Skip to content

2.0.0-beta.53 - AWS Auth & Config Props

AWS authentication now runs through Alchemy’s own auth-provider system. alchemy login manages AWS credentials the same way it manages Cloudflare’s — one profile (selected by ALCHEMY_PROFILE), one interactive setup, no AWS_PROFILE / AWS_ACCOUNT_ID env plumbing in your shell. And effect/Config, which beta.45 made the way to read config inside a Worker, now works in any resource input prop too.

Setting up AWS is now the same flow as every other provider:

Terminal window
alchemy login --configure
# AWS authentication method
# ● SSO — aws sso login, credentials loaded from AWS SSO cache
# ○ Environment Variables — AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY
# ○ Stored — stored in ~/.alchemy/credentials

Your AWS account ID is captured automatically via STS.GetCallerIdentity and saved on the profile — the Stored method detects it from the keys you paste, and the Environment Variables method falls back to STS when AWS_ACCOUNT_ID isn’t exported (#574).

Auth providers are also evaluated lazily now (#567). Credentials resolve the first time a resource actually needs them — a stack that touches no AWS resources never prompts for AWS auth. Inside lifecycle operations, the environment is read through the new accessor:

reconcile: Effect.fn(function* ({ id, news }) {
const { accountId, region } = yield* AWSEnvironment;
const { accountId, region } = yield* AWSEnvironment.current;
// ...
}),

Rounding it out, alchemy login always refreshes credentials instead of short-circuiting on a non-expired cache (#575), and --configure no longer runs a redundant login pass after the interactive setup completes.

beta.45 made effect/Config the way to read secrets and variables inside a Worker’s init. beta.53 completes the picture: Config values are resolved in resource input props — at the top level or nested anywhere inside objects and arrays (#566).

export default class EffectWorker extends Cloudflare.Worker<EffectWorker>()(
"EffectWorker",
{
main: import.meta.filename,
dev: {
port: Config.number("PORT").pipe(Config.withDefault(1338)),
},
},
Effect.gen(function* () {
/* ... */
}),
) {}

The plan resolves each Config against the deploy environment’s ConfigProvider, so the concrete value flows into diffing and hashing — an opaque Config would otherwise hash the same no matter what it evaluates to. Config.redacted resolves to a Redacted that stays wrapped end to end, preserving the secrecy boundary. See Concepts › Secrets and Config.

Two dev-server fixes land via @distilled.cloud/cloudflare-runtime bumps (0.10.5 → 0.10.11): a race condition when a stack runs more than one Workflow in alchemy dev (#573), and incorrect Vite handling of require() of Node built-ins in Worker code (#556).

  • R2 custom-domain updates ride out NoSuchBucket during R2’s endpoint eventual-consistency window — including when a create loses a race and the winning bucket isn’t readable yet (448ba756).
  • Narrowed S3 bucket tag-fetch requirements to Credentials | HttpClient | Region. Thanks Kilian Cirera Sant (#555).
  • Fixed Worker static-assets bundling by switching to a named import of @alchemy.run/node-utils/ignore (#572).
  • Added a missing permission to Tutorial Part 5. Thanks David J. Felix (#560).