PushSecret to AWS Secrets Manager: stored as Base64, results in AWS GUI error

[tabnul]

Describe the solution you'd like
When we push a secret to AWS Secrets Manager, we are unable to view it in the AWS Gui. It results in an error such as;
"The secret value can't be converted to key name and value pairs."
Plaintext tab is empty.

Input YAML:

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-example # Customisable
  namespace: teamb # Same of the SecretStores
spec:
  deletionPolicy: Delete
  refreshInterval: 10s # Refresh interval for which push secret will reconcile
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: teamb-secret-store
      kind: SecretStore
  selector:
    secret:
      name: my-secret # Source Kubernetes secret to be pushed
  data:
    - match:
        secretKey: key1 # Source Kubernetes secret key to be pushed
        remoteRef:
          remoteKey: teamb-my-first-parameter-3 # Remote reference (where the secret is going to be pushed)

Give us examples of the outcome
Outcome:

In the network trace i do see that it is retrieving the secret in the AJAX call. It seems to be stored as base64 which the AWS Gui is unable to parse correctly.

Example from network trace which does not show (created through pushsecret);

{
	"ARN": "XXXX",
	"CreatedDate": 1671028960.515,
	"Name": "teamb-my-first-parameter-2",
	"SecretBinary": "eyJzdXBlcmtleSI6ICJzdXBlcnNlY3JldCJ9",
	"VersionId": "589B08B0-671D-4CA6-8419-CD14398AB466",
	"VersionStages": [
		"AWSCURRENT"
	]
}

Example from network trace which does work (manually created);

{
	"ARN": "XXXX",
	"CreatedDate": 1671017643.281,
	"Name": "teamb-kv",
	"SecretString": "{\"key1\":\"value123\",\"key2\":\"value456\"}",
	"VersionId": "60c6e342-7aa0-4a2e-8ed8-2eaefafa7504",
	"VersionStages": [
		"AWSCURRENT"
	]
}

Observations (Constraints, Context, etc):

EKS 1.22

[moolen]

unable to view it in the AWS Gui

This is purely an issue with AWS GUI which is only able to show json-encoded key-value pairs (no nested structures). It is base64 encoded on the wire by the sdk. When you retrieve the value it is the actual non-encoded value.

See details in the doc comments here.

	// The binary data to encrypt and store in the new version of the secret. To
	// use this parameter in the command-line tools, we recommend that you store
	// your binary data in a file and then pass the contents of the file as a parameter.
	//
	// You must include SecretBinary or SecretString, but not both.
	//
	// You can't access this value from the Secrets Manager console.
	//
	// SecretBinary is a sensitive parameter and its value will be
	// replaced with "sensitive" in string returned by PutSecretValueInput's
	// String and GoString methods.
	//
	// SecretBinary is automatically base64 encoded/decoded by the SDK.

Because we don't know if the value provided is binary or not we use SecretBinary when pushing the secrets to AWS SM. From my POV it would be fine to add a field that allows the user to configure if eso uses SecretBinary or SecretString just to help with the GUI. Are you aware of any other limitations?

[tabnul]

unable to view it in the AWS Gui

This is purely an issue with AWS GUI which is only able to show json-encoded key-value pairs (no nested structures). It is base64 encoded on the wire by the sdk. When you retrieve the value it is the actual non-encoded value.

See details in the doc comments here.

	// The binary data to encrypt and store in the new version of the secret. To
	// use this parameter in the command-line tools, we recommend that you store
	// your binary data in a file and then pass the contents of the file as a parameter.
	//
	// You must include SecretBinary or SecretString, but not both.
	//
	// You can't access this value from the Secrets Manager console.
	//
	// SecretBinary is a sensitive parameter and its value will be
	// replaced with "sensitive" in string returned by PutSecretValueInput's
	// String and GoString methods.
	//
	// SecretBinary is automatically base64 encoded/decoded by the SDK.

Because we don't know if the value provided is binary or not we use SecretBinary when pushing the secrets to AWS SM. From my POV it would be fine to add a field that allows the user to configure if eso uses SecretBinary or SecretString just to help with the GUI. Are you aware of any other limitations?

I havent seen any other limitations. The output using the CLI is exactly the same (binary data)

I think it would make sense to add the option to define the data-type.
This improves compatibility with the provider and the user-experience
(apart from the GUI: if someone wants to re-use the secret in another AWS Service , they can use it as any AWS Secret, instead of a 'special' Secret created via another method)

[gusfcarvalho]

(apart from the GUI: if someone wants to re-use the secret in another AWS Service , they can use it as any AWS Secret, instead of a 'special' Secret created via another method)

I also struggle a bit with that. With this feature the secret in kubernetes will always get resynced into AWS SM, meaning it wouldn't be easy for people anyways to just use it in another AWS service (as it would be refreshed).

Regarding to the secretBinary vs secretString, the kubernetes Secret only works with binaries as input. I personally find it weird wanting to see the end secret in the console, as it would allow people to just tamper with the value, and get upset when the value was overwritten, as again, ESO handles that.

