How can i use SecretValue in ECS?

[a4rcvv]

Hello. This is my first time using CDK, so sorry if this is a weird question.

Situation

For example, I have two constructs like this:

export class Auth extends Construct{
  readonly userPoolId: string
  readonly userPoolClientId: string
  readonly userPoolClientSecret: SecretValue
  constructor(scope: Construct, id: string)){
    super(scope, id);
  
    const userPool = new UserPool(this, "UserPool", {})
    const userPoolClient = new UserPoolClient(this, "UserPoolClient", {
        userPool: userPool,
        userPoolClientName: "web",
        generateSecret: true
    })
  
    this.userPoolId = userPool.userPoolId
    this.userPoolClientId = userPoolClient.userPoolClientId
    this.userPoolClientSecret = userPoolClient.userPoolClientSecret
  }
}

export type EcsServiceProps = {
  environment: {[key: string]: string}
  secrets: {[key: string]: Secret}
}

export class ECSService extends Construct{
  constructor(scope: Construct, id: string)){
    super(scope, id);
    const taskDefinition = new FargateTaskDefinition(this, "TaskDefinition", {});
    const container = taskDefinition.addContainer("Container", {
      image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
      environment: props.environment,
      secrets: props.secrets
    })
    // service definition will be here...
  }
}

Question

I want to use auth.userPoolClientSecret in ECS, but I don't know how to do it.

export class AppStack extends Stack{
  constructor(scope: Construct, id: string{
    super(scope, id, props);
    const auth = new Auth(this, "Auth")
    const ecsService = new ECSService(this, "service", {
      environment: {
        "COGNITO_SECRET": auth.userPoolClientSecret.toString()  // This is dangerous
      },
      secrets: {
        // can I store `auth.userPoolClientSecret` in SecretManager or SSM ParameterStore and 
        // use it at here?
      }
    })
  }
}

Calling toString() like above will cause an error like below, and I know this is a dangerous usage.

Resolution error: Synthing a secret value to Resources/... Using a SecretValue here risks exposing your secret. Only pass SecretValues to constructs that accept a SecretValue property, or call AWS Secrets Manager directly in your runtime code. Call 'secretValue.unsafeUnwrap()' if you understand and accept the risks.

For now I came up with the idea like this, but it is a bit confusing.

1. Deploy Cognito as a separate stack
2. Store the secret in the SSM ParameterStore manually
3. Use it as secrets of ECSService

So what is the recommended way to use SecretValue in ECS?