This was actually a major frustration of mine with building Docker-based assets in CDK... Injecting tokens into my build seems very important to me and I was surprised that there was no elegant support for it.
The way to solve this is to create a CodeBuild project and use a Provider and CustomResource to trigger it at deployment time.
I've actually built a pretty neat solution that I've used with great success in my own personal projects: https://constructs.dev/packages/token-injectable-docker-builder
You can check it out here: https://medium.com/p/3914fc08ca1e. It's called the TokenInjectableDockerBuilder, and it's open source. If you want to dig through the code itself, you can check it out here: https://github.com/AlexTech314/TokenInjectableDockerBuilder/blob/main/src/index.ts.