
Add secret() support for SAML metadata in defineAuth() #3088

@shivennn

Description


Environment information

System:
  OS: macOS 15.7.3
  CPU: (10) arm64 Apple M4
  Memory: 193.72 MB / 16.00 GB
  Shell: /bin/bash
Binaries:
  Node: 22.21.1 - /usr/local/bin/node
  Yarn: 1.22.22 - /usr/local/bin/yarn
  npm: 10.9.4 - /usr/local/bin/npm
  pnpm: 10.17.1 - /usr/local/bin/pnpm
NPM Packages:
  @aws-amplify/auth-construct: 1.10.0
  @aws-amplify/backend: 1.19.0
  @aws-amplify/backend-ai: Not Found
  @aws-amplify/backend-auth: 1.9.0
  @aws-amplify/backend-cli: 1.8.1
  @aws-amplify/backend-data: 1.6.2
  @aws-amplify/backend-deployer: 2.1.4
  @aws-amplify/backend-function: 1.15.2
  @aws-amplify/backend-output-schemas: 1.7.1
  @aws-amplify/backend-output-storage: 1.3.2
  @aws-amplify/backend-secret: 1.4.2
  @aws-amplify/backend-storage: 1.4.2
  @aws-amplify/cli-core: 2.2.3
  @aws-amplify/client-config: 1.9.1
  @aws-amplify/data-construct: 1.16.3
  @aws-amplify/data-schema: 1.22.1
  @aws-amplify/deployed-backend-client: 1.8.1
  @aws-amplify/form-generator: 1.2.6
  @aws-amplify/model-generator: 1.2.2
  @aws-amplify/platform-core: 1.10.3
  @aws-amplify/plugin-types: 1.11.1
  @aws-amplify/sandbox: 2.1.4
  @aws-amplify/schema-generator: 1.4.1
  @aws-cdk/toolkit-lib: 1.6.1
  aws-amplify: 6.15.9
  aws-cdk-lib: 2.216.0
  typescript: 5.9.3
No AWS environment variables
No CDK environment variables

Describe the feature

Currently, Amplify Gen 2's secret() function works with OAuth provider credentials (clientId, clientSecret) but not with SAML metadataContent. This creates an inconsistency and forces developers to use environment variables for SAML metadata URLs, which are less secure than secrets stored in AWS Systems Manager Parameter Store.

import { defineAuth, secret } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: true,
    externalProviders: {
      saml: {
        name: 'MicrosoftEntraIDSAML',
        metadata: {
          metadataType: 'URL',
          metadataContent: secret('AZURE_AD_SAML_METADATA_URL'), // ❌ Fails with CDK assembly error
        },
      },
    },
  },
});
Resolution error: Cannot read properties of undefined (reading 'tryFindChild')

Current workaround (less secure) and Alternative Solutions

  • using env variable
metadataContent: process.env.ENTRA_ID_METADATA_URL!,
  • using custom CDK with SSM parameter store
# Store the metadata URL in SSM Parameter Store (String type; the CDK lookup below does not support SecureString)
aws ssm put-parameter \
  --name "/amplify/shared/AZURE_AD_SAML_METADATA_URL" \
  --value "https://login.microsoftonline.com/your-tenant-id/federationmetadata/2007-06/federationmetadata.xml" \
  --type "String"
// amplify/auth/resource.ts: no saml block here; the SAML provider is attached in backend.ts
import { defineAuth } from '@aws-amplify/backend';

export const auth = defineAuth({
  loginWith: {
    email: true,
    externalProviders: {
      callbackUrls: ['http://localhost:3000/'],
      logoutUrls: ['http://localhost:3000/'],
    },
  },
});

// amplify/backend.ts: resolve the URL from SSM at deploy time and create the SAML identity provider with CDK
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import * as cognito from 'aws-cdk-lib/aws-cognito';
import * as ssm from 'aws-cdk-lib/aws-ssm';

const backend = defineBackend({
  auth,
});

// Emits a CloudFormation parameter of type AWS::SSM::Parameter::Value<String>;
// the value is fetched by CloudFormation during deployment, not baked into the template
const metadataUrl = ssm.StringParameter.valueForStringParameter(
  backend.auth.resources.userPool.stack,
  '/amplify/shared/AZURE_AD_SAML_METADATA_URL'
);

new cognito.CfnUserPoolIdentityProvider(backend.auth.resources.userPool.stack, 'SamlIdp', {
  userPoolId: backend.auth.resources.userPool.userPoolId,
  providerName: 'MicrosoftEntraIDSAML',
  providerType: 'SAML',
  providerDetails: {
    MetadataURL: metadataUrl,
  },
});
  • Environment variables - Less secure, values visible in build logs
  • Hard-coding URLs - Not suitable for multi-environment deployments
  • Custom CDK constructs - Defeats the purpose of using Amplify Gen 2's simplified API
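As an added example (not code from the issue or from Amplify), the check below makes the "visible in build logs" point concrete: it scans a synthesized CloudFormation template for plaintext copies of the metadata URL. Both templates are constructed to mimic what the env-var and SSM workarounds produce for the SAML provider resource; the CloudFormation parameter name is a placeholder, since CDK generates a hashed one.

```typescript
// Added example, not code from the issue: find plaintext copies of a secret in a
// synthesized CloudFormation template. Both templates are constructed to mimic
// what the two workarounds in the issue produce for the SAML provider resource.
const METADATA_URL =
  "https://login.microsoftonline.com/your-tenant-id/federationmetadata/2007-06/federationmetadata.xml";
// Minimal CfnUserPoolIdentityProvider resource with a pluggable MetadataURL value.
function samlIdp(metadataUrl: unknown) {
  return {
    SamlIdp: {
      Type: "AWS::Cognito::UserPoolIdentityProvider",
      Properties: {
        ProviderName: "MicrosoftEntraIDSAML",
        ProviderType: "SAML",
        ProviderDetails: { MetadataURL: metadataUrl },
      },
    },
  };
}
// Constructed: process.env bakes the literal URL into the template.
const ENV_VAR_TEMPLATE = { Resources: samlIdp(METADATA_URL) };
// Constructed: valueForStringParameter emits an SSM-typed CloudFormation
// parameter (placeholder logical name), so the URL is fetched only at deploy time.
const SSM_TEMPLATE = {
  Parameters: {
    SsmParameterValueSamlMetadataUrl: {
      Type: "AWS::SSM::Parameter::Value<String>",
      Default: "/amplify/shared/AZURE_AD_SAML_METADATA_URL",
    },
  },
  Resources: samlIdp({ Ref: "SsmParameterValueSamlMetadataUrl" }),
};

// Walk any JSON-like value and collect [jsonPath, value] for each string leaf.
function stringLeaves(node: unknown, path: string, out: Array<[string, string]>): void {
  if (typeof node === "string") out.push([path, node]);
  else if (Array.isArray(node)) node.forEach((v, i) => stringLeaves(v, `${path}[${i}]`, out));
  else if (node && typeof node === "object") {
    const obj = node as Record<string, unknown>;
    Object.keys(obj).forEach((k) => stringLeaves(obj[k], `${path}.${k}`, out));
  }
}

// Template paths at which any sensitive value appears verbatim; an empty result
// means the secret is reachable only through a Ref resolved at deploy time.
function findLeakedValues(template: unknown, sensitive: string[]): string[] {
  const leaves: Array<[string, string]> = [];
  stringLeaves(template, "$", leaves);
  return leaves
    .filter(([, s]) => sensitive.some((v) => v.length > 0 && s.indexOf(v) !== -1))
    .map(([p]) => p);
}
```

Run it against the real `cdk.out` template JSON after `ampx sandbox` or a pipeline build to confirm the SSM variant never carries the URL or tenant id in clear.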

Use case

  • OAuth providers already support secret() for clientId and clientSecret

  • SAML metadata URLs can contain sensitive tenant information

  • Consistency across all external provider configurations would improve developer experience

  • This aligns with AWS security best practices for storing sensitive configuration

export const auth = defineAuth({
  loginWith: {
    email: true,
    externalProviders: {
      saml: {
        name: 'MicrosoftEntraIDSAML',
        metadata: {
          metadataType: 'URL',
          metadataContent: secret('AZURE_AD_SAML_METADATA_URL'), // ✅ Should work
        },
      },
    },
  },
});
