Feature request: Support getting external registry credentials from secrets/parameter store
Closed this issue · 3 comments
Hi-Fi commented
Currently the construct takes the username and password as plain-text parameters, which then end up in plain text both in the CloudFormation template and, at every Lambda execution, in CloudWatch logs.
It would be possible to read those values from Secrets Manager, and to add them in a way that lets CDK handle adding the needed policies.
I think the setting requires the following things:
- Secret name/ARN
- key for username
- key for password
References
wchaws commented
@Hi-Fi Thanks for your nice request. The feature is meaningful. I will support that in the next release. A PR is welcome as well.
Hi-Fi commented
@wchaws If I had time to create a PR, how do you think this should be done?
- As in blog post using the separate layer for secrets
- Including direct calls to Secrets Manager (and probably Parameter Store?) in the current Lambda code (as done in e.g. https://github.com/awslabs/ssosync/blob/master/internal/config/secrets.go)
Maybe the latter would be clearer and easier to read?
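
An added example, not part of the thread or the project's code: a Go sketch of the second option, where the Lambda is given only a secret name/ARN and two key names and resolves the credentials at run time, so no plain-text value reaches the template or the logs. `SecretFetcher`, `CredsRef`, `ResolveCreds` and `fakeStore` are hypothetical names, and the secret is assumed to be stored as a JSON object of string fields; a real fetcher would wrap the AWS SDK's Secrets Manager call.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// SecretFetcher is a hypothetical stand-in for Secrets Manager GetSecretValue.
type SecretFetcher interface {
	GetSecretString(secretID string) (string, error)
}

// CredsRef holds the three settings the issue lists (field names are assumptions).
type CredsRef struct {
	SecretID, UsernameKey, PasswordKey string // SecretID: secret name or ARN
}

// ResolveCreds reads the secret at run time; its errors never echo secret content.
func ResolveCreds(f SecretFetcher, ref CredsRef) (user, pass string, err error) {
	raw, err := f.GetSecretString(ref.SecretID)
	if err != nil {
		return "", "", fmt.Errorf("fetch secret %q: %w", ref.SecretID, err)
	}
	var fields map[string]string
	if err := json.Unmarshal([]byte(raw), &fields); err != nil {
		return "", "", errors.New("secret is not a JSON object of string fields")
	}
	for _, k := range []string{ref.UsernameKey, ref.PasswordKey} {
		if fields[k] == "" {
			return "", "", fmt.Errorf("secret has no value under key %q", k)
		}
	}
	return fields[ref.UsernameKey], fields[ref.PasswordKey], nil
}

// fakeStore is constructed in-memory data so the example runs offline.
type fakeStore map[string]string
func (s fakeStore) GetSecretString(id string) (string, error) {
	if v, ok := s[id]; ok {
		return v, nil
	}
	return "", errors.New("secret not found")
}

func main() {
	store := fakeStore{"registry/creds": `{"user":"ci-bot","pass":"constructed-value"}`}
	u, _, err := ResolveCreds(store, CredsRef{"registry/creds", "user", "pass"})
	fmt.Println(u, err) // only the username is printed; the password is never logged
}
```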