Remove NoEcho option from Parameter #19
Do you mean that it appears in the CloudFormation stack details?
I do. It is available in the Parameters tab of the deployed stack.
AWS currently recommends using a feature called dynamic references which allows CloudFormation stack templates to access secrets configured in advance in Parameter Store or Secrets Manager. This isn't much different to what the current CloudFormation stack does except for a difference in order. The current stack template requires a token as a parameter then builds a secret in Secrets Manager.
Please add a backlog item for this then. I would rather we go for recommended approaches than this trade-off.
The NoEcho option on the DataHubAccessToken prevents the parameter from being accessible in resources within the CloudFormation template. This bugfix removes the NoEcho option which makes the parameter accessible but with the tradeoff that the token is accessible as plain text within the AWS context. While this bugfix stabilizes a failing template, an alternative solution which better handles secret values should be next steps.
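
The two orderings discussed in the conversation, side by side, as an added example that is not taken from this repository's template. All resource names, the secret name `datahub/access-token`, its JSON key `token`, and the EventBridge connection used as the consumer are assumptions for illustration.

```yaml
# --- Pattern described in this PR: token arrives as a stack parameter ---
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DataHubAccessToken:
    Type: String            # without NoEcho the value is shown in the Parameters tab
Resources:
  DataHubTokenSecret:       # hypothetical logical ID
    Type: AWS::SecretsManager::Secret
    Properties:
      SecretString: !Ref DataHubAccessToken
---
# --- Dynamic-reference pattern: the secret exists before the stack does ---
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DataHubTokenSecretId:     # only the secret's name is a parameter, never its value
    Type: String
    Default: datahub/access-token   # constructed placeholder
Resources:
  DataHubConnection:        # hypothetical consumer of the token
    Type: AWS::Events::Connection
    Properties:
      AuthorizationType: API_KEY
      AuthParameters:
        ApiKeyAuthParameters:
          ApiKeyName: Authorization
          # Resolved by CloudFormation at deploy time from Secrets Manager;
          # assumes the secret is JSON with a "token" key.
          ApiKeyValue: !Sub "{{resolve:secretsmanager:${DataHubTokenSecretId}:SecretString:token}}"
```

In the second template the Parameters tab shows only the secret's name, and the deploying role needs `secretsmanager:GetSecretValue` on that secret.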