Codemagic UI Environment Variables Encoded in .env File – Amplify Cognito Sign-In Fails in Built App

[yonycherkos]

If you are looking for help, please confirm the following...

• I confirm I have searched the Docs, Codemagic Sample Projects, and GitHub Discussions.
• I confirm the software versions on my local computer match the ones in CI environment (e.g. Xcode version, Gradle version). See here
• I confirm I am able to do a fresh clone of the repository and build the project on my local computer.

Which mobile framework are you using?

Steps to reproduce

I'm running into an issue with environment variables defined through the Codemagic UI.

In codemagic.yaml, I use these environment variables to dynamically generate a .env.development file during the build process. The content is written using a script like this:

scripts:
  - echo "COGNITO_CLIENT_ID=$COGNITO_CLIENT_ID" > .env.development

When I inspect the generated .env.development file, the variables do appear — however, they are encoded or obfuscated, likely for security reasons (which I understand). But the problem arises after building the app.

I'm using AWS Amplify (with Cognito) in my Flutter app. When I install the build generated by Codemagic and try to sign in, it fails. It seems the Cognito configuration (like client ID, user pool ID, etc.) isn't being loaded properly from the .env.development file inside the app.

Important notes:

The same setup works perfectly when I define the environment variables directly inside the codemagic.yaml file under the environment section.

I double-checked the variables in the Codemagic UI — they are correctly defined.

It appears the encoded values are not usable by Amplify inside the app.

Questions:

• Are UI-defined environment variables encoded in a way that prevents their use at runtime within a mobile app?
• Is there a recommended way to decode them before writing to .env or a better approach to inject them securely for use in Amplify/Cognito?
• Could this encoding be the reason the Amplify sign-in fails?

Would appreciate any insights or recommended best practices for securely and effectively using Codemagic UI environment variables for Amplify config.

Expected results

The environment variables defined in the Codemagic UI should be correctly written into the .env.development file in a usable format during the build process. After the app is built and installed, it should be able to read these environment variables at runtime, and the AWS Amplify Cognito sign-in functionality should work as expected.

Actual results

While the .env.development file is generated and includes the variables from the Codemagic UI, the values appear to be encoded or obfuscated. As a result, the built app fails to authenticate with Amplify Cognito at runtime — likely because it's unable to correctly read and use the environment values for configuration.

Build id (optional)

681db35c9c3e5d452f80e9c4

[dtrdic]

Note: we have an ongoing thread in Pylon chat, but I'll post it here as well..

When you define environment variables directly inside codemagic.yaml under environment, everything works, because those values are plain text and directly usable at runtime.

I see the .env.development file is generated and contains something, some values, for each variable..

The real issue here is likely not the encoding/decoding part, it's that you're injecting secrets into a .env file and bundling that file into your Flutter app, but we don't know if it's actually accessible at the runtime..

You would load that file at runtime using something like flutter_dotenv, and you invoke Dotenv().env['COGNITO_CLIENT_ID'].

Or, perhaps you can avoid writing a .env file entirely and generate a Dart file instead during build

- name: Generate dart file
  script: |
    echo "const String cognitoClientId = '$COGNITO_CLIENT_ID';" > lib/secrets.dart

Another thing worth checking is to remotely access the build machine and inspect the generated .env.development file. Doublecheck if the values are correct.

[dtrdic]

I'm tentatively closing the discussion since we haven't heard back from you. You can open the discussion again by replying to this message or opening a new discussion.