
AWS + Serverless - how to get at the secret key generated by cognito user pool


I've been following the serverless tutorial at https://serverless-stack.com/chapters/configure-cognito-user-pool-in-serverless.html

I've got the following serverless yaml snippet

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # Generate a name based on the stage
      UserPoolName: ${self:custom.stage}-moochless-user-pool
      # Set email as an alias
      UsernameAttributes:
      - email
      AutoVerifiedAttributes:
      - email

  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      # Generate an app client name based on the stage
      ClientName: ${self:custom.stage}-user-pool-client
      UserPoolId:
        Ref: CognitoUserPool
      ExplicitAuthFlows:
      - ADMIN_NO_SRP_AUTH
      # >>>>> HOW DO I GET THIS VALUE IN OUTPUT <<<<<
      GenerateSecret: true

# Print out the Id of the User Pool that is created
Outputs:
  UserPoolId:
    Value:
      Ref: CognitoUserPool

  UserPoolClientId:
    Value:
      Ref: CognitoUserPoolClient
  #UserPoolSecret:
  #   WHAT GOES HERE?

I'm exporting all my other config variables to a json file (to be consumed by a mobile app, so I need the secret key).

How do I get the secret key generated to appear in my output list?


Solution

  • The ideal way to retrieve the secret key is to use "CognitoUserPoolClient.ClientSecret" in your cloudformation template.

    UserPoolClientIdSecret:
      Value: !GetAtt CognitoUserPoolClient.ClientSecret

    But it is not supported, as explained here, and gives the message shown in the image: "Not supported". You can run the CLI command below to retrieve the secret key as a workaround:

    aws cognito-idp describe-user-pool-client --user-pool-id "us-west-XXXXXX"  --region us-west-2 --client-id "XXXXXXXXXXXXX" --query 'UserPoolClient.ClientSecret' --output text
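Once an app client has a secret, every InitiateAuth, AdminInitiateAuth, SignUp and similar call for that client must also carry a SECRET_HASH, which Cognito defines as Base64(HMAC-SHA256(key = client secret, message = username + client id)); without it the call is rejected. The script below is an added example, not code from the question, the answer or the serverless-stack tutorial: it computes that hash with the standard library (no network needed) and wraps the same describe-user-pool-client lookup as the CLI workaround above via boto3. The user names, client id, secret and region in it are constructed placeholders, and the boto3 call assumes credentials that are allowed to call cognito-idp:DescribeUserPoolClient. One caveat a practitioner should weigh: a client secret shipped inside a mobile app can be pulled out of the binary, so it does not stay secret; AWS's own guidance is to create app clients for mobile and browser apps without a secret, and to reserve GenerateSecret: true for server-side callers such as a backend using ADMIN_NO_SRP_AUTH.

```python
"""Helpers for a Cognito app client created with GenerateSecret: true.

Added example; not part of the original question or answer. The pool/client
IDs come from the stack outputs (UserPoolId, UserPoolClientId); the secret
is whatever describe-user-pool-client returns.
"""
import base64
import hashlib
import hmac


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH for a client that has a secret.

    Cognito defines it as Base64(HMAC-SHA256(key=client_secret,
    msg=username + client_id)). The username must be the same value sent
    as the USERNAME auth parameter (here the e-mail, since the pool uses
    email as the username attribute).
    """
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(mac).decode("ascii")


def auth_parameters(username: str, password: str,
                    client_id: str, client_secret: str) -> dict:
    """AuthParameters for AdminInitiateAuth with AuthFlow=ADMIN_NO_SRP_AUTH.

    Omitting SECRET_HASH on a client that has a secret makes Cognito reject
    the request, which is the usual surprise after turning GenerateSecret on.
    """
    return {
        "USERNAME": username,
        "PASSWORD": password,
        "SECRET_HASH": secret_hash(username, client_id, client_secret),
    }


def fetch_client_secret(user_pool_id: str, client_id: str, region: str) -> str:
    """Same lookup as the CLI workaround, via boto3 (needs credentials/network).

    boto3 is imported lazily so the pure helpers above work without it.
    The caller needs cognito-idp:DescribeUserPoolClient on the pool (assumption
    about your IAM setup, not something the page states).
    """
    import boto3

    cognito = boto3.client("cognito-idp", region_name=region)
    resp = cognito.describe_user_pool_client(
        UserPoolId=user_pool_id, ClientId=client_id
    )
    return resp["UserPoolClient"]["ClientSecret"]


if __name__ == "__main__":
    # Constructed placeholder values; no AWS call is made here.
    demo_client_id = "1example23456789abcdefghij"
    demo_secret = "example-client-secret-from-describe-user-pool-client"
    params = auth_parameters("alice@example.com", "CorrectHorse1!",
                             demo_client_id, demo_secret)
    print({k: v for k, v in params.items() if k != "PASSWORD"})
```

Feed the output of fetch_client_secret (or the CLI command) into the same JSON config file as the other outputs, but keep in mind the caveat above: if that JSON is bundled into the mobile app, the secret travels with it.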