Comments (11)
I think this would be a very useful feature: we could extract individual key/value pairs from an SSM parameter or Secrets Manager secret and sync the k8s secret dynamically.
Example from Vault: https://www.vaultproject.io/docs/platform/k8s/csi/examples#environment-variable-dynamic-database-credentials.
Without this feature, I can't figure out how to work around it if we want to put all key/value pairs under one single SSM parameter or Secrets Manager secret and then ingest them into environment variables separately via secretKeyRef or envFrom.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
spec:
  provider: vault
  secretObjects:
    - secretName: vault-db-creds-secret
      type: Opaque
      data:
        - objectName: dbUsername # References dbUsername below
          key: username          # Key within k8s secret for this value
        - objectName: dbPassword
          key: password
  parameters:
    roleName: "app"
    vaultAddress: "https://vault.vault:8200"
    vaultCACertPath: "/vault/tls/ca.crt"
    objects: |
      - objectName: "dbUsername"
        secretPath: "database/creds/db-app"
        secretKey: "username"
      - objectName: "dbPassword"
        secretPath: "database/creds/db-app"
        secretKey: "password"
from secrets-store-csi-driver-provider-aws.
Pretty much this is what I was expecting to be supported off the shelf with this plugin. Most of our AWS Secrets are stored within a JSON structure so I was hoping we could feed environment variables automatically after breaking them down. Unfortunately, we'd need to split up the JSON object into smaller pieces with a single key if we ever wanted to use this feature.
Feature has been launched - #33
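To make the "launched" behaviour concrete, here is an added example (not taken from the issue thread or from the provider's own documentation) of what the requested split looks like with the AWS provider: one Secrets Manager secret holding a JSON document is broken into per-key objects with jmesPath, the driver mirrors those objects into a Kubernetes Secret, and a pod reads each key through secretKeyRef. The secret name prod/db-creds, the service account app-sa, the image and the alias names are placeholders; the jmesPath/objectAlias layout and the secrets-store.csi.x-k8s.io/v1 API version are assumed to match the provider and driver versions that carry this feature.

```yaml
# Added example, not code from the issue or the provider's docs.
# Assumption: the Secrets Manager secret "prod/db-creds" holds a JSON value
# such as {"username": "...", "password": "..."} (placeholder name).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-db-creds
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/db-creds"        # Secrets Manager secret (placeholder)
        objectType: "secretsmanager"
        jmesPath:                          # provider-side: split the JSON value
          - path: username                 # JMESPath query into the secret's JSON
            objectAlias: dbUsername        # file name under the mount, referenced below
          - path: password
            objectAlias: dbPassword
  secretObjects:                           # driver-side: mirror mounted files into a k8s Secret
    - secretName: aws-db-creds-secret
      type: Opaque
      data:
        - objectName: dbUsername           # must match the objectAlias above
          key: username                    # key inside the Kubernetes Secret
        - objectName: dbPassword
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  serviceAccountName: app-sa               # placeholder; its IAM role needs GetSecretValue
  containers:
    - name: app
      image: example.com/app:1.0           # placeholder image
      env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: aws-db-creds-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: aws-db-creds-secret
              key: password
      volumeMounts:
        - name: secrets                    # the CSI volume must be mounted, or nothing is synced
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.x-k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-db-creds
```

Two caveats a practitioner will hit: the Kubernetes Secret aws-db-creds-secret only comes into existence after a pod actually mounts the CSI volume (secret syncing also has to be enabled in the driver installation, syncSecret.enabled in its Helm chart), so a pod that references it only through env and never mounts the volume will fail to start; and once synced, the values live in etcd like any other Secret, so encryption at rest and RBAC on that Secret matter just as much as the IAM policy on the Secrets Manager side.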
Thank you for your feedback. Please note that the AWS provider is a plugin to the Secrets Store CSI driver and as such provides secrets to the driver. The driver itself is responsible for getting these secrets into K8s secrets and variables. Any feature like this would have to extract a single value and store that as the mounted secret and pass only that extracted value to the driver.
We have noted this as a feature request.
valueFrom.secretKeyRef.name and valueFrom.secretKeyRef.value. It would be super useful to have compatibility with existing ways to reference K8S Secrets.
@pierluigilenoci by any chance, did you take the time to check the link I put when opening this? The one responsible for providing the string back to the CSI driver is the provider, not the driver itself; the driver already supports it, as noted in the VAULT provider:
https://github.com/hashicorp/vault-csi-provider/blob/master/internal/provider/provider.go#L151
So, it seems it is the PROVIDER's responsibility to be able to support complex keys and pass them as simple keys back to the driver, which is what is being requested. We are not requesting the driver to support complex keys; we are asking the 'provider' to handle complex keys and send them back to the driver as 'simple keys', the same way the 'vault provider' does.
Guys, I want to point out that this is just the AWS provider for the Kubernetes Secrets Store CSI Driver. The feature request to support complex keys must be made in the driver repo, not here.
@marcelobartsch however, this provider is quite young (2 months) and still lacks many features (the helm chart, just to give an example). The most constructive thing to do is give the developers time to implement them, or do a PR yourself to supplement what is missing.
@pierluigilenoci if my Golang was good I would, but my Golang is as good as my Sanskrit :D so I put the FR here, not to be fixed right now, but to be kept in mind, and if at some point I manage to get a bit fluent in Golang I will make a PR, but don't keep your hopes high :D :D :D :D
Considering this is done directly in the vault provider already, it would be really nice to have this done in the aws provider as well without waiting for it to be standardized across all providers. I consider this issue a blocker in using the driver in general because it requires making many more parameters than we normally would. For example, we'd like to keep a docker registry username and password in the same SSM parameter but broken out into separate variables/files for the application to consume.