[custom-resources] Allow passing a Secret value as a parameter to `AwsCustomResource`
It would be convenient to be able to pass a secret {{resolve}} token as a parameter to the AwsCustomResource class and have it resolved at runtime to the actual secret value.
Use Case
I created a custom resource that looked like this:
```typescript
// CDK v1 module imports (assumed; they were not part of the original snippet).
import * as cdk from '@aws-cdk/core';
import * as cognito from '@aws-cdk/aws-cognito';
import * as iam from '@aws-cdk/aws-iam';
import * as secrets from '@aws-cdk/aws-secretsmanager';
import * as cr from '@aws-cdk/custom-resources';

// The Cognito user whose password the custom resource will set.
const systemUser = new cognito.CfnUserPoolUser(this, "CognitoSystemUser", {
  username: 'myUser',
  userPoolId: 'myUserPoolId',
});

// Secret with a generated "Password" field next to the static user details.
const cognitoUserSecret = new secrets.Secret(this, "CognitoSystemUserSecret", {
  secretName: `auth/internal/MySystemUser`,
  generateSecretString: {
    secretStringTemplate: JSON.stringify({
      Username: systemUser.username,
      UserPoolId: systemUser.userPoolId,
      ClientId: 'myclientid',
    }),
    generateStringKey: "Password",
  },
});

// onCreate calls AdminSetUserPassword. Password is passed as the secret's
// {{resolve:secretsmanager:...}} token string, which is the point of this issue.
const customResource = new cr.AwsCustomResource(this, "CognitoSystemUserPasswordSetter", {
  onCreate: {
    service: "CognitoIdentityServiceProvider",
    action: "adminSetUserPassword",
    parameters: {
      Username: systemUser.username,
      UserPoolId: systemUser.userPoolId,
      Password: cognitoUserSecret.secretValueFromJson("Password").toString(),
      Permanent: true,
    },
    physicalResourceId: cr.PhysicalResourceId.of(`${systemUser.username}-password-confirmation`),
  },
  // Least-privilege policy: only AdminSetUserPassword, only on this user pool.
  policy: cr.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      sid: "AllowSetPasswordForUser",
      effect: iam.Effect.ALLOW,
      actions: ["cognito-idp:AdminSetUserPassword"],
      resources: [
        cdk.Arn.format(
          {
            region: "us-west-2",
            service: "cognito-idp",
            resource: "userpool",
            sep: "/",
            resourceName: systemUser.userPoolId,
          },
          this,
        ),
      ],
    }),
  ]),
});

// Allows the custom resource's Lambda role to read the secret.
cognitoUserSecret.grantRead(customResource);
```
This almost works, but it does not actually resolve the password to its value in Secrets Manager. In my case, it set the actual password to the literal string `{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789:secret:auth/internal/MySystemUser-ABCDEF:SecretString:Password::}}`.
Proposed Solution
It would be great if the custom resource code looked for {{resolve:secretsmanager}}-style references in the parameters passed to AwsCustomResource and resolved them to their underlying value.
Other
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
Issue Analytics
- State:
- Created 3 years ago
- Reactions: 34
- Comments: 6 (5 by maintainers)
Top GitHub Comments
That is disappointing. One would have hoped that CloudFormation did this automatically.
Indeed this is currently not supported in custom resources. This would require additional logic in the Lambda function implementing the AwsCustomResource.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
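As an added example (not code from the issue or from the CDK project), this is the kind of handler-side logic the Proposed Solution and the maintainer comment above describe: parse `{{resolve:secretsmanager:...}}` references found in the parameters, resolve them through an injected lookup (a constructed stub stands in for Secrets Manager), and guard against sending parameters that still contain an unresolved token, which is how the literal reference ended up as the user's password. `parseReference`, `resolveParameters`, `hasUnresolvedReference`, `stubGetSecret` and `sampleParams` are assumed names, not CDK APIs.

```typescript
// Added example, not AWS CDK project code: resolve CloudFormation secretsmanager dynamic
// references in AwsCustomResource parameters; secret retrieval is injected (stub below).
type GetSecret = (secretId: string, stage: string, versionId: string) => string;
export interface SecretRef { secretId: string; jsonKey: string; stage: string; versionId: string }
const REF = /\{\{resolve:secretsmanager:([^{}]+)\}\}/g;

// Body: secret-id:SecretString:json-key:version-stage:version-id; an ARN secret-id spans 7 fields.
export function parseReference(body: string): SecretRef {
  const f = body.split(":");
  const idLen = f[0] === "arn" ? 7 : 1;
  const [kind = "SecretString", jsonKey = "", stage = "", versionId = ""] = f.slice(idLen);
  if (f.length < idLen || kind !== "SecretString") throw new Error(`unsupported reference: ${body}`);
  return { secretId: f.slice(0, idLen).join(":"), jsonKey, stage, versionId };
}
// Replace every reference in one string (CDK emits whole-string references).
function resolveString(s: string, getSecret: GetSecret): string {
  return s.replace(REF, (_m: string, body: string) => {
    const r = parseReference(body);
    const raw = getSecret(r.secretId, r.stage, r.versionId);
    if (!r.jsonKey) return raw;
    const field = JSON.parse(raw)[r.jsonKey];
    if (typeof field !== "string") throw new Error(`key ${r.jsonKey} not in secret`);
    return field;
  });
}
// Walk the parameters object, nested objects and arrays included.
export function resolveParameters(value: unknown, getSecret: GetSecret): unknown {
  if (typeof value === "string") return resolveString(value, getSecret);
  if (Array.isArray(value)) return value.map((v) => resolveParameters(v, getSecret));
  if (value && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(value)) out[k] = resolveParameters((value as Record<string, unknown>)[k], getSecret);
    return out;
  }
  return value;
}
// Guard before the SDK call: a literal "{{resolve:" still in the parameters is the
// failure the issue describes (the token text itself became the user's password).
export function hasUnresolvedReference(value: unknown): boolean {
  return JSON.stringify(value).indexOf("{{resolve:") !== -1;
}

// Constructed sample: the ARN quoted in the issue and a stub secret store (no AWS calls).
const ARN = "arn:aws:secretsmanager:us-west-2:123456789:secret:auth/internal/MySystemUser-ABCDEF";
const stubStore: Record<string, string> = { [ARN]: JSON.stringify({ Username: "myUser", Password: "example-pw" }) };
export const stubGetSecret: GetSecret = (id) => { if (!(id in stubStore)) throw new Error(`no secret ${id}`); return stubStore[id]; };
export const sampleParams = {
  Username: "myUser", UserPoolId: "myUserPoolId", Permanent: true,
  Password: `{{resolve:secretsmanager:${ARN}:SecretString:Password::}}`,
};
```

A real handler would back `GetSecret` with GetSecretValue and call `hasUnresolvedReference` on the final parameters before invoking the SDK, failing the deployment rather than writing the token text.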