Hot to retrieve the generated app client id when creating an ElasticSearch service

[zordark]

Good day,
When I configure an ES domain to use Amazon Cognito authentication for Kibana, ES adds an app client to the user pool. I need to retrieve the app client id, to be able to add role mapping. More specifically, I need to change the authenticated role selection to type token instead of the default option. In CDK, I can do that like this:

new CfnIdentityPoolRoleAttachment(this, 'RoleAttachment', {

        ...

        roleMappings: {

            'app client id here': {
                type: 'Token',
                ambiguousRoleResolution: 'AuthenticatedRole'
            }
        },
        ...
    });

I saw some recommendations in these 2 articles:
#7119
aws-samples

unfortunately, I can't use them, because we creating a few clusters in CDK and we have some other app clients,
and probably I can't rely on the app client index in the user pool

    const userPoolClients = new AwsCustomResource(this, 'clientIdResource', {
      policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: [userPool.attrArn] }),
      onCreate: {
        service: 'CognitoIdentityServiceProvider',
        action: 'listUserPoolClients',
        parameters: {
          UserPoolId: userPool.ref
        },
        physicalResourceId: PhysicalResourceId.of(`ClientId-${applicationPrefix}`)
      }
    });
    userPoolClients.node.addDependency(esDomain);

    const clientId = userPoolClients.getResponseField('UserPoolClients.0.ClientId');
    const providerName = `cognito-idp.${this.region}.amazonaws.com/${userPool.ref}:${clientId}`

Is there another way how I can get it ?