CDK construct validation error when trying use SSM Secure string reference - related to userpool identity provider

[ran-isenberg]

I'm trying to setup a user pool with okta secrets which are stored in ssm parameter store as secured strings.
I'm able to get the tokens as described here:
https://docs.aws.amazon.com/cdk/latest/guide/get_ssm_value.html#ssm_read
and i call the following function in a construct with these tokens:
aws_cognito.CfnUserPoolIdentityProvider

however, i get a cdk construct validation error:
SSM Secure reference is not supported in: [AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret,AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_id]

When I change the parameter type to just string (not secured), it works.
However, this is a big problem since this is an a client secret, stored as plaintext.

Proposed Solution

Implement the ability to use secured strings in this use-case :)

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[0xdevalias]

(This should be labelled to be tracked against #6765 as well)

I hit basically this issue the other day, and resorted to not using SecureString for the time being. I thought about using an AwsCustomResource to solve for this:

• https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_custom-resources.AwsCustomResource.html

---

Somewhere in the docs I was reading that dynamic references in custom resources don't support secure strings yet either:

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html

Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently supported in custom resources.

I haven't actually tried this yet though.. so maybe by calling the AWS SDK you can get it and use it.. may end up echoed into templates though, not sure.

---

Somewhere I thought I read a post/comment on a GitHub issue where someone combined template parameters or similar with secure strings, but I can't actually find that anymore to see if it did actually solve this need.

[MrArnoldPalmer]

This is essentially the same issue as #6786. Cfn basically doesn't support referencing SecureStrings currently.

I think there are a number of ways we could explore to get around this though, a custom resource being one.

[dhruvdakoria]

Hi Team,

Any direction on this is appreciated! Getting the below error when trying to reference password (for self-managed AD configuration in FSx) stored as a Secure String in SSM. cdk diff passes but cdk deploy fails with this error -

ValidationError: SSM Secure reference is not supported in: [AWS::FSx::FileSystem/Properties/WindowsConfiguration/SelfManagedActiveDirectoryConfiguration/Password]

Here's some code I'm using:

var ssmpath = props.windowsConfiguration.selfManagedActiveDirectoryConfiguration["password"];
const encryptionKey=kms.Key.fromKeyArn(this, 'kms-key', 'arn:aws:kms:'+Stack.of(this).region+':'+Stack.of(this).account+':key/'+kmsKeyId);

const getParameter =  ssm.StringParameter.fromSecureStringParameterAttributes(this, 'MySecureValue', {
            parameterName: ssmpath,
            version: 1,
            encryptionKey: encryptionKey,
          });
winConfigUpdWithPassword.selfManagedActiveDirectoryConfiguration["password"] = getParameter.stringValue;

[leantorres73]

Same issue here also in Typescript!