
Comments (12)

riosje commented on May 24, 2024 (2)

What happens if you provide @ as path?

I don't have it installed, I was just looking at issues for potential show stoppers, so I can't test. According to the docs and my tests on https://jmespath.org/, @ should return the secret as is. Does it?

Hi @bgdnlp, I just tried your suggested workaround and I'm getting the following error:
MountVolume.SetUp failed for volume "secrets-store01-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod xxxx/ubuntu-cli, err: rpc error: code = Unknown desc = Invalid JMES search result type for path:@. Only string is allowed.

from secrets-store-csi-driver-provider-aws.

cbalan23 commented on May 24, 2024 (1)

If you're not "forced" to use this solution, have a look at https://external-secrets.io which does exactly that, in a far more elegant way. This seems way too complicated to maintain.


cbalan23 commented on May 24, 2024 (1)

@cbalan23 two problems with external-secrets.io:
1- It needs to store the AWS ASM reader user's key and secret in a Secret, which is not recommended.
2- AWS role and assume-role support is not available, which is the way enterprise accounts work.

@sharmavijay86 it does support IRSA (IAM Roles for Service Accounts). See the bottom of this page.


sharmavijay86 commented on May 24, 2024

Hi Folks! Anyone got any idea on this? We have the same use case and have been struggling for a very long time. Any clue or reference would be appreciated, please!


sharmavijay86 commented on May 24, 2024

@cbalan23 two problems with external-secrets.io:
1- It needs to store the AWS ASM reader user's key and secret in a Secret, which is not recommended.
2- AWS role and assume-role support is not available, which is the way enterprise accounts work.


bgdnlp commented on May 24, 2024

What happens if you provide @ as path?

I don't have it installed, I was just looking at issues for potential show stoppers, so I can't test. According to the docs and my tests on https://jmespath.org/, @ should return the secret as is. Does it?


jim-hm commented on May 24, 2024

I am also looking for the solution. Thanks, @bgdnlp. But your solution is probably not working, since you also need to add all the keys to spec.secretObjects.data.


bgdnlp commented on May 24, 2024

Well, no, that's the point: if you want all the keys, @ should return all the keys. If you want a subset, then yes, you need to specify them, of course. Did anyone try? Does it complain about something?


jim-hm commented on May 24, 2024

I saw a PR opened on the driver side to add this feature, but to use this feature the provider side may change as well.


scalp42 commented on May 24, 2024

Same here, it's really painful to sync by hand and extract every key from Secrets Manager JSON.


simonmarty commented on May 24, 2024

There seems to be a feature request for this in the Secret Store repo, we're waiting on them to implement it.


endersonmaia commented on May 24, 2024

@cryptk I'm doing something similar to create a secret needed for ArgoCD:

  Warning  FailedToCreateSecret  18s (x14 over 59s)  csi-secrets-store-controller  failed to get data in spc argocd/github-cartesi-corp-repo-creds for secret repo-creds, err: file matching objectName type not found in the pod

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: github-repo-creds
  namespace: argocd
spec:
  parameters:
    provider: aws
    objects: |2
      - objectName: "repo-creds"
        objectType: "secretsmanager"
        jmesPath:
          - path: "type"
            objectAlias: "type"
          - path: "url"
            objectAlias: "url"
          - path: "githubAppID"
            objectAlias: "githubAppID"
          - path: "githubAppInstallationID"
            objectAlias: "githubAppInstallationID"
          - path: "githubAppPrivateKey"
            objectAlias: "githubAppPrivateKey"
  secretObjects:
    - data:
      - key: type
        objectName: type
      - key: url
        objectName: url
      - key: githubAppID
        objectName: githubAppID
      - key: githubAppInstallationID
        objectName: githubAppInstallationID
      - key: githubAppPrivateKey
        objectName: githubAppPrivateKey
      labels:
        argocd.argoproj.io/secret-type: repo-creds
      secretName: repo-creds

Inside the container, I can only see the file containing the secret in JSON format.

I expected to have a file for each key:

cat /var/run/secrets/argocd/repo-creds | jq
{
  "type": "git",
  "url": "https://github.com/my-org",
  "githubAppID": 123,
  "githubAppInstallationID": 456,
  "githubAppPrivateKey": "-----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----"
}

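The two errors quoted in this thread ("Invalid JMES search result type for path:@. Only string is allowed." and "file matching objectName type not found in the pod") both come from validation rules that are easy to reproduce offline. The script below is an added illustration, not code from the secrets-store-csi-driver-provider-aws project or from any commenter: it parses a constructed secret value (modelled on the JSON shown in the `cat | jq` output above, private key body elided), evaluates each jmesPath entry with a deliberately small JMESPath subset (`@` and dot-separated identifiers; the real provider uses a full JMESPath library), applies the string-only rule from the first error, and then checks that every `secretObjects.data[].objectName` refers to a mounted file, which is the condition behind the second error. The function names and the `("ok" | "error", value)` report shape are this example's own assumptions. Note what the simulation shows for the sample JSON: `@` is rejected because it returns an object, and `githubAppID` / `githubAppInstallationID` are rejected because they are numbers, not strings.

```python
import json

# Constructed sample input, modelled on the JSON value shown in the thread's
# `cat /var/run/secrets/argocd/repo-creds | jq` output (key body elided).
SAMPLE_SECRET = json.dumps({
    "type": "git",
    "url": "https://github.com/my-org",
    "githubAppID": 123,
    "githubAppInstallationID": 456,
    "githubAppPrivateKey": "-----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----",
})


class ProviderError(ValueError):
    """Raised where the real provider would return an rpc error and fail the mount."""


def evaluate_path(path, doc):
    """Evaluate a deliberately small JMESPath subset (an assumption of this example,
    not the provider's evaluator): '@' is the current node, and dot-separated
    identifiers such as 'a.b' descend into nested objects. A missing key yields
    None, mirroring JMESPath's null result."""
    path = path.strip()
    if path == "@":
        return doc
    current = doc
    for part in path.split("."):
        if part == "@":
            continue
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def check_entries(secret_string, jmes_entries):
    """Evaluate every jmesPath entry and report, per objectAlias, either the
    string that would be written to the mount or the rejection reason.
    The string-only rule reproduces the error text quoted in the thread."""
    doc = json.loads(secret_string)
    report = {}
    for entry in jmes_entries:
        path, alias = entry["path"], entry["objectAlias"]
        result = evaluate_path(path, doc)
        if isinstance(result, str):
            report[alias] = ("ok", result)
        else:
            report[alias] = ("error", "Invalid JMES search result type for path:"
                             f"{path}. Only string is allowed.")
    return report


def mount_secret(secret_string, jmes_entries):
    """Provider-style behaviour: the first non-string result fails the whole mount,
    otherwise return the alias -> file-content mapping that would be written."""
    files = {}
    for alias, (status, value) in check_entries(secret_string, jmes_entries).items():
        if status == "error":
            raise ProviderError(value)
        files[alias] = value
    return files


def sync_secret(mounted_files, secret_object):
    """Build the Kubernetes Secret data the driver would create from one
    secretObjects entry. Every data[].objectName must name a mounted file;
    a reference to a file that was never produced is the
    'file matching objectName ... not found in the pod' condition."""
    data = {}
    for item in secret_object["data"]:
        name = item["objectName"]
        if name not in mounted_files:
            raise ProviderError(f"file matching objectName {name} not found in the pod")
        data[item["key"]] = mounted_files[name]
    return {"secretName": secret_object["secretName"], "data": data}


if __name__ == "__main__":
    # Per-path report for the SecretProviderClass entries shown in the thread,
    # plus the '@' workaround suggested earlier in the discussion.
    entries = [{"path": p, "objectAlias": p} for p in
               ("type", "url", "githubAppID", "githubAppInstallationID", "githubAppPrivateKey")]
    entries.append({"path": "@", "objectAlias": "all"})
    for alias, (status, value) in check_entries(SAMPLE_SECRET, entries).items():
        print(f"{alias:24s} {status:5s} {value if status == 'error' else '(string ok)'}")
```

Running the block prints one line per alias; the string-valued keys pass, the numeric ones and `@` carry the provider's error text. `sync_secret` is kept separate from `mount_secret` because the driver, not the provider, performs the Secret sync, and it only ever sees the files the provider actually produced.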
