UserPoolClient - Retrieve the client secret

_Forking off https://github.com/aws/aws-cdk/issues/3037_

I’m not sure if this is the right place, but in my use case, I’d like to authenticate with cognito from an application load balancer action using a secret generated via a UserPoolClient or CfnUserPoolClient.

It doesn’t seem clear how the oidc client secret can be gotten from the UserPoolClient and given to the application load balancer rule actions, as I seem to get a nonsense value from the UserPoolClient.userPoolClientClientSecret property.

Apparently there was a ClientSecret attribute documented on UserPoolClient resources at one point. I’m not sure what happened.

https://github.com/awsdocs/aws-cloudformation-user-guide/issues/72

_Originally posted by @misterjoshua in https://github.com/aws/aws-cdk/issues/3037#issuecomment-592275074_

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 28
  • Comments: 16 (8 by maintainers)

Top GitHub Comments

31 reactions
nija-at commented, Apr 7, 2020

_Originally posted by @0xdevalias in https://github.com/aws/aws-cdk/issues/3037#issuecomment-601427972_

As a followup to @dveijck’s post above replying to @misterjoshua; CDK has a really short/convenient syntax for custom resources that just need to call AWS SDK functions:

A basic example (untested for this use case exactly) derived from some similar code I wrote recently:

    // Requires (CDK v1 module layout, current when this was posted):
    //   import * as cdk from '@aws-cdk/core';
    //   import * as cr from '@aws-cdk/custom-resources';
    // `userPool` and `userPoolClient` are the cognito constructs created earlier in the stack.

    // Custom resource that calls DescribeUserPoolClient once at create time and
    // keeps the SDK response so individual fields can be read back with getResponseField().
    const describeCognitoUserPoolClient = new cr.AwsCustomResource(
      this,
      'DescribeCognitoUserPoolClient',
      {
        resourceType: 'Custom::DescribeCognitoUserPoolClient',
        onCreate: {
          region: 'us-east-1',
          service: 'CognitoIdentityServiceProvider',
          action: 'describeUserPoolClient',
          parameters: {
            UserPoolId: userPool.userPoolId,
            ClientId: userPoolClient.userPoolClientId,
          },
          physicalResourceId: cr.PhysicalResourceId.of(userPoolClient.userPoolClientId),
        },
        // TODO: can we restrict this policy more?
        policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
          resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
        }),
      }
    );

    // The value resolves to Fn::GetAtt on the custom resource, so the secret is rendered
    // into the CloudFormation template and, via CfnOutput, into the visible stack outputs.
    const userPoolClientSecret = describeCognitoUserPoolClient.getResponseField(
      'UserPoolClient.ClientSecret'
    );
    new cdk.CfnOutput(this, 'UserPoolClientSecret', {
      value: userPoolClientSecret,
    });
6 reactions
TassoKarkanisAGMT commented, Aug 2, 2022

Here is @0xdevalias’s solution again, this time in Python:

    def get_user_pool_client_secret(self, pool, client):
        # Maybe a method on the user pool client will be supported soon:
        #
        #  https://github.com/aws/aws-cdk/issues/7225
        
        client_cr = cr.AwsCustomResource(
            self, "CognitoUserPoolDescribeClient",
            function_name="DescribeCognitoUserPoolClient",
            resource_type="Custom::DescribeCognitoUserPoolClient",
            on_create=cr.AwsSdkCall(
                region="us-east-2",
                service="CognitoIdentityServiceProvider",
                action="describeUserPoolClient",
                parameters={
                    "UserPoolId": pool.user_pool_id,
                    "ClientId": client.user_pool_client_id,
                },
                physical_resource_id=cr.PhysicalResourceId.of(client.user_pool_client_id),
            ),
            policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
                resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE
            )
        )

        return client_cr.get_response_field("UserPoolClient.ClientSecret")

A method would be great.
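The two snippets above (the TypeScript and Python custom resources) share two weaknesses worth checking before deploying: the `ANY_RESOURCE` policy grants `cognito-idp:DescribeUserPoolClient` on `*`, and reading the secret through `getResponseField` places it in the CloudFormation template, so a `CfnOutput` of it makes the secret readable to anyone who can describe the stack. The following linter is an added example, not code from the issue or from CDK; it runs over a constructed stand-in for `cdk synth` output, assuming the shape CDK emits for these snippets (an `Fn::GetAtt` on the `Custom::` resource with attribute `UserPoolClient.ClientSecret`, and an `AWS::IAM::Policy` with `Resource: "*"`).

```python
# Constructed stand-in for the `cdk synth` output of the snippets above (not real synth output).
SAMPLE_TEMPLATE = {
    "Resources": {
        "DescribeClientA1B2": {"Type": "Custom::DescribeCognitoUserPoolClient",
                               "Properties": {"Create": "{...}"}},
        "DescribeClientPolicyC3D4": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                              "Action": "cognito-idp:DescribeUserPoolClient"}]}}},
    },
    "Outputs": {"UserPoolClientSecret": {
        "Value": {"Fn::GetAtt": ["DescribeClientA1B2", "UserPoolClient.ClientSecret"]}}},
}

def _get_atts(node):
    """Yield (logicalId, attribute) for every Fn::GetAtt nested anywhere in node."""
    if isinstance(node, dict):
        ga = node.get("Fn::GetAtt")
        if isinstance(ga, list) and len(ga) == 2:
            yield ga[0], ga[1]
        for v in node.values():
            yield from _get_atts(v)
    elif isinstance(node, list):
        for v in node:
            yield from _get_atts(v)

def _as_list(v):
    """IAM Action/Resource may be a string or a list; normalise to a list."""
    return [v] if isinstance(v, str) else list(v or [])

def secret_outputs(template):
    """Names of Outputs whose value is a ClientSecret attribute of a Custom:: resource.
    Stack outputs are readable by any principal allowed cloudformation:DescribeStacks."""
    resources = template.get("Resources", {})
    return [name for name, out in template.get("Outputs", {}).items()
            if any(resources.get(lid, {}).get("Type", "").startswith("Custom::")
                   and attr.endswith("ClientSecret") for lid, attr in _get_atts(out))]

def wildcard_describe_policies(template):
    """Logical IDs of IAM policies granting cognito-idp:DescribeUserPoolClient on '*'
    (the ANY_RESOURCE policy the TODO asks about); scope these to the user pool ARN."""
    hits = []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        for stmt in res.get("Properties", {}).get("PolicyDocument", {}).get("Statement", []):
            if ("cognito-idp:DescribeUserPoolClient" in _as_list(stmt.get("Action"))
                    and "*" in _as_list(stmt.get("Resource"))):
                hits.append(lid)
    return hits
```

Run it against `cdk.out/<stack>.template.json` after `cdk synth`; an empty result from both functions means the secret stays out of stack outputs and the describe permission is scoped.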
