
I have created Cognito UserPool and UserpoolClient via Resources in serverless.yml file like this -

CognitoUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    AccountRecoverySetting:
      RecoveryMechanisms:
        - Name: verified_email
          Priority: 2
    UserPoolName: ${self:provider.stage}-user-pool
    UsernameAttributes:
      - email
    MfaConfiguration: OFF
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireLowercase: True
        RequireNumbers: True
        RequireSymbols: True
        RequireUppercase: True

CognitoUserPoolClient:
  Type: AWS::Cognito::UserPoolClient
  Properties:
    ClientName: ${self:provider.stage}-user-pool-client
    UserPoolId:
      Ref: CognitoUserPool
    ExplicitAuthFlows:
      - ALLOW_USER_PASSWORD_AUTH
      - ALLOW_REFRESH_TOKEN_AUTH
    GenerateSecret: true

Now I can pass the Userpool and UserpoolClient as environment variables to the lambda functions like this -

my_function:
  package: {}
  handler:
  events:
    - http:
        path: <path>
        method: post
        cors: true
  environment:
    USER_POOL_ID: !Ref CognitoUserPool
    USER_POOL_CLIENT_ID: !Ref CognitoUserPoolClient

I can access these IDs in my code as -

USER_POOL_ID = os.environ['USER_POOL_ID']
USER_POOL_CLIENT_ID = os.environ['USER_POOL_CLIENT_ID']

I have printed the values and they are being printed correctly. However, UserpoolClient also generates one AppClient secret which I need to use while generating secret hash. How shall I access app client secret (UserpoolClient's secret) in my lambda?

John Rotenstein

1 Answer


Probably not what you hoped for, but you cannot export the client secret in CloudFormation explicitly. Take a look at the return values of AWS::Cognito::UserPoolClient. There you can only get the client ID.

What you could do is create the client in another CF template and either create a custom resource there that reads the secret and outputs it, or have an intermediate step where you get this value with the CLI and then pass it into serverless.

There is currently no other option.

Aleksander Wons