Comments (12)
What happens if you provide "@" as path?
I don't have it installed, I was just looking at issues for potential show stoppers, so I can't test. According to the docs and my tests on https://jmespath.org/, "@" should return the secret as is. Does it?
Hi @bgdnlp, I just tried your suggested workaround and I'm getting the following error:
MountVolume.SetUp failed for volume "secrets-store01-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod xxxx/ubuntu-cli, err: rpc error: code = Unknown desc = Invalid JMES search result type for path:@. Only string is allowed.
from secrets-store-csi-driver-provider-aws.
If you're not "forced" to use this solution, have a look at https://external-secrets.io which does exactly that, in a far more elegant way. This seems way too complicated to maintain.
@cbalan23, two problems with external-secrets.io:
1. It needs to store the AWS ASM reader user's key and secret in a Secret, which is not recommended.
2. AWS role and assume-role support is not available, which is the way enterprise accounts deal with it.
@sharmavijay86 it does support IRSA (IAM Roles for Service Accounts). See the bottom of this page.
Hi folks! Has anyone got any idea on this? We have the same use case and have been struggling for a very long time. Any clue or reference would be appreciated, please!
I am also looking for the solution. Thanks, @bgdnlp. But your solution is probably not working, since you also need to add all the keys to spec.secretObjects.data.
Well, no, that's the point: if you want all the keys, "@" should return all the keys. If you want a subset, then yes, you need to specify them, of course. Did anyone try? Does it complain about something?
I saw a PR opened on the driver side to add this feature, but to use this feature the provider side may have to change as well.
Same here, it's really painful to sync by hand and extract every key from the Secrets Manager JSON.
There seems to be a feature request for this in the Secrets Store repo; we're waiting on them to implement it.
@cryptk I'm doing something similar to create a secret needed for ArgoCD
Warning FailedToCreateSecret 18s (x14 over 59s) csi-secrets-store-controller failed to get data in spc argocd/github-cartesi-corp-repo-creds for secret repo-creds, err: file matching objectName type not found in the pod
apiVersion: secrets-store.csi.x-k8s.io/v1   # was "ApiVersion"; Kubernetes field names are case-sensitive
kind: SecretProviderClass
metadata:
  name: github-repo-creds
  namespace: argocd
spec:
  parameters:
    provider: aws
    # Each jmesPath entry extracts one key of the JSON secret into its own mounted file (objectAlias)
    objects: |2
      - objectName: "repo-creds"
        objectType: "secretsmanager"
        jmesPath:
          - path: "type"
            objectAlias: "type"
          - path: "url"
            objectAlias: "url"
          - path: "githubAppID"
            objectAlias: "githubAppID"
          - path: "githubAppInstallationID"
            objectAlias: "githubAppInstallationID"
          - path: "githubAppPrivateKey"
            objectAlias: "githubAppPrivateKey"
  # Sync the mounted files into a Kubernetes Secret; objectName must match an objectAlias above
  secretObjects:
    - data:
        - key: type
          objectName: type
        - key: url
          objectName: url
        - key: githubAppID
          objectName: githubAppID
        - key: githubAppInstallationID
          objectName: githubAppInstallationID
        - key: githubAppPrivateKey
          objectName: githubAppPrivateKey
      labels:
        argocd.argoproj.io/secret-type: repo-creds
      secretName: repo-creds
Inside the container, I can only see the file containing the secret in JSON format.
I expected to have a file for each key:
cat /var/run/secrets/argocd/repo-creds | jq
{
  "type": "git",
  "url": "https://github.com/my-org",
  "githubAppID": 123,
  "githubAppInstallationID": 456,
  "githubAppPrivateKey": "-----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----"
}
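Worked check for the two failure modes this thread runs into, added here as an example; it is not code from secrets-store-csi-driver-provider-aws or from any commenter. The provider evaluates every jmesPath "path" against the parsed secret with go-jmespath and rejects any result that is not a string, which is why "@" (the whole JSON object) produces the "Only string is allowed" error quoted above, and why integer-valued keys such as githubAppID (123) in the last comment would fall under the same rule. The script below implements a small stand-in subset of JMESPath ("@", dotted identifier paths, quoted identifiers for keys containing "-", and to_string(...)), applies the string-only rule to a constructed sample secret, and generates one jmesPath entry plus one secretObjects.data entry per top-level key so nothing has to be synced by hand. to_string() is a standard JMESPath function that go-jmespath implements; whether your installed provider release accepts it in "path" is an assumption to verify. The function names check_objects, generate_entries and search are hypothetical.

```python
"""Stand-in checker for secrets-store-csi-driver-provider-aws jmesPath entries.

Added example, not the provider's code. The provider evaluates each `path`
with go-jmespath and rejects any result that is not a string
("Invalid JMES search result type ... Only string is allowed"). This script
applies the same rule to a constructed secret so a SecretProviderClass can be
sanity-checked before it is applied. Only a small JMESPath subset is
implemented: `@`, dotted identifier paths (quoted "..." when a key contains
'-'), and to_string(<path>). Real JMESPath is far larger than this.
"""
import json
import re

# Constructed sample in the shape of the ArgoCD repo-creds secret from the thread.
# Note the integer IDs: the AWS console stores them as numbers if typed unquoted.
SAMPLE_SECRET = json.dumps({
    "type": "git",
    "url": "https://github.com/my-org",
    "githubAppID": 123,
    "githubAppInstallationID": 456,
    "githubAppPrivateKey": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----",
    "api-token": "abc",  # constructed hyphenated key; must be quoted in JMESPath
})

_SEG = re.compile(r'"([^"]*)"|([A-Za-z_][A-Za-z0-9_]*)')
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _walk(node, path):
    """Follow a dotted identifier path; a missing key yields None like JMESPath."""
    pos = 0
    while pos < len(path):
        m = _SEG.match(path, pos)
        if not m:
            raise ValueError(f"cannot parse identifier at {path[pos:]!r}")
        key = m.group(1) if m.group(1) is not None else m.group(2)
        node = node.get(key) if isinstance(node, dict) else None
        pos = m.end()
        if pos < len(path):
            if path[pos] != ".":  # e.g. an unquoted '-' in api-token lands here
                raise ValueError(f"unexpected {path[pos]!r} in {path!r}")
            pos += 1
    return node


def search(path, data):
    """Tiny JMESPath subset: '@', identifier paths, and to_string(expr)."""
    path = path.strip()
    if path == "@":
        return data
    m = re.fullmatch(r"to_string\((.*)\)", path)
    if m:
        val = search(m.group(1), data)
        # JMESPath to_string: strings pass through, anything else is JSON-encoded
        return val if isinstance(val, str) else json.dumps(val)
    return _walk(data, path)


def check_objects(secret_value, jmes_entries):
    """Mirror the provider's rule: every jmesPath result must be a string.

    Returns ({objectAlias: value} for entries that would mount,
             {objectAlias: reason} for entries the provider would reject).
    """
    data = json.loads(secret_value)
    ok, bad = {}, {}
    for entry in jmes_entries:
        alias, path = entry["objectAlias"], entry["path"]
        try:
            result = search(path, data)
        except ValueError as exc:
            bad[alias] = f"parse error: {exc}"
            continue
        if isinstance(result, str):
            ok[alias] = result
        else:
            bad[alias] = (f"Invalid JMES search result type for path:{path}. "
                          f"Only string is allowed (got {type(result).__name__})")
    return ok, bad


def generate_entries(secret_value):
    """Emit one jmesPath entry and one secretObjects.data entry per top-level key.

    Non-string values are wrapped in to_string(); keys that are not plain
    identifiers are quoted. json.dumps() the results to paste into the SPC
    (YAML accepts JSON flow syntax).
    """
    data = json.loads(secret_value)
    jmes, secret_data = [], []
    for key, val in data.items():
        ident = key if _IDENT.fullmatch(key) else json.dumps(key)
        path = ident if isinstance(val, str) else f"to_string({ident})"
        jmes.append({"path": path, "objectAlias": key})
        secret_data.append({"key": key, "objectName": key})
    return jmes, secret_data


# The thread's approach: the '@' shortcut plus raw key names.
NAIVE_ENTRIES = [
    {"path": "@", "objectAlias": "whole-secret"},
    {"path": "type", "objectAlias": "type"},
    {"path": "githubAppID", "objectAlias": "githubAppID"},
    {"path": "api-token", "objectAlias": "api-token"},
]

# Corrected: cast numbers with to_string(), quote hyphenated keys.
FIXED_ENTRIES = [
    {"path": "type", "objectAlias": "type"},
    {"path": "to_string(githubAppID)", "objectAlias": "githubAppID"},
    {"path": '"api-token"', "objectAlias": "api-token"},
]

if __name__ == "__main__":
    for label, entries in (("naive", NAIVE_ENTRIES), ("fixed", FIXED_ENTRIES)):
        ok, bad = check_objects(SAMPLE_SECRET, entries)
        print(label, "mounts:", ok)
        print(label, "rejected:", bad)
    print(json.dumps(generate_entries(SAMPLE_SECRET), indent=2))
```

Run it against a copy of your real secret value (fetched with `aws secretsmanager get-secret-value` into a file, never pasted into the repo) to see which entries the provider would reject before you redeploy the pod; the stand-in evaluator is deliberately strict, so anything more complex than identifier paths and to_string() should be checked on https://jmespath.org/ instead.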