How to force CDK to resolve pre-existing SecretValues at synthesis time (in lambda docker bundling)

[PeterBaker0]

I really like the lambda.Code.from_asset with the Docker bundling options enabled. This allows deployment time bundling of pip dependencies with minimal local or deployment depedencies.

However, I am trying to setup my requirements file to pull github packages which require authorization through an oauth token. The idea is to pipe this token into the environment. This works locally and I have stored the token on secrets manager.

I can pull the secret from secrets manager wtih SecretValue('cdk-github-token') but I cannot get the BundlingOptions environment parameter to resolve the token into the actual secret value so that the pip install can pull from the github https address. The environment is receiving token strings like "${Token[TOKEN.204]}".

The work around I am currently using is to pull the secret with the boto3 sdk and include that as the environment variable in the bundling options. This is quite non ideal as I have to be quite careful about authorization etc for local deployments as boto's sessions won't pickup the user SSO profile automatically. Feels quite fragile in comparison to usual CDK experience.

In short is there a way to force CDK to resolve secrets at synthesis time so that they can be used as environment variables in bundling processes?.

[indrora]

Using boto3 to pull the live value during synthesis is one way to go. A few other options might include using AWS EC2 Image Builder to build your container in the cloud or setting up a deployment role that is used for this purpose.

This is an unfortunate reality in the process of building and deploying through the CDK: if CloudFormation can't resolve it in the CFN template at deploy time from just yaml/json then you have to statically embed it into the template or work around it.

[pahud]

@PeterBaker0

Maybe write a wrapper script like this as AWS CLI goes with SSO profile pretty well.

#!/bin/bash

token=$(aws secretsmanager get-secret-value --secret-id=MySecret --query 'SecretString' --output=text)
npx cdk deploy -c token=${token}

And in your CDK app, you can retrieve the token context variable by tryGetContext and just assign it to your bundling environments.

I am not 100% sure if the plaintext token will be stored in the synthesized template under cdk.out. Better check it out for security.

[andreprawira]

@PeterBaker0 any concrete solution you found? im also stuck in this problem

[PeterBaker0]

I am still using the same work around which is just to directly resolve the secret with the boto3 sdk. I think the answer above could be nicer.

I am having similar and more pressing issues with the ECS image build not being able to accept secrets.