environment variables**.

1. On the **Environment variables** page, choose **Manage variables**.

1. For **Variable**, enter your key. For **Value**, enter your value. By default, Amplify applies the environment variables across all branches, so you don’t have to re-enter variables when you connect a new branch.

1. (Optional) To customize an environment variable specifically for a branch, add a branch override as follows: 

   1. Choose **Actions** and then choose **Add variable override**.

   1. You now have a set of environment variables specific to your branch.

1. Choose **Save**.

## Create a new backend environment with authentication parameters for social sign-in
<a name="creating-a-new-backend-environment-with-authentication-parameters"></a>

**To connect a branch to an app**

1. Sign in to the AWS Management Console and open the [Amplify console](https://console.aws.amazon.com/amplify/).

1. The procedure for connecting a branch to an app varies depending on whether you are connecting a branch to a new app or an existing app.
   + **Connecting a branch to a new app**

     1. On the **Build settings** page, locate the **Select a backend environment to use with this branch** section. For **Environment**, choose **Create new environment**, and enter the name of your backend environment. The following screenshot shows the **Select a backend environment to use with this branch** section of the **Build settings** page with **backend** entered for the backend environment name.  
![\[The Select a backend environment to use with this branch section of the Build settings page.\]](http://docs.aws.amazon.com/amplify/latest/userguide/images/amplify-newenvironment-1.png)

     1. Expand the **Advanced settings** section on the **Build settings** page and add environment variables for social sign-in keys. For example, **AMPLIFY\_FACEBOOK\_CLIENT\_SECRET** is a valid environment variable. For the list of Amplify system environment variables that are available by default, see the table in [Amplify environment variable reference](environment-variables.md#amplify-console-environment-variables).
   + **Connecting a branch to an existing app**

     1. If you are connecting a new branch to an existing app, set the social sign-in environment variables before connecting the branch. In the navigation pane, choose **App Settings**, **Environment variables**.

     1. In the **Environment variables** section, choose **Manage variables**.

     1. In the **Manage variables** section, choose **Add variable**.

     1. For **Variable** (key), enter your client ID. For **Value**, enter your client secret.

     1. Choose **Save**.

# Managing environment secrets
<a name="environment-secrets"></a>

With the release of Amplify Gen 2, the workflow for environment secrets is streamlined to centralize the management of secrets and environment variables in the Amplify console. For instructions on setting and accessing secrets for an Amplify Gen 2 app, see [Secrets and environment vars](https://docs.amplify.aws/react/deploy-and-host/fullstack-branching/secrets-and-vars/) in the *Amplify Documentation*.

Environment secrets for a Gen 1 app are similar to environment variables, but they are AWS Systems Manager Parameter Store key value pairs that can be encrypted. Some values must be encrypted, such as the Sign in with Apple private key for Amplify.

## Using AWS Systems Manager to set environment secrets for an Amplify Gen 1 application
<a name="set-environment-secrets"></a>

Use the following instructions to set an environment secret for a Gen 1 Amplify app using the AWS Systems Manager console.

**To set an environment secret**

1. Sign in to the AWS Management Console and open the [AWS Systems Manager console](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Application Management**, then choose **Parameter Store**.

1. On the **AWS Systems Manager Parameter Store** page, choose **Create parameter**.

1. On the **Create parameter** page, in the **Parameter details** section, do the following:

   1. For **Name**, enter a parameter in the format **/amplify/{your\_app\_id}/{your\_backend\_environment\_name}/{your\_parameter\_name}**.

   1. For **Type**, choose **SecureString**.

   1. For **KMS key source**, choose **My current account** to use the default key for your account.

   1. For **Value**, enter your secret value to encrypt.

1. Choose **Create parameter**.

**Note**  
Amplify only has access to the keys under the `/amplify/{your_app_id}/{your_backend_environment_name}` for the specific environment build. You must specify the default AWS KMS key to allow Amplify to decrypt the value.

## Accessing environment secrets for a Gen 1 application
<a name="access-environment-secrets"></a>

Environment secrets for a Gen 1 application are stored in `process.env.secrets` as a JSON string.
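One way to read that JSON string in a Node.js build step, shown as an added example that is not Amplify's own code. It assumes the string decodes to an object keyed by parameter name; `loadSecrets` and `describeSecrets` are hypothetical helpers, and the sample input is constructed from this page's example values.

```javascript
// Added example: read Gen 1 environment secrets from process.env.secrets.
// Assumption: the JSON string decodes to an object keyed by parameter name.
function loadSecrets(raw, requiredKeys) {
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error('process.env.secrets is not set for this build');
  }
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    // Drop the parser's message: it can quote part of the input, which would
    // put secret material into the build log.
    throw new Error('process.env.secrets is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('process.env.secrets must decode to a JSON object');
  }
  const missing = requiredKeys.filter(
    (key) => typeof parsed[key] !== 'string' || parsed[key] === ''
  );
  if (missing.length > 0) {
    throw new Error(`missing environment secrets: ${missing.join(', ')}`);
  }
  // Hand back only the keys the caller asked for.
  return Object.fromEntries(requiredKeys.map((key) => [key, parsed[key]]));
}

// Log-safe summary: names and value lengths, never the values themselves.
function describeSecrets(secrets) {
  return Object.entries(secrets).map(([name, value]) => `${name} (${value.length} chars)`);
}

// Constructed sample using the example values from this page's secrets reference.
const sampleRaw = JSON.stringify({
  AMPLIFY_SIWA_CLIENT_ID: 'com.yourapp.auth',
  AMPLIFY_SIWA_TEAM_ID: 'ABCD123',
});

function demo() {
  const secrets = loadSecrets(sampleRaw, ['AMPLIFY_SIWA_CLIENT_ID', 'AMPLIFY_SIWA_TEAM_ID']);
  return describeSecrets(secrets);
}

console.log(demo());
```

In a build, call `loadSecrets(process.env.secrets, [...])` and log only what `describeSecrets` returns.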

## Amplify environment secrets reference
<a name="amplify-environment-secrets"></a>

Specify a Systems Manager parameter in the format `/amplify/{your_app_id}/{your_backend_environment_name}/AMPLIFY_SIWA_CLIENT_ID`.

You can use the following environment secrets that are accessible by default within the Amplify console.



| Variable name | Description | Example value | 
| --- | --- | --- | 
|  AMPLIFY\_SIWA\_CLIENT\_ID  |  The Sign in with Apple client ID  |  `com.yourapp.auth`  | 
|  AMPLIFY\_SIWA\_TEAM\_ID  |  The Sign in with Apple team ID  |  `ABCD123`  | 
|  AMPLIFY\_SIWA\_KEY\_ID  |  The Sign in with Apple key ID  |  `ABCD123`  | 
|  AMPLIFY\_SIWA\_PRIVATE\_KEY  |  The Sign in with Apple private key  |  -----BEGIN PRIVATE KEY----- \*\*\*\*...... -----END PRIVATE KEY-----  | 