No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi! I'm trying to use AWS SecretsManager with an ECS service I'm provisioning. In the few places that receive a secret ARN, the pulumi typescript expects a `string` rather than an `Output&lt;string&gt;` . We'd expect it to accept `string | Output&lt;string&gt;`, so that we can dynamically assign it from a `new aws.secretsmanager.Secret`.

Hey! can you share the code you have currently so I can visualize what you're saying

I can post snippets. The main repo is not open source.

```  const service = new awsx.ecs.EC2Service(ecsName, {
    cluster,
    desiredCount: 1,
    deploymentMinimumHealthyPercent: 0,
    subnets: args.vpc.privateSubnetIds,
    taskDefinitionArgs: {
      containers: {
        [name]: {
          image: imageUrl,
          repositoryCredentials: {
            credentialsParameter: config.privateRegistrySecretArn,
          },
          memory: 128,
          portMappings: [],
          secrets: [{ name: 'SECRETS', valueFrom: config.applicationSecretArn }],
          environment: [{ name: 'ENVIRONMENT', value: config.environment }],
        },
      },
      executionRole: executionRole,
      taskRole: taskRole,
    },
  });```

Here is the ECS snippet that I’ve arrived at. In the `secrets` list and in the `credentialsParameter`, I am referencing the ARN of secrets in AWS secrets manager.

My first pass was to create the secret using Pulumi.

```const applicationSecret = new aws.secretsmanager.Secret('app-secret', {});```

so in place of `config.applicationSecretArn` I wanted to use `applicationSecret.arn` , or if that wouldn’t work wrap it in `pulumi.interpolate`.

The problem is that `applicationSecret.arn` returns a promise, and `pulumi.interpolate` returns an `Output&lt;string&gt;`, but for both `credentialsParameter` and `valueFrom` the only valid type is `string`.

ah, _think_ I'm following. It's difficult to allow things like `taskDefinitionArgs` to take an output because of the upstream schema - outputs are reserved really for things now known until after compile time. I suspect there's a technical reason why we can't allow `Output[string]` here (cc <@UB3BGTV63>?) but I don't know it off the top of my head.

In any case, you should be able to achieve what you need using an `apply`.

This is being tracked in <https://github.com/pulumi/pulumi-awsx/issues/453> and has a couple options for workarounds in the comments there, FYI.

Awesome, that link is very helpful! I was playing with apply, but hadn’t realized that it could be used at the level of the `secrets` key.