
I created a CloudFormation script which creates an AWS Cognito user pool and deploys a set of AWS Lambda functions. The CloudFormation YAML looks like below:

  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName:  !Sub ${EnvPrefix}-smartshoesuserpool
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireUppercase: true
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          TemporaryPasswordValidityDays: 7
      AutoVerifiedAttributes:
        - email
      AliasAttributes:
        - email
      EmailVerificationMessage: 'Your verification code is {####}. '
      EmailVerificationSubject: Your verification code
      VerificationMessageTemplate:
        EmailMessage: 'Your verification code is {####}. '
        EmailSubject: Your verification code
        DefaultEmailOption: CONFIRM_WITH_CODE
      MfaConfiguration: 'OFF'
      EmailConfiguration:
        EmailSendingAccount: COGNITO_DEFAULT
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: false
        InviteMessageTemplate:
          SMSMessage: 'Your username is {username} and temporary password is {####}. '
          EmailMessage: 'Your username is {username} and temporary password is {####}. '
          EmailSubject: Your temporary password
      UsernameConfiguration:
        CaseSensitive: false
      AccountRecoverySetting:
        RecoveryMechanisms:
        - Priority: 1
          Name: verified_email
        - Priority: 2
          Name: verified_phone_number
      UserPoolTags:
        Creator: !Ref CreatorUsername
        Environment:  !Ref EnvPrefix
      
  # User Pool client
  # exported with: aws cognito-idp describe-user-pool-client --user-pool-id eu-central-1_E5ZQHWb1N --client-id 7oasfnq1cld9sh4jajjap2g80p
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      UserPoolId: !Ref UserPool
      ClientName: !Sub ${EnvPrefix}-smartshoesuserpoolclient
      RefreshTokenValidity: 30
      ReadAttributes:
      - email
      - email_verified
      WriteAttributes:
      - email
      ExplicitAuthFlows:
      - ALLOW_ADMIN_USER_PASSWORD_AUTH
      - ALLOW_CUSTOM_AUTH
      - ALLOW_REFRESH_TOKEN_AUTH
      - ALLOW_USER_PASSWORD_AUTH
      - ALLOW_USER_SRP_AUTH
      AllowedOAuthFlowsUserPoolClient: false
      PreventUserExistenceErrors: ENABLED

Simply put, it creates a UserPool and a UserPoolClient. But I have a problem, because in the Lambda function I have to know the UserPoolId, UserClientId and ClientSecret, and I have not found a method to get these values inside the CloudFormation YAML. I can write a short Python program using Boto3 that searches for the UserPool and the other values, but I cannot execute it inside the YAML. How do you get these parameters and 'inject' them into the Lambda function during the deployment phase?

.....
def initiate_auth(client, username, password):
    # get_secret_hash (defined elsewhere) returns base64(HMAC-SHA256(client_secret, username + client_id)),
    # which Cognito requires as SECRET_HASH when the app client has a client secret
    secret_hash = get_secret_hash(username)
    try:
        resp = client.admin_initiate_auth(
            UserPoolId=USER_POOL_ID,        # pool ID, client ID and client secret must be known at runtime
            ClientId=CLIENT_ID,
            AuthFlow='ADMIN_NO_SRP_AUTH',   # legacy name of ADMIN_USER_PASSWORD_AUTH; needs ALLOW_ADMIN_USER_PASSWORD_AUTH on the client
            AuthParameters={
                'USERNAME': username,
                'SECRET_HASH': secret_hash,
                'PASSWORD': password,
            },
            # ClientMetadata is forwarded verbatim to the pool's Lambda triggers,
            # so this hands them the plaintext password as well
            ClientMetadata={
                'username': username,
                'password': password,
            })
    except client.exceptions.NotAuthorizedException:
        return None   # wrong password or disabled user; the original error handling is elided here
    return resp
....

1 Answer


I can write a short Python program using Boto3 that searches for the UserPool and the other values, but I cannot execute it inside the YAML

You can consider developing a custom resource in CloudFormation. The resource would be a Lambda function which could execute your Python script and return any needed values to other resources in your template.

However, if you also create your Lambda functions in the same template, you can pass the IDs using the function's Environment property:

Environment variables that are accessible from function code during execution.

Marcin
  • Thank you, it is a nice solution, but this problem is general and I am surprised that it is not solved in a general way. Or maybe I'm wrong and people have solved this problem in another way. – Michal Szymanski Aug 09 '20 at 10:14
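As an added example (not part of the question or of Marcin's answer), this is what the Environment-property approach looks like when the Lambda function lives in the same template as the UserPool and UserPoolClient above, together with an execution role limited to the single call the question's Python code makes. The function name, handler, CodeBucket parameter and S3 key are assumed placeholders. It also assumes two things the page does not state: that the app client was created with GenerateSecret: true (the question's template does not set it, and the default is false, in which case the client has no secret and SECRET_HASH is not needed at all), and that the deployed CloudFormation supports the ClientSecret return attribute of AWS::Cognito::UserPoolClient, which did not exist when the question was posted and is the reason a custom resource was the only option then.

```yaml
Resources:
  # UserPool and UserPoolClient exactly as in the question, plus on the client:
  #   GenerateSecret: true        # assumed; without it there is no ClientSecret to read

  AuthFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole   # CloudWatch Logs only
      Policies:
        - PolicyName: cognito-admin-auth
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: only the API the function calls, only on this pool.
              # Ref on AWS::Cognito::UserPool returns the pool ID; GetAtt Arn returns the pool ARN.
              - Effect: Allow
                Action: cognito-idp:AdminInitiateAuth
                Resource: !GetAtt UserPool.Arn

  AuthFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub ${EnvPrefix}-smartshoes-auth   # placeholder name
      Runtime: python3.12
      Handler: auth.handler                             # placeholder module.function
      Role: !GetAtt AuthFunctionRole.Arn
      Code:
        S3Bucket: !Ref CodeBucket                       # placeholder template parameter
        S3Key: auth.zip                                 # placeholder object key
      Environment:
        Variables:
          # These are the three values the question's code reads as USER_POOL_ID,
          # CLIENT_ID and the client secret; CloudFormation resolves them at deploy time.
          USER_POOL_ID: !Ref UserPool            # Ref on a UserPool is the pool ID
          CLIENT_ID: !Ref UserPoolClient         # Ref on a UserPoolClient is the client ID
          CLIENT_SECRET: !GetAtt UserPoolClient.ClientSecret   # see caveat below
```

Two caveats a reviewer would raise. First, a Lambda environment variable is plaintext to anyone with lambda:GetFunctionConfiguration and is shown in the console and in stack events, so CLIENT_SECRET here is a secret stored in a non-secret place; if the caller is a server-side Lambda that already authenticates to Cognito with IAM credentials (AdminInitiateAuth is an IAM-authorized call), an app client without a secret removes the need to handle it at all, and otherwise the secret belongs in Secrets Manager or an SSM SecureString that the function reads at runtime. Second, the IAM statement above grants only AdminInitiateAuth; if the function later calls AdminRespondToAuthChallenge or other cognito-idp actions, each one has to be added deliberately rather than by widening the action to cognito-idp:*.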