diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
index 86d94c78726f7..c78bbe6d00484 100644
--- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
+++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/apple.ts
@@ -2,6 +2,7 @@ import { Construct } from 'constructs';
 import { UserPoolIdentityProviderProps } from './base';
 import { CfnUserPoolIdentityProvider } from '../cognito.generated';
 import { UserPoolIdentityProviderBase } from './private/user-pool-idp-base';
+import { SecretValue } from '../../../core';
 
 /**
 * Properties to initialize UserPoolAppleIdentityProvider
@@ -22,8 +23,16 @@ export interface UserPoolIdentityProviderAppleProps extends UserPoolIdentityProv
 readonly keyId: string;
 /**
 * The privateKey content for Apple APIs to authenticate the client.
+ *
+ * @deprecated use privateKeyValue
+ * @default none
 */
- readonly privateKey: string;
+ readonly privateKey?: string;
+ /**
+ * The privateKey content for Apple APIs to authenticate the client.
+ * @default none
+ */
+ readonly privateKeyValue?: SecretValue;
 /**
 * The list of apple permissions to obtain for getting access to the apple profile
 * @see https://developer.apple.com/documentation/sign_in_with_apple/clientconfigi/3230955-scope
@@ -44,6 +53,12 @@ export class UserPoolIdentityProviderApple extends UserPoolIdentityProviderBase
 
 const scopes = props.scopes ?? ['name'];
 
+ // Exactly one of the properties must be configured
+ if ((!props.privateKey && !props.privateKeyValue) ||
+ (props.privateKey && props.privateKeyValue)) {
+ throw new Error('Exactly one of "privateKey" or "privateKeyValue" must be configured.');
+ }
+
 const resource = new CfnUserPoolIdentityProvider(this, 'Resource', {
 userPoolId: props.userPool.userPoolId,
 providerName: 'SignInWithApple', // must be 'SignInWithApple' when the type is 'SignInWithApple'
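Review bot: The `@deprecated` tag on `privateKey` gives no reason, and the new `privateKeyValue` doc repeats the old description word for word, so a reader cannot tell why one is preferred over the other. Suggest `@deprecated use privateKeyValue; a plain string is embedded verbatim in the synthesized template` on `privateKey`, and on `privateKeyValue` a sentence such as `The privateKey content as a SecretValue; a Secrets Manager-backed value is rendered as a dynamic reference and resolved by CloudFormation at deploy time` (the test added in this commit shows that `{{resolve:secretsmanager:...}}` rendering). The interface continues outside the hunk.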
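Review bot: The exactly-one check tests truthiness rather than presence, so `privateKey: ''` is treated as not configured and fails with the "Exactly one ..." message instead of a message about the empty key. If that is intended, the comment should say so, e.g. `// Exactly one of the properties must be configured (an empty privateKey string counts as unset)`; otherwise compare with `=== undefined` so the two conditions are stated explicitly. The enclosing constructor starts and ends outside the hunk.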
@@ -52,7 +67,7 @@ export class UserPoolIdentityProviderApple extends UserPoolIdentityProviderBase
 client_id: props.clientId,
 team_id: props.teamId,
 key_id: props.keyId,
- private_key: props.privateKey,
+ private_key: props.privateKeyValue ? props.privateKeyValue.unsafeUnwrap() : props.privateKey,
 authorize_scopes: scopes.join(' '),
 },
 attributeMapping: super.configureAttributeMapping(),
diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
similarity index 68%
rename from packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.ts
rename to packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
index c38e5b16ee73b..a299953d1cc8f 100644
--- a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.ts
+++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts
@@ -1,5 +1,5 @@
 import { Template } from '../../../assertions';
-import { Stack } from '../../../core';
+import { Stack, SecretValue } from '../../../core';
 import { ProviderAttribute, UserPool, UserPoolIdentityProviderApple } from '../../lib';
 
 describe('UserPoolIdentityProvider', () => {
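Review bot: The new `private_key` line calls `unsafeUnwrap()` without saying why bypassing SecretValue's protection is acceptable here, which is exactly the kind of line the next maintainer will question. The test in this commit shows a Secrets Manager-backed value still renders as a `{{resolve:secretsmanager:...}}` dynamic reference, so a why-comment such as `// unsafeUnwrap: the Cfn property is a plain string; Secrets Manager-backed values still render as deploy-time dynamic references, whereas a plain-text SecretValue would presumably be inlined into the template` would capture the trade-off. Style: the ternary reads more simply as `private_key: props.privateKeyValue?.unsafeUnwrap() ?? props.privateKey,` (the file already uses `??`). The enclosing constructor starts and ends outside the hunk.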
@@ -102,12 +102,51 @@ describe('UserPoolIdentityProvider', () => {
 // THEN
 Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
 AttributeMapping: {
- family_name: 'firstName',
- given_name: 'lastName',
+ family_name: 'lastName',
+ given_name: 'firstName',
 customAttr1: 'email',
 customAttr2: 'sub',
 },
 });
 });
+
+ // cannot assign both privateKey and privateKeyValue
+ test('cannot assign both privateKey and privateKeyValue', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'userpool');
+
+ expect(() => {
+ new UserPoolIdentityProviderApple(stack, 'userpoolidp', {
+ userPool: pool,
+ clientId: 'com.amzn.cdk',
+ teamId: 'CDKTEAMCDK',
+ keyId: 'XXXXXXXXXX',
+ privateKey: 'PRIV_KEY_CDK',
+ privateKeyValue: SecretValue.secretsManager('dummyId'),
+ });
+ }).toThrow('Exactly one of "privateKey" or "privateKeyValue" must be configured.');
+ });
+
+ // should support privateKeyValue
+ test('should support privateKeyValue', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'userpool');
+
+ new UserPoolIdentityProviderApple(stack, 'userpoolidp', {
+ userPool: pool,
+ clientId: 'com.amzn.cdk',
+ teamId: 'CDKTEAMCDK',
+ keyId: 'XXXXXXXXXX',
+ privateKeyValue: SecretValue.secretsManager('dummyId'),
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
+ ProviderDetails: {
+ private_key: '{{resolve:secretsmanager:dummyId:SecretString:::}}',
+ },
+ });
+ });
 });
 });
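Review bot: The new tests cover the both-configured and privateKeyValue-only cases but not the third branch of the new check, neither property configured, so a regression in that branch would pass the suite. Add a test mirroring 'cannot assign both privateKey and privateKeyValue' that omits both `privateKey` and `privateKeyValue` and expects the same 'Exactly one of ...' error. The `family_name`/`given_name` swap at the top of the hunk corrects an existing expectation unrelated to privateKeyValue and deserves a sentence in the commit description. The enclosing `describe` block starts outside the hunk.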