External Secrets Operator: Using versioned secrets from the AWS Secrets Manager

Kubernetes ExternalSecret Secrets Manager AWS versions

2 min read | by Jordi Prats

When using the AWS Secrets Manager, every update to a secret creates a new version identified by a unique UUID. Secrets Manager also moves the VersionStages labels AWSCURRENT and AWSPREVIOUS so that they point to the new and the previous version respectively. We can use these labels with the External Secrets Operator to retrieve either the current or the previous version of a secret.

To do so, we can use the version field within the remoteRef in order to specify whether we want the AWSCURRENT or the AWSPREVIOUS:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: es-demo-with-latest-ver
spec:
  secretStoreRef:
    kind: SecretStore
    name: demo-ss
  target:
    name: versioned-secrets
  refreshInterval: 1h
  data:
  - remoteRef:
      key: /example/key
      property: demo
      version: AWSCURRENT
    secretKey: demo-current
  - remoteRef:
      key: /example/key
      property: demo
      version: AWSPREVIOUS
    secretKey: demo-previous
```

We can also pin a specific version by its UUID: set version to the UUID prefixed with uuid/.

Depending on the IAM permissions we have set, specifying the version can be mandatory: if the policy only allows GetSecretValue when the request names a given version stage, as in the example below, the stage has to be set explicitly even though AWSCURRENT is what the call would use by default:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "secretsmanager:VersionStage": "AWSCURRENT"
        }
      },
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:us-west-2:123456789876:secret:/demo-user-*"
    }
  ]
}
```
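To see what a policy like the one above means for each remoteRef, here is an added Python check (it is not part of the post nor of the External Secrets Operator) that models the ForAnyValue:StringEquals condition on secretsmanager:VersionStage: a request that carries no VersionStage, because the version was omitted or a uuid/ VersionId was used instead, cannot satisfy it. The policy and the entries are built from the two snippets above; the UUID is a placeholder and Resource matching is assumed to succeed.

```python
import json

# Constructed sample: the IAM policy from the post, which only allows AWSCURRENT.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Action": ["secretsmanager:GetSecretValue"],
  "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}},
  "Effect": "Allow",
  "Resource": "arn:aws:secretsmanager:us-west-2:123456789876:secret:/demo-user-*"}]}""")

# Constructed sample: the ExternalSecret data entries above, plus one with no
# version and one pinned to a placeholder uuid/ version.
REF = {"key": "/example/key", "property": "demo"}
ENTRIES = [
    {"secretKey": "demo-current", "remoteRef": {**REF, "version": "AWSCURRENT"}},
    {"secretKey": "demo-previous", "remoteRef": {**REF, "version": "AWSPREVIOUS"}},
    {"secretKey": "demo-default", "remoteRef": REF},
    {"secretKey": "demo-pinned", "remoteRef": {**REF, "version": "uuid/00000000-0000-0000-0000-000000000000"}},
]


def required_stages(policy):
    """Stages an Allow statement for GetSecretValue insists on; None if some
    Allow statement has no VersionStage condition (any version is fine)."""
    stages = set()
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "secretsmanager:GetSecretValue" not in actions:
            continue
        wanted = st.get("Condition", {}).get("ForAnyValue:StringEquals", {}).get("secretsmanager:VersionStage")
        if wanted is None:
            return None
        stages.update([wanted] if isinstance(wanted, str) else wanted)
    return stages

def check_entries(policy, entries):
    """Map each secretKey to 'allow' or a denial reason. Only the VersionStage
    condition is modelled; the Resource ARN is assumed to match."""
    stages = required_stages(policy)
    verdicts = {}
    for e in entries:
        version = e["remoteRef"].get("version")
        if stages is None or version in stages:
            verdicts[e["secretKey"]] = "allow"
        elif version is None:  # no stage in the request, so ForAnyValue has nothing to match
            verdicts[e["secretKey"]] = "deny: no version set, request carries no VersionStage"
        elif version.startswith("uuid/"):  # a VersionId request carries no VersionStage either
            verdicts[e["secretKey"]] = "deny: uuid/ selects a VersionId, not a VersionStage"
        else:
            verdicts[e["secretKey"]] = f"deny: stage {version} not in {sorted(stages)}"
    return verdicts
```

Running check_entries(POLICY, ENTRIES) allows only demo-current; the AWSPREVIOUS, unversioned and uuid/ entries are all denied under this policy, so a policy that should also serve the previous version needs AWSPREVIOUS added to the condition's value list.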

Posted on 11/01/2023