CDK construct validation error when trying use SSM Secure string reference - related to userpool identity provider #6819
Comments
I hit basically this issue the other day, and resorted to not using Somewhere in the docs I was reading that dynamic references in custom resources don't support secure strings yet either:
I haven't actually tried this yet though, so maybe by calling the AWS SDK you can get it and use it. It may end up echoed into templates though, not sure. Somewhere I thought I read a post/comment on a GitHub issue where someone combined template parameters or similar with secure strings, but I can't actually find that anymore to see if it did actually solve this need.
This is essentially the same issue as #6786. Cfn basically doesn't support referencing SecureStrings currently. I think there are a number of ways we could explore to get around this though, a custom resource being one.
Hi team, any direction on this is appreciated! Getting the below error when trying to reference a password (for self-managed AD configuration in FSx) stored as a Secure String in SSM. cdk diff passes but cdk deploy fails with this error -
Here's some code I'm using:
Same issue here, also in TypeScript!
Same issue here with Python... exact same problem, FSx Windows self-managed AD configuration, can't pass the password from a secure parameter.
In the meantime you can keep sensitive values out of source control by pulling the value at synthesis, but depending on how you manage the CDK output and Cfn permissions this value will still be exposed. StringParameter.ValueFromLookup(this, "my-plain-parameter-name");
Why do the docs not mention that secure strings cannot be used in this way? It seems to imply that this is the purpose of these methods. What exactly is the use case of this code in that case?
https://docs.aws.amazon.com/cdk/latest/guide/get_ssm_value.html The
This reverts commit eb4258d. The last build failed with SSM Secure reference is not supported in: [AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret] Apparently "Cloudformation doesn't support referencing SecureString ssm params. This has been a known issue for awhile and we aren't sure if/when support will come." aws/aws-cdk#6786 (comment) aws/aws-cdk#6819
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.
Why is this not supported after all this time?
For some use-cases cdk.SecretValue.ssmSecure() may be of help. This also warns if you try to use it in an unsafe way.
I'd love to see that feature being implemented.
FAILED, SSM Secure reference is not supported in: [AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret] node:internal/errors:984
I'm trying to set up a user pool with Okta secrets which are stored in SSM Parameter Store as secured strings.
I'm able to get the tokens as described here:
https://docs.aws.amazon.com/cdk/latest/guide/get_ssm_value.html#ssm_read
and I call the following function in a construct with these tokens:
aws_cognito.CfnUserPoolIdentityProvider
However, I get a CDK construct validation error:
SSM Secure reference is not supported in: [AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret,AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_id]
When I change the parameter type to just String (not secured), it works.
However, this is a big problem since this is a client secret, stored as plaintext.
Proposed Solution
Implement the ability to use secured strings in this use-case :)
This is a 🚀 Feature Request
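As an added illustration (not code from this issue or from the CDK project), here is a small linter over a synthesized CloudFormation template that reproduces the two concerns raised in this thread: an ssm-secure dynamic reference in a property where CloudFormation does not accept it (the validation error above), and the plaintext fallback where a secret-looking property holds a literal or a plain ssm reference. The sample template and the partial allow-list are constructed assumptions.

```python
import json
import re

# Constructed sample of a synthesized template for the identity provider in
# this issue, plus one resource where CloudFormation does accept ssm-secure.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "OktaProvider": {
        "Type": "AWS::Cognito::UserPoolIdentityProvider",
        "Properties": {
            "ProviderName": "Okta", "ProviderType": "OIDC",
            "UserPoolId": "us-east-1_EXAMPLE",
            "ProviderDetails": {
                "client_id": "{{resolve:ssm:/okta/client-id:1}}",
                "client_secret": "{{resolve:ssm-secure:/okta/client-secret:1}}"}}},
    "DbUser": {
        "Type": "AWS::IAM::User",
        "Properties": {"LoginProfile": {
            "Password": "{{resolve:ssm-secure:/db/admin-password:1}}"}}}}})

# Assumed, deliberately partial allow-list of paths accepting ssm-secure.
SSM_SECURE_ALLOWED = {"AWS::IAM::User/Properties/LoginProfile/Password"}

SECRET_LIKE = re.compile(r"secret|password|token", re.IGNORECASE)
DYNAMIC_REF = re.compile(r"\{\{resolve:(ssm-secure|ssm):")


def _leaves(node, path):
    """Yield (path, value) for every string leaf under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + [key])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, path + [str(index)])
    elif isinstance(node, str):
        yield path, node


def lint_template(template_json):
    """Return sorted (kind, Type/Properties/... path) findings for a template."""
    findings = []
    for resource in json.loads(template_json)["Resources"].values():
        for path, value in _leaves(resource.get("Properties", {}), ["Properties"]):
            full = resource["Type"] + "/" + "/".join(path)
            ref = DYNAMIC_REF.match(value)
            if ref and ref.group(1) == "ssm-secure":
                if full not in SSM_SECURE_ALLOWED:  # the error this issue reports
                    findings.append(("unsupported-ssm-secure", full))
            elif SECRET_LIKE.search(path[-1]):  # literal or plain ssm reference
                findings.append(("plaintext-secret-risk", full))
    return sorted(findings)
```

Run it against the output of cdk synth to catch both cases before cdk deploy; switching client_secret to a plain ssm reference makes the second finding appear instead of the first.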