AWS/ParameterStore Provider: Ability to add a path prefix to a SecretStore

[alanraison]

Describe the solution you'd like
Add a parameter which would automatically add a prefix to the paths of requested secrets in Parameter Store.

What is the added value?
This would allow easier portability of manifests, which look for secrets in paths, between environments using the same AWS account. For example, one SecretStore could be configured to provide secrets from parameters with the prefix /dev/my-app and another could be configured to provide them from /test/my-app and then ExternalSecrets could be configured to look for db-password and just change the SecretStore in which the value is being looked up.

Give us examples of the outcome

For the above example, assuming ParameterStore SecureString values in /dev/my-app/db-password and /test/my-app/db-password;

Dev SecretStore:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: dev-secrets
spec:
  provider:
    aws:
      service: ParameterStore
      region: eu-west-2
      role: arn:aws:iam::####
      prefix: /dev/my-app/

Test SecretStore:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: test-secrets
spec:
  provider:
    aws:
      service: ParameterStore
      region: eu-west-2
      role: arn:aws:iam::####
      prefix: /test/my-app/

ExternalSecret:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: secrets
spec:
  secretStoreRef:
    name: dev-secrets # or test-secrets
    kind: SecretStore
  data:
    - secretKey: dbPassword
      remoteRef:
        key: dbPassword # automatically prefixes with /dev/my-app/

Observations (Constraints, Context, etc):

I don't have experience of Secrets Manager, so not sure whether this would be useful for that provider.

[alanraison]

I realise that ExternalSecrets are already an abstraction over where secrets are stored, but it seems that the SecretStore is an obvious location to add this extra functionality, especially since this is where the role is applied, and the role could allow access to a specific parameter prefix.

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity.

[joaocc]

@alanraison did you manage t get any workaround for this need? I was thinking on whether it would be better to open a new case.
I believe we have a similar need, where we have multiple subsets of a SSM-PS in a single account/region used by multiple tenants.
Being able to specify that a specific SecretStore or ClusterSecretStore is always relative to a certain prefix would make our life much easier, as all references of the store could become oblivious of which is the specific path they are relative to.
This is a particularity of the fact that SSM-PS is a large flat namespace (when compared for instance with Azure KeyVault where we can have a vault per tenant).
Thanks

[Skarlso]

This shouldn't be too hard to add. I'll take a look.

[Skarlso]

This prefix will be added to everything where a name is used. Or if there is a path used in externalSecrets. This prefix will be appended to it as is. And because the prefix doesn't necessarily contain a /, it might end in -, which means if someone forgets to add an ending trailing something, it will be merged weirdly. :)

[Skarlso]

Also, I'm obviously not going to add the prefix if regex is used.

[joaocc]

the workaround we implemented for this was to fetch all parameters under a specific path to a secret in kubernetes, and use the kubernetes provider to fetch data from there. It has some drawbacks, but serves the purpose of allowing "leaf" ExternalSecrets to be oblivious of the prefix.
If the prefix is implemented at the store level, then all checks and regexp at the level of external-secrets should probably only refer the non-prefix part, as doing otherwise would mean breaking the "abstraction" provided by store-prefix.
Thx

[aprohorov-callsign]

also think this feature is useful. We have secrets paths like:

/clusterA/appSecret
/clusterB/appSecret

And IAM roles allow to read secrets correspobdently. And we cannot use

  dataFrom:
    - find:
        name:
          regexp: "appSecret"

because if failed with:
arn:aws:sts::111222333:assumed-role/clusterA-role is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:111222333:parameter/clusterB/appSecret

And from the cluster we don't know the actual cluster name nor able to use variables in the providerKey path like:

  data:
    - secretKey: secret
      remoteRef:
        key: "/{{ .secretStore.metadata.labels.clusterName }}/appSecret"
        property: secret

[Skarlso]

sorry, I've been super busy to finish this. :D hopefully I'll be able to take care of this soon-ish.