Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[custom-resources] Allow passing a Secret value as a parameter to `AwsCustomResource`

See original GitHub issue

It would be convenient to be able to pass a secret {{resolve}} token as a parameter to the AwsCustomResource class and have it resolved at runtime to the actual secret value.

Use Case

I created a custom resource that looked like this:

const systemUser = new cognito.CfnUserPoolUser(this, "CognitoSystemUser", {
  username: 'myUser',
  userPoolId: 'myUserPoolId',
const cognitoUserSecret = new secrets.Secret(this, "CognitoSystemUserSecret", {
  secretName: `auth/internal/MySystemUser`,
  generateSecretString: {
    secretStringTemplate: JSON.stringify({
      Username: user.username,
      UserPoolId: user.userPoolId,
      ClientId: 'myclientid',
    generateStringKey: "Password",
const customResource = new cr.AwsCustomResource(this, "CognitoSystemUserPasswordSetter", {
  onCreate: {
    service: "CognitoIdentityServiceProvider",
    action: "adminSetUserPassword",
    parameters: {
      Username: systemUser.username,
      UserPoolId: systemUser.userPoolId,
      Password: cognitoUserSecret.secretValueFromJson("Password").toString(),
      Permanent: true,
    physicalResourceId: cr.PhysicalResourceId.of(`${systemUser.username}-password-confirmation`),
  policy: cr.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      sid: "AllowSetPasswordForUser",
      effect: iam.Effect.ALLOW,
      actions: ["cognito-idp:AdminSetUserPassword"],
      resources: [
            region: "us-west-2",
            service: "cognito-idp",
            resource: "userpool",
            sep: "/",
            resourceName: systemUser.userPoolId,

This almost works, but it does not actually resolve the password to its value in Secrets Manager. In my case, it set the actual password to the literal string {{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789:secret:auth/internal/MySystemUser-ABCDEF:SecretString:Password::}}.

Proposed Solution

It would be great if the custom resource code looked for {{resolve:secretsmanager}}-style references in the parameters passed to AwsCustomResource and resolved them to their underlying value.


  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:34
  • Comments:6 (5 by maintainers)

github_iconTop GitHub Comments

rix0rrrcommented, Aug 24, 2020

That is disappointing. One would have hoped that CloudFormation did this automatically

jogoldcommented, Aug 19, 2020

Indeed this is currently not supported in custom resources. This would require additional logic in the Lambda function implementing the AwsCustomResource.

Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently supported in custom resources.

Read more comments on GitHub >

github_iconTop Results From Across the Web

class AwsCustomResource (construct) · AWS CDK
A name for the singleton Lambda function implementing this custom resource. installLatestAwsSdk? boolean, Whether to install the latest AWS SDK v2. Allows to ......
Read more >
aws cdk - How to get a value from SecretString returned from ...
Using an AwsCustomResource allows them to override the region from stack. ... It always looks for parameter in stack's account.
Read more >
Implementing Custom Resources with AWS CDK - Medium
Custom Resources allow you to write custom logic in your CloudFormation ... CDK Implements the AWSCustomResource — a lambda-backed custom resource that uses ......
Read more >
Extending CloudFormation using lambda-backed custom ...
Custom resources enable you to write custom provisioning logic in ... name for the secrets which is added to the CF template as...
Read more >
@aws-cdk/custom-resources | Yarn - Package Manager
Validates handler return values to help with correct handler implementation; Supports asynchronous handlers to enable operations that require a long waiting ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found