No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hey! can you share the code you have currently so I can visualize what you're saying

I can post snippets. The main repo is not open source.

```  const service = new awsx.ecs.EC2Service(ecsName, {
    cluster,
    desiredCount: 1,
    deploymentMinimumHealthyPercent: 0,
    subnets: args.vpc.privateSubnetIds,
    taskDefinitionArgs: {
      containers: {
        [name]: {
          image: imageUrl,
          repositoryCredentials: {
            credentialsParameter: config.privateRegistrySecretArn,
          },
          memory: 128,
          portMappings: [],
          secrets: [{ name: 'SECRETS', valueFrom: config.applicationSecretArn }],
          environment: [{ name: 'ENVIRONMENT', value: config.environment }],
        },
      },
      executionRole: executionRole,
      taskRole: taskRole,
    },
  });```

Here is the ECS snippet that I’ve arrived at. In the `secrets` list and in the `credentialsParameter`, I am referencing the ARN of secrets in AWS secrets manager.

My first pass was to create the secret using Pulumi.

```const applicationSecret = new aws.secretsmanager.Secret('app-secret', {});```

so in place of `config.applicationSecretArn` I wanted to use `applicationSecret.arn` , or if that wouldn’t work wrap it in `pulumi.interpolate`.

The problem is that `applicationSecret.arn` returns a promise, and `pulumi.interpolate` returns an `Output&lt;string&gt;`, but for both `credentialsParameter` and `valueFrom` the only valid type is `string`.

ah, _think_ I'm following. It's difficult to allow things like `taskDefinitionArgs` to take an output because of the upstream schema - outputs are reserved really for things now known until after compile time. I suspect there's a technical reason why we can't allow `Output[string]` here (cc <@UB3BGTV63>?) but I don't know it off the top of my head.

In any case, you should be able to achieve what you need using an `apply`.

This is being tracked in <https://github.com/pulumi/pulumi-awsx/issues/453> and has a couple options for workarounds in the comments there, FYI.

Awesome, that link is very helpful! I was playing with apply, but hadn’t realized that it could be used at the level of the `secrets` key.