--- slug: "how-to-deploy-private-git-submodule-included-app-to-aws-amplify" title: "How to Deploy a Project with Private Git Submodules to AWS Amplify" description: "I am writing a blog post about how to deploy an application that uses a private Git repository as a submodule to AWS Amplify." url: "https://www.ytyng.com/en/blog/how-to-deploy-private-git-submodule-included-app-to-aws-amplify" publish_date: "2024-07-20T10:55:19Z" created: "2024-07-20T10:55:19Z" updated: "2026-04-12T07:47:00.779Z" categories: ["AWS"] keywords: "" featured_image_url: "https://media.ytyng.com/resize/20250609/53157db76a034b13aacbac0bc11f1e48.png.webp?width=768" has_video: true has_music: true video_urls: ["https://media.ytyng.net/ytyng-blog/312/featured-video-1.mp4", "https://media.ytyng.net/ytyng-blog/312/featured-video-2.mp4", "https://media.ytyng.net/ytyng-blog/312/featured-video-3.mp4"] music_urls: ["https://media.ytyng.net/ytyng-blog/312/featured-music-312-3.mp3", "https://media.ytyng.net/ytyng-blog/312/featured-music-312-4.mp3"] lang: "en" --- # How to Deploy a Project with Private Git Submodules to AWS Amplify The AWS Amplify version of the [How to Deploy a Project to Vercel with Private Git Submodules](https://www.ytyng.com/blog/how-to-deploy-project-to-vercel-includes-private-submodules/) that I wrote earlier. The process is almost the same. # 1. Create a Fine-grained Personal Access Token Go to the following page: https://github.com/settings/tokens?type=beta Click on "Generate new token". ![Image](https://media.ytyng.com/20240526/0a228df2565f4ac1817d0929eec86427.png) For Repository access, select "Only select repositories" and choose the minimum necessary repositories. For Repository permissions, grant Read-only access to Contents only. ![Image](https://media.ytyng.com/20240526/6693893421ac4859b01d28814dbfd622.png) Click the "Generate token" button to create the token. # 2. Register the Token as an Environment Variable in Amplify From the left menu, go to "Hosting" and select "Environment variables", then click on "Manage variables". ![Image](https://media.ytyng.com/20240720/eece8cd2135c423eafb9ff6fb54414fa.png) Add a new variable named GITHUB_PAT and set the token value. ![Image](https://media.ytyng.com/20240720/78b40a1fc87e461d976470a325f77730.png) # 3. Create a Build Script Create a script named `sh/pre-build-for-amplify.sh`. ### Recommended: Using GIT_ASKPASS Embedding tokens directly in URLs poses a security risk, so using `GIT_ASKPASS` is the recommended approach. `GIT_ASKPASS` is an environment variable that specifies a script to be automatically executed when git needs authentication credentials. It is safe because the token is not stored in the URL or git config. ```shell #!/usr/bin/env bash cd $(dirname $0)/../ || exit set -e if [ -z "${GITHUB_PAT}" ]; then echo "The environment variable GITHUB_PAT is not set. Please regenerate the GitHub Fine-grained token and register it as the GITHUB_PAT environment variable in Amplify." echo "https://github.com/settings/tokens?type=beta" echo "https://ap-northeast-1.console.aws.amazon.com/amplify/apps/" exit 1 fi # Pass token via GIT_ASKPASS (no token in URLs) ASKPASS_SCRIPT="$(mktemp)" trap 'rm -f "${ASKPASS_SCRIPT}"' EXIT cat > "${ASKPASS_SCRIPT}" <<'SCRIPT' #!/usr/bin/env bash case "$1" in *Username*) echo "x-access-token" ;; *Password*) echo "${GITHUB_PAT}" ;; *) echo ;; esac SCRIPT chmod 700 "${ASKPASS_SCRIPT}" export GIT_ASKPASS="${ASKPASS_SCRIPT}" export GIT_TERMINAL_PROMPT=0 git submodule set-url "https://github.com/ytyng/.git" git submodule sync git submodule update --init ``` Key points: - The temporary script specified by `GIT_ASKPASS` automatically provides the token when git requests authentication - `trap` automatically deletes the temporary script after the build completes - The token is not included in the submodule URL, so it never persists in git config - `GIT_TERMINAL_PROMPT=0` disables interactive prompts ### Previous method (not recommended) The following method embeds the token directly in the URL. It works but has security risks, so the GIT_ASKPASS method above is recommended. ```shell #!/usr/bin/env bash cd $(dirname $0)/../ || exit if [ -z "${GITHUB_PAT}" ]; then echo "The environment variable GITHUB_PAT is not set. Please regenerate the GitHub Fine-grained token and register it as the GITHUB_PAT environment variable in Amplify." echo "https://github.com/settings/tokens?type=beta" echo "https://ap-northeast-1.console.aws.amazon.com/amplify/apps/" exit 1 fi git submodule set-url "https://${GITHUB_PAT}@github.com/ytyng/.git" git submodule sync git submodule update --init ``` # 4. Use This Build Script in Amplify On the Amplify page, go to Hosting → Build settings, and either modify the `amplify.yml` file in the browser or place the `amplify.yml` file in the root directory of your project. Add `sh/pre-build-for-amplify.sh` to `preBuild.commands`. ```yaml version: 1 frontend: phases: preBuild: commands: - 'sh/pre-build-for-amplify.sh' # Add this line - 'npm ci --cache .npm --prefer-offline' build: commands: - 'npm run build' artifacts: baseDirectory: build files: - '**/*' cache: paths: - '.npm/**/*' ```