
UserPoolClient - Retrieving the client secret requires an unnecessary custom resource #28785

Open
mttwise opened this issue Jan 19, 2024 · 1 comment
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito bug This issue is a bug. effort/medium Medium work item – several days of effort p3

Comments


mttwise commented Jan 19, 2024

Describe the bug

A change was merged previously to CDK to support a workaround for getting the client secret. This custom resource requires someone deploying a stack with only Cognito to have a VPC attachment for the custom resource, in accounts with SCPs that require lambdas to run in a VPC.

Expected Behavior

Native CFN is used to get Cognito Client Secrets

Current Behavior

As implemented here, a custom resource is used to get the client secret:
https://github.com/aws/aws-cdk/pull/21262/files#diff-9713362aa6af827d0bf2a8c68319b5bb9c74f888f9ab417266ff1b98aa121ae2R429

Reproduction Steps

Create a Cognito app client with a secret:

from aws_cdk import Duration, SecretValue, aws_cognito

# Inside a Stack or Construct, where `user_pool` is an aws_cognito.UserPool
# and `self.o_auth_settings` is an aws_cognito.OAuthSettings built earlier.
self.client = user_pool.add_client(
    "service-client",
    user_pool_client_name="service-client",
    supported_identity_providers=[
        aws_cognito.UserPoolClientIdentityProvider.COGNITO
    ],
    o_auth=self.o_auth_settings,
    auth_flows=aws_cognito.AuthFlow(
        user_srp=True,
    ),
    refresh_token_validity=Duration.days(1),
    generate_secret=True,
)

# user_pool_client_secret is a SecretValue resolved at deploy time through
# the custom resource; unsafe_unwrap exposes that token as a plain string.
self.my_secret = SecretValue.unsafe_unwrap(self.client.user_pool_client_secret)

Possible Solution

Since the CFN attribute was fixed in 2023, remove the custom resource and instead generate the following CFN during synth to access the client secret:

"UserPoolClientIdSecret":{
    "Value": {
        "Fn::GetAtt": ["CognitoUserPoolClient", "ClientSecret"]
    }
}

Additional Information/Context

No response

CDK CLI Version

2.117.0

Framework Version

No response

Node.js Version

v18.17.1

OS

OSX Sonoma

Language

Python

Language Version

3.10.11

Other information

No response
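A defender-side check that ties the two retrieval paths together, added here as an example and not code from this issue or from CDK: it walks a synthesized CloudFormation template, reports whether the client secret is read natively via Fn::GetAtt on the UserPoolClient or through a Custom:: resource, and lists Lambda functions without VpcConfig, which is exactly what an SCP requiring VPC-attached lambdas would block. The sample template, its logical IDs and the Custom:: type name are constructed for this example.

```python
# Constructed sample of a synthesized template that reads the client secret
# both ways. Logical IDs and the Custom:: type name are illustrative only,
# not the names CDK actually generates.
SAMPLE_TEMPLATE = {
    "Resources": {
        "UserPoolClient": {"Type": "AWS::Cognito::UserPoolClient",
                           "Properties": {"GenerateSecret": True}},
        # Provider Lambda behind the custom resource; note: no VpcConfig.
        "SecretReaderFn": {"Type": "AWS::Lambda::Function",
                           "Properties": {"Runtime": "nodejs18.x"}},
        "DescribeClient": {"Type": "Custom::DescribeCognitoUserPoolClient",
                           "Properties": {"ServiceToken": {"Fn::GetAtt": ["SecretReaderFn", "Arn"]}}},
    },
    "Outputs": {
        "NativeSecret": {"Value": {"Fn::GetAtt": ["UserPoolClient", "ClientSecret"]}},
        "CustomSecret": {"Value": {"Fn::GetAtt": "DescribeClient.UserPoolClient.ClientSecret"}},
    },
}


def _dicts(node):
    """Yield every dict nested anywhere in a JSON-like template tree."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _dicts(value)
    elif isinstance(node, list):
        for value in node:
            yield from _dicts(value)


def audit_client_secret(template):
    """Classify each Fn::GetAtt reaching a ClientSecret as native (attribute of
    the UserPoolClient itself) or custom (attribute of a Custom:: resource), and
    list Lambda functions lacking VpcConfig."""
    resources = template.get("Resources", {})
    findings = {"native": [], "custom": [], "lambda_no_vpc": []}
    for node in _dicts(template):
        target = node.get("Fn::GetAtt")
        if isinstance(target, str):  # "LogicalId.Attr" short form
            target = target.split(".", 1)
        if not isinstance(target, list) or len(target) != 2:
            continue
        logical_id, attr = target
        rtype = resources.get(logical_id, {}).get("Type", "")
        if rtype == "AWS::Cognito::UserPoolClient" and attr == "ClientSecret":
            findings["native"].append(logical_id)
        elif rtype.startswith("Custom::") and attr.endswith("ClientSecret"):
            findings["custom"].append(logical_id)
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::Lambda::Function" and "VpcConfig" not in res.get("Properties", {}):
            findings["lambda_no_vpc"].append(logical_id)
    return findings
```

Run it against the output of `cdk synth` (parsed with `json.load`) to see which path a stack actually uses; a stack on the native path should have no entries under "custom" and no provider Lambda to place in a VPC.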

@mttwise mttwise added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Jan 19, 2024
Contributor

pahud commented Jan 22, 2024

It's great to simplify this and great to see #28800 WIP.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 22, 2024
@pahud pahud added p3 and removed p2 labels Jun 11, 2024