# getting-started
Hi Team, I am using an AWS secret to store the client secret of my IdP provider. How can I attach the secret ARN to the IdP provider param in Cognito? Currently I have added it as a #CDE799L1M variable. But these values will be visible in the preview command and action logs. This will cause a security issue.
import json

import pulumi_aws as aws

# other_secret_arn, idp_config, resource_prefix and user_pool are defined earlier in the program.

# Plain invoke: the result is an ordinary Python object, so secret_string is a plaintext str.
other_secret_version = aws.secretsmanager.get_secret_version(
    secret_id=other_secret_arn,
)
other_secret = json.loads(other_secret_version.secret_string)

google_idp = None
if idp_config.get("google") and idp_config["google"].get("enabled", False):
    google_client_id = other_secret.get("GOOGLE_CLIENT_ID")
    google_client_secret = other_secret.get("GOOGLE_CLIENT_SECRET")
    if not google_client_id or not google_client_secret:
        raise ValueError(f"Google client ID and secret must be provided in the {other_secret_arn}.")

    # The plaintext values are passed straight into the resource inputs here,
    # which is why they show up unredacted in preview output and action logs.
    google_idp = aws.cognito.IdentityProvider(
        f"{resource_prefix}-google-idp",
        user_pool_id=user_pool.id,
        provider_name="Google",
        provider_type="Google",
        provider_details={
            "client_id": google_client_id,
            "client_secret": google_client_secret,
            "authorize_scopes": idp_config["google"].get("authorize_scopes", ""),
        },
        attribute_mapping=idp_config["google"].get("attribute_mapping", {}),
    )
You can mark arbitrary values as secret with pulumi.Output.secret (https://www.pulumi.com/docs/reference/pkg/python/pulumi/#pulumi.Output.secret). They'll then be hidden from the display by default.