# aws
Hi Team, I am using an AWS secret to store the client secret of my IdP provider. How can I attach the secret ARN to the IdP provider param in Cognito? Currently I have added it as a #CDE799L1M variable. But these values will be visible in the preview command and action logs. This will cause a security issue.
import json

import pulumi_aws as aws

# other_secret_arn, idp_config, resource_prefix and user_pool are defined
# earlier in the program (not shown here).

# Read the IdP credentials from Secrets Manager as a plain JSON string.
other_secret_version = aws.secretsmanager.get_secret_version(
    secret_id=other_secret_arn,
)
other_secret = json.loads(other_secret_version.secret_string)

google_idp = None
if idp_config.get("google") and idp_config["google"].get("enabled", False):
    google_client_id = other_secret.get("GOOGLE_CLIENT_ID")
    google_client_secret = other_secret.get("GOOGLE_CLIENT_SECRET")
    if not google_client_id or not google_client_secret:
        raise ValueError(f"Google client ID and secret must be provided in the {other_secret_arn}.")

    # The client secret is passed as a plain string, so it ends up as a
    # plaintext resource input in preview output and state.
    google_idp = aws.cognito.IdentityProvider(
        f"{resource_prefix}-google-idp",
        user_pool_id=user_pool.id,
        provider_name="Google",
        provider_type="Google",
        provider_details={
            "client_id": google_client_id,
            "client_secret": google_client_secret,
            "authorize_scopes": idp_config["google"].get("authorize_scopes", ""),
        },
        attribute_mapping=idp_config["google"].get("attribute_mapping", {}),
    )
You could use Pulumi's secret() function, which will obfuscate the value in state. There are other ways of hiding secrets, but for the code you've got right now, this is the simplest fix. https://www.pulumi.com/docs/reference/pkg/python/pulumi/#pulumi.Output.secret
In JS/TS, there's a convenience function for this:
const secretSeven = pulumi.secret(7);
I don't know what the equivalent in Python is, hopefully the docs linked make more sense to you than to me.