
CDK construct validation error when trying to use SSM Secure string reference - related to userpool identity provider #6819

Open
ran-isenberg opened this issue Mar 19, 2020 · 12 comments

Labels: @aws-cdk/aws-ssm (Related to AWS Systems Manager), effort/medium (Medium work item – several days of effort), feature-request (A feature should be added or improved.), p1

Comments

@ran-isenberg

I'm trying to set up a user pool with Okta secrets which are stored in SSM Parameter Store as secure strings.
I'm able to get the tokens as described here:
https://docs.aws.amazon.com/cdk/latest/guide/get_ssm_value.html#ssm_read
and I call the following function in a construct with these tokens:

    aws_cognito.CfnUserPoolIdentityProvider

However, I get a CDK construct validation error:

    SSM Secure reference is not supported in: [AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret,AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_id]

When I change the parameter type to just string (not secured), it works.
However, this is a big problem since this is a client secret, stored as plaintext.

Proposed Solution

Implement the ability to use secured strings in this use-case :)

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
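The validation error quoted above names each offending property by its resource type and property path. A pre-deploy check that finds every `{{resolve:ssm-secure:...}}` dynamic reference in a synthesized CloudFormation template and reports it in that same path format is useful when auditing where secure-string values are being wired in. The code below is an added example written for this thread; it is not part of the issue, the CDK, or CloudFormation. The template it walks is a constructed sample (the parameter names and logical IDs are made up), and the allow-list of supported paths is something the caller must supply from the CloudFormation documentation; the example does not claim to know which locations are supported.

```typescript
// Added example (not from the issue or the CDK project): scan a synthesized
// CloudFormation template for "{{resolve:ssm-secure:NAME:VERSION}}" dynamic
// references and report them as TYPE/Properties/.../Key, the same path form
// that the CDK validation error in this issue uses.

type JsonValue =
  | string
  | number
  | boolean
  | null
  | JsonValue[]
  | { [key: string]: JsonValue };

interface SecureRef {
  logicalId: string;     // resource logical ID in the template
  path: string;          // e.g. AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret
  parameterName: string; // SSM parameter name taken from the reference
  version: string;       // version string, or "" if the reference omits it
}

// CloudFormation dynamic-reference syntax for SecureString parameters.
const SSM_SECURE_PATTERN = /\{\{resolve:ssm-secure:([^:}]+):?([^}]*)\}\}/g;

// Depth-first walk over a resource body, invoking onString for every string
// leaf with the path taken to reach it (intrinsic keys such as Fn::Sub show
// up in the path, which is also where CloudFormation would report them).
function walk(
  node: JsonValue,
  path: string[],
  onString: (value: string, path: string[]) => void,
): void {
  if (typeof node === "string") {
    onString(node, path);
    return;
  }
  if (Array.isArray(node)) {
    node.forEach((item, i) => walk(item, [...path, String(i)], onString));
    return;
  }
  if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      // "Type" at the resource root is already the first path element.
      if (path.length === 1 && key === "Type") continue;
      walk(value, [...path, key], onString);
    }
  }
}

function findSsmSecureReferences(template: {
  Resources?: { [logicalId: string]: JsonValue };
}): SecureRef[] {
  const found: SecureRef[] = [];
  const resources = template.Resources ?? {};
  for (const [logicalId, resource] of Object.entries(resources)) {
    const type =
      resource !== null && typeof resource === "object" && !Array.isArray(resource)
        ? String(resource["Type"] ?? "UnknownType")
        : "UnknownType";
    walk(resource, [type], (value, path) => {
      const re = new RegExp(SSM_SECURE_PATTERN.source, "g");
      let m: RegExpExecArray | null;
      while ((m = re.exec(value)) !== null) {
        found.push({ logicalId, path: path.join("/"), parameterName: m[1], version: m[2] });
      }
    });
  }
  return found;
}

// Given an allow-list of property paths the caller has verified against the
// CloudFormation documentation, return the references that fall outside it.
function unexpectedSecureReferences(refs: SecureRef[], allowedPaths: Set<string>): SecureRef[] {
  return refs.filter((ref) => !allowedPaths.has(ref.path));
}

// Constructed sample template; parameter names and IDs are made up.
const SAMPLE_TEMPLATE = {
  Resources: {
    OktaProvider: {
      Type: "AWS::Cognito::UserPoolIdentityProvider",
      Properties: {
        ProviderName: "Okta",
        ProviderType: "OIDC",
        UserPoolId: { Ref: "UserPool" },
        ProviderDetails: {
          client_id: "{{resolve:ssm-secure:/okta/client_id:1}}",
          client_secret: "{{resolve:ssm-secure:/okta/client_secret:1}}",
          oidc_issuer: "https://example.okta.invalid",
        },
      },
    },
    BreakGlassUser: {
      Type: "AWS::IAM::User",
      Properties: {
        LoginProfile: { Password: "{{resolve:ssm-secure:/demo/break-glass-password:2}}" },
      },
    },
  },
};

// Print a report for the sample template when run directly.
for (const ref of findSsmSecureReferences(SAMPLE_TEMPLATE)) {
  console.log(`${ref.logicalId}: ${ref.path} -> ${ref.parameterName} (v${ref.version})`);
}
```

Run it against `cdk.out/<stack>.template.json` after `cdk synth` by passing the parsed JSON to `findSsmSecureReferences`; the reported paths can be compared directly with the ones CloudFormation lists in its `SSM Secure reference is not supported in` error, and `unexpectedSecureReferences` lets a team keep its own verified allow-list rather than discovering the failure at `cdk deploy` time.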

@ran-isenberg ran-isenberg added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Mar 19, 2020
@SomayaB SomayaB added @aws-cdk/aws-cognito Related to Amazon Cognito @aws-cdk/aws-ssm Related to AWS Systems Manager labels Mar 19, 2020
@0xdevalias
Contributor

0xdevalias commented Mar 19, 2020

(This should be labelled to be tracked against #6765 as well)

I hit basically this issue the other day, and resorted to not using SecureString for the time being. I thought about using an AwsCustomResource to solve for this:


Somewhere in the docs I was reading that dynamic references in custom resources don't support secure strings yet either:

Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently supported in custom resources.

I haven't actually tried this yet though, so maybe by calling the AWS SDK you can get it and use it; it may end up echoed into templates though, not sure.


Somewhere I thought I read a post/comment on a GitHub issue where someone combined template parameters or similar with secure strings, but I can't actually find that anymore to see if it did actually solve this need.

@MrArnoldPalmer MrArnoldPalmer added effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. @aws-cdk/aws-cognito Related to Amazon Cognito labels Mar 26, 2020
@MrArnoldPalmer
Contributor

This is essentially the same issue as #6786. CloudFormation basically doesn't support referencing SecureStrings currently.

I think there are a number of ways we could explore to get around this though, a custom resource being one.

@dhruvdakoria
Contributor

Hi Team,

Any direction on this is appreciated! Getting the below error when trying to reference a password (for self-managed AD configuration in FSx) stored as a Secure String in SSM. cdk diff passes but cdk deploy fails with this error:

    ValidationError: SSM Secure reference is not supported in: [AWS::FSx::FileSystem/Properties/WindowsConfiguration/SelfManagedActiveDirectoryConfiguration/Password]

Here's some code I'm using:

    import { Stack } from '@aws-cdk/core';
    import * as kms from '@aws-cdk/aws-kms';
    import * as ssm from '@aws-cdk/aws-ssm';

    // SSM parameter name holding the AD password (read from the construct props)
    const ssmpath = props.windowsConfiguration.selfManagedActiveDirectoryConfiguration["password"];
    // KMS key the SecureString parameter is encrypted with
    const encryptionKey = kms.Key.fromKeyArn(this, 'kms-key',
      'arn:aws:kms:' + Stack.of(this).region + ':' + Stack.of(this).account + ':key/' + kmsKeyId);

    const getParameter = ssm.StringParameter.fromSecureStringParameterAttributes(this, 'MySecureValue', {
      parameterName: ssmpath,
      version: 1,
      encryptionKey: encryptionKey,
    });
    // Token for the secure value; this is the reference CloudFormation rejects
    winConfigUpdWithPassword.selfManagedActiveDirectoryConfiguration["password"] = getParameter.stringValue;

@leantorres73

Same issue here also in Typescript!

@mrpackethead

Same issue here with Python... exact same problem, FSx Windows self-managed AD configuration, can't pass the password from a secure parameter.

@tevans-submittable

tevans-submittable commented Jun 8, 2021

In the meantime you can keep sensitive values out of source control by pulling the value at synthesis, but depending on how you manage the CDK output and CloudFormation permissions this value will still be exposed.

    StringParameter.ValueFromLookup(this, "my-plain-parameter-name");

@MrArnoldPalmer MrArnoldPalmer removed their assignment Jun 21, 2021
@HeskethGD

Why do the docs not mention that secure strings cannot be used in this way? It seems to imply that that is the purpose of these methods. What exactly is the use case of this code in that case?

    // Get specified version of secure string attribute
    const secureStringToken = ssm.StringParameter.valueForSecureStringParameter(
      this, 'my-secure-parameter-name', 1);   // must specify version

https://docs.aws.amazon.com/cdk/latest/guide/get_ssm_value.html

The `StringParameter.ValueFromLookup(this, "my-plain-parameter-name");` approach only works with plain strings, not secure strings.

@PatMyron
Contributor

PatMyron commented Mar 10, 2022

douglasnaphas added a commit to douglasnaphas/madliberation that referenced this issue Mar 8, 2024

    This reverts commit eb4258d.

    The last build failed with

    SSM Secure reference is not supported in:
    [AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret]

    Apparently "Cloudformation doesn't support referencing SecureString ssm
    params. This has been a known issue for awhile and we aren't sure
    if/when support will come."

    aws/aws-cdk#6786 (comment)
    aws/aws-cdk#6819
@pahud pahud added p2 and removed p1 labels Jun 11, 2024

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.

@github-actions github-actions bot added p1 and removed p2 labels Jun 16, 2024
@jasonrdunne

jasonrdunne commented Aug 3, 2024

Why is this not supported after all this time?

@dennisvang

dennisvang commented Aug 30, 2024

For some use cases `cdk.SecretValue.ssmSecure()` may be of help.

This also warns if you try to use it in an unsafe way.

@kucharzyk-sebastian

I'd love to see that feature being implemented.

garyy7811 pushed a commit to ondemandenv/user-pool that referenced this issue Dec 22, 2024

    FAILED, SSM Secure reference is not supported in: [AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret]
    node:internal/errors:984