
Comments (11)

david74chou commented on May 24, 2024 (4)

I think this would be a very useful feature: we could extract individual key/value pairs from an SSM parameter or a Secrets Manager secret and sync the k8s Secret dynamically.

Example from Vault: https://www.vaultproject.io/docs/platform/k8s/csi/examples#environment-variable-dynamic-database-credentials.

Without this feature, I can't figure out a workaround if we want to put all key/value pairs under one single SSM parameter or Secrets Manager secret and then ingest them into environment variables separately via secretKeyRef or envFrom.

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
spec:
  provider: vault
  secretObjects:
  - secretName: vault-db-creds-secret
    type: Opaque
    data:
    - objectName: dbUsername # References dbUsername below
      key: username          # Key within k8s secret for this value
    - objectName: dbPassword
      key: password
  parameters:
    roleName: "app"
    vaultAddress: "https://vault.vault:8200"
    vaultCACertPath: "/vault/tls/ca.crt"
    objects: |
      - objectName: "dbUsername"
        secretPath: "database/creds/db-app"
        secretKey: "username"
      - objectName: "dbPassword"
        secretPath: "database/creds/db-app"
        secretKey: "password"

from secrets-store-csi-driver-provider-aws.

kitos9112 commented on May 24, 2024 (4)

This is pretty much what I was expecting to be supported off the shelf with this plugin. Most of our AWS secrets are stored within a JSON structure, so I was hoping we could feed environment variables automatically after breaking them down. Unfortunately, we'd need to split up the JSON object into smaller pieces with a single key each if we ever wanted to use this feature.

lasred commented on May 24, 2024 (3)

The feature has been launched: #33

joebaro commented on May 24, 2024 (2)

Thank you for your feedback. Please note that the AWS provider is a plugin to the Secrets Store CSI driver and, as such, provides secrets to the driver. The driver itself is responsible for getting these secrets into K8s Secrets and variables. Any feature like this would have to extract a single value, store that as the mounted secret, and pass only that extracted value to the driver.

We have noted this as a feature request.

dontspamterry commented on May 24, 2024 (1)

👍 on this feature request. Running into the same issue as well. I was hoping to integrate this with an existing Helm chart that expects an Opaque Secret with key/value pairs accessed via valueFrom.secretKeyRef.name and valueFrom.secretKeyRef.value. It would be super useful to have compatibility with existing ways of referencing K8s Secrets.

marcelobartsch commented on May 24, 2024 (1)

@pierluigilenoci by any chance, did you take the time to check the link I put in when I opened this? The one responsible for providing the string back to the CSI driver is the provider, not the driver itself; the driver already supports it, as noted in the Vault provider:

https://github.com/hashicorp/vault-csi-provider/blob/master/internal/provider/provider.go#L151

So it seems it is the PROVIDER's responsibility to support complex keys and pass them as simple keys back to the driver, which is what is being requested. We are not requesting that the driver support complex keys; we are asking the 'provider' to handle complex keys and send them back to the driver as 'simple keys', the same way the 'vault provider' does.

adriantaut commented on May 24, 2024

👍 for this feature. Unfortunately, we are deploying some third-party Docker containers, and passing a JSON dictionary as an environment variable simply doesn't fit the containers' needs.

pierluigilenoci commented on May 24, 2024

Guys, I want to point out that this is just the AWS provider for the Kubernetes Secrets Store CSI Driver. The feature request to support complex keys must be made in the driver repo, not here.

pierluigilenoci commented on May 24, 2024

@marcelobartsch however, this provider is quite young (2 months) and still lacks many features (the Helm chart, just to give an example). The most constructive thing to do is to give the developers time to implement them or to open a PR yourself to supplement what is missing. 😘

marcelobartsch commented on May 24, 2024

@pierluigilenoci if my Golang were good I would, but my Golang is as good as my Sanskrit :D so I put the FR here, not to be fixed right now, but to be kept in mind, and if at some point I manage to get a bit fluent in Golang I will make a PR, but don't keep your hopes high :D :D :D :D

mmerickel commented on May 24, 2024

Considering this is done directly in the Vault provider already, it would be really nice to have this done in the AWS provider as well without waiting for it to be standardized across all providers. I consider this issue a blocker to using the driver in general, because it requires creating many more parameters than we normally would. For example, we'd like to keep a Docker registry username and password in the same SSM parameter but broken out into separate variables/files for the application to consume.
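The per-key extraction this thread asks for, written out as an added example (editor's example, not code from the thread or from the provider's repository): a SecretProviderClass for the AWS provider that uses the provider's jmesPath object option (documented in the provider's README; the thread itself never names it) to pull username and password out of one JSON secret and sync them into a Kubernetes Secret, followed by a Pod that consumes them through secretKeyRef, which is exactly the shape the Vault example above produces. The secret name db-creds, the service account app, the IAM role behind it and the container image are assumed placeholders.

```yaml
# Added example, not from the thread or the provider's repo.
# Assumed: a Secrets Manager secret named "db-creds" whose value is
# {"username": "...", "password": "..."}, an IAM role bound to the "app"
# service account that allows secretsmanager:GetSecretValue on it, and a
# driver installed with syncSecret.enabled=true (required for secretObjects).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-db-creds
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "db-creds"          # whole JSON is also mounted under this name
        objectType: "secretsmanager"
        jmesPath:
          - path: username              # JMESPath expression into the JSON value
            objectAlias: dbUsername     # mounted as a file named dbUsername
          - path: password
            objectAlias: dbPassword
  secretObjects:
  - secretName: aws-db-creds-secret     # k8s Secret the driver creates and keeps in sync
    type: Opaque
    data:
    - objectName: dbUsername            # must match an objectAlias above
      key: username                     # key inside the k8s Secret
    - objectName: dbPassword
      key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  serviceAccountName: app               # assumed: bound to the IAM role (IRSA)
  containers:
  - name: app
    image: example.com/app:1.0          # placeholder image
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: aws-db-creds-secret
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: aws-db-creds-secret
          key: password
    volumeMounts:
    - name: secrets                     # the CSI volume must be mounted, or no sync happens
      mountPath: /mnt/secrets
      readOnly: true
  volumes:
  - name: secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: aws-db-creds
```

Two checks worth running before relying on this: the driver only creates aws-db-creds-secret while a pod actually mounts the CSI volume, so a workload that uses secretKeyRef without the volume fails with a missing Secret, and sync must have been enabled when the driver was installed. The full JSON value is still mounted as a file named after objectName next to the extracted files, so keep the mount read-only, and once synced the values sit base64-encoded in etcd and are readable by anyone with get on Secrets in that namespace; scope RBAC accordingly.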