But then again, this could be implemented fairly simply with the secretStore parameters to come. I'm just not sure why we should do it :)

[PG2000]

@gusfcarvalho from my point of view it feels weird to not see the secret value in aws console. The tampering also could happen with the cli too or do im miss something? I personally would prefer to use SecretString instead of SecretBinary.

So i'm wondering if it's worth to bring this into eso and what the preferred way would be?
Should this be a configuration option per secret or per provider?

[dvbthijsvnuland]

@gusfcarvalho from my point of view it feels weird to not see the secret value in aws console. The tampering also could happen with the cli too or do im miss something? I personally would prefer to use SecretString instead of SecretBinary.

So i'm wondering if it's worth to bring this into eso and what the preferred way would be? Should this be a configuration option per secret or per provider?

I agree with this. I understand the technical reasons, but in my opinion the integration is broken (from the perspective of the AWS Secrets Manager service)

[gusfcarvalho]

We need the feature to be fully compatible with the source of the information - in this case, Kubernetes Secrets.

In Kubernetes Secrets, we can store non-string information as binary data (it's the whole point of having it automatically base64-encoded, even if it is done by accident lol).

How would we support binary data push if we choose to only go for SecretString, which really, is us providing a workaround for an AWS bug? 😄

I can only see this working in two ways:

1. Store as SecretString but Base64 encoded instead of the original values (users would be able to see rubbish in the console)
2. add code logic to look up if the k8s Secret can be converted to string, and if it cannot, upload it as a SecretBinary.

Anyone of these solutions won't be user friendly still (as I believe you really don't want to log in the console to see Rubbish information, but rather the information that you've written).

In any case, I don't think we should do it because this is an AWS console bug. We are trying to fix their UI within our code, which means we would couple ourselves with whatever update they do it there (a very bad thing to do software-wise).

[moolen]

I'd be open to add a field to the SecretStore spec to allow users to define the desired behaviour. But for the reasons outlined 👆 by @gusfcarvalho it's hard to choose a sane default:

• either it doesn't work for binary secrets
• or users can't see values in the AWS console

[PG2000]

@gusfcarvalho good points.

What would your idea mean for these cases

A dockerconfigjson secret

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsImVtYWlsIjoiZW1haWwiLCJhdXRoIjoiZFhObGNqcHdZWE56ZDI5eVpBPT0ifX19
kind: Secret
metadata:
  creationTimestamp: null
  name: cicd-docker
type: kubernetes.io/dockerconfigjson

A generic secret from literals

apiVersion: v1
data:
  my-user: c29tZS11c2VybmFtZQ==
kind: Secret
metadata:
  creationTimestamp: "2023-03-08T21:46:08Z"
  name: some-gneric
  namespace: monitoring
  resourceVersion: "22057863"
  uid: 3650193f-9919-48ea-9669-1c1022360c86
type: Opaque

A generic secret from a file:

apiVersion: v1
data:
  my-file.txt: aGVsbG8gd29ybGQK
kind: Secret
metadata:
  creationTimestamp: "2023-03-08T21:47:38Z"
  name: some-generic-from-file
  namespace: monitoring
  resourceVersion: "22058229"
  uid: 51ef5433-3359-4e3c-a6e6-2557f654c1cb
type: Opaque

And a tls secret:

apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNsakNDQVg0Q0NRREpkWmh5dU5sdEJUQU5CZ2txaGtpRzl3MEJBUXNGQURBTk1Rc3dDUVlEVlFRR0V3SkUKUlRBZUZ3MHlNekF6TURneU1UVXdOREZhRncweU5EQXpNRGN5TVRVd05ERmFNQTB4Q3pBSkJnTlZCQVlUQWtSRgpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXgvalQ4VnJzV1BpTy9SbjJoT3lqCi9Ob292bVEwN29EMFlMVHJpUnlSYmxFbnQyNUhHTWtza0ZITXBQWDBJdmNtL2R5b2Qva25IeWpTbjVqVklsMW8KMjYyelJ1OVFlVmdlaVN3aUJSbmRTcUcxWWZaVGtWM01tODBlZFFIcTVmWVI4UStLdU8zUGJPbUNQUzVVU3NXWQpBRVNTeExPOGRiYllBNjVNUW5QS0dMUTRnU2hOVUN0REJtTCtTOEtncnk1TDZ5M0tPMDNKNmFYSTEzUDdxNmNGClVzZEg5RHdwSmVmMXRrVFlLN2ZkOEhxY0FvdU5IZUhWNDhIMHYyT0lQOXl2aUdQdDZLVjFnV3ZtUEJRQzVoc04Kbi8zOHdnL1JDK1ZkYklQVjdRN0xhNEgyVWl0RldySjA0R1gzT09uT2R1N1VqOWFYWDU0TiszcVYwMHQzeDFlZQp4UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVRha05FNk1majBMaDRXK0ZwNHZ0djE5QVpqWEtnCkhmQjV4RlBLalFDSXVWbnkvNktaWnA1M3ZRakRDeWhrbmdpbWR5MkNKV3FjQkRsOVRtZTRzQlZ4cENMeHBKY2UKczJHbjRUbTRocE0xWHFGZjdwTFBJL0hwYWhTVDBXS25Jb2Q3NnhZRGpNd0I2Y3lWN2h6aCt5TzYydkZGZVFaRwpOMjJNd1ZOUFV3Uk1CV2psSU1mS2hPdjdQODF1MjFuUHo3Y2hpTUhrNEMxZW5CdjdZRnR1cm81dnhOeG9mQ1o0CnYyWVVEam9JWDNXL1BBaFhkY3hSV3JSTnJxSk9YWXR1YjFQWFJJQWhjZkQ1L21EVzFiaHJDNHpuaWN0enp4S0gKUEhuanZ6NGVXTU1kcWFoUGQ0Rmo0a1FRK1ptazFIYWxLa2wzbGh6UFBJdUsweTR3QTF0NExYUEsKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRREgrTlB4V3V4WStJNzkKR2ZhRTdLUDgyaWkrWkRUdWdQUmd0T3VKSEpGdVVTZTNia2NZeVN5UVVjeWs5ZlFpOXliOTNLaDMrU2NmS05LZgptTlVpWFdqYnJiTkc3MUI1V0I2SkxDSUZHZDFLb2JWaDlsT1JYY3lielI1MUFlcmw5aEh4RDRxNDdjOXM2WUk5CkxsUkt4WmdBUkpMRXM3eDF0dGdEcmt4Q2M4b1l0RGlCS0UxUUswTUdZdjVMd3FDdkxrdnJMY283VGNucHBjalgKYy91cnB3VlN4MGYwUENrbDUvVzJSTmdydDkzd2Vwd0NpNDBkNGRYandmUy9ZNGcvM0srSVkrM29wWFdCYStZOApGQUxtR3cyZi9mekNEOUVMNVYxc2c5WHREc3RyZ2ZaU0swVmFzblRnWmZjNDZjNTI3dFNQMXBkZm5nMzdlcFhUClMzZkhWNTdGQWdNQkFBRUNnZ0VCQUsrbHE1eDdUZENVZXh4c0dySUZIY0d5YWtsWndYaWhRb1pUUS9RS2FOK3EKWHlWcXN2NWRia3hSM1Z3a1FjNFlvMkltMkwrUTFNRTAzVlNjTE5IamxJQXBJYWl6K2s2cmpSN1Y2Z2ZyQVFwVgo0ZmxySVZvMU5zeS9MZnArdGJKS0l0WkgzWVMwTmhjblFHTzI5d2s2YUZvTDRaTHZnU0V3ZXFzNUJQajF0ZFZkCm9naHFGZWY0MWhqcXphMEVmL2c4NTlJS0V4cDNGb0ZWMEJ5dFFRb0hzZStmVm9kYUhwV0F3ZmxiYjQrOXV0SW4KTUZ0cW5JWnRFUWRnclBrTy9UNVZPYkJ6WkJ3VXcyQkNsSCtYbkNlRFp5Uy8zcHRFbTBEL0FKNGhicnNyVkd5Sgozc1FJK2ZCd0tPMmpZSitkWVRwOXVDOHFhMlhISWwzc1EwTXRjZ0J1V24wQ2dZRUE2SGxNSmxEZmFnNUdFUHh5Ck1uS1NsZmttaFhIYmdOUmpBUGc5VFJmMWZzUUVTbmVxblg4RGFyZU82VmpaeVhoWmNnb1VsSEJmekl6OXBQbFQKTXh2a0tHeXpHT1NsdDU3ZGQ0ZTdLZnJocDBCOVRseXF5aDVSRjNsYzhMMHdmUjJJZldvZHVBR0JOV3Y2TElQNgplODZTQ3o1MUdHK1RGMG1WekhzYWhMTmNyL2NDZ1lFQTNEV0JSTjVVcW5teHhCSjlZZWJLemtXRkEvMVVsNDQyCmczYTNwV0VEMUVDYUUyVUZ2Kzhyc3hwdjB2R1p0aU1MOUFkSFA5UFcrSE4rQmQwQW1nZWl6ZkdhUThoMkRsamMKRExCSUthdHFBUmoyUXlBMndJN2pzQXBVaXBpTzhzZElUMWtwcmpLWVc1ZS9jaWpnVytMVmNZRktyZktVYkovRApxdk5qbDhQczhDTUNnWUFnMXhIRXorUGZyWWlFV2NVZ0QwTlo0RXBxeTN6QXBFQWdJUEUzOU14L1RkMTFUNVpRCmpXTEVMbzRIdEw5L1VIc0NPeDVSSWRiR3BKd29NL2htM2VmTE5oL093bTRPbEdpZ3ZCSGFpbEJhT2lmNWErbk0KaDUvWSt4SUFDQm5UY3RxWExPaHAxL3lTdVdBcjdiRHkwR21kSVFPVm9oMWJTcy9ZaFFObi81WjJYUUtCZ1FDMApmVlphOERCTkdqbk9ENm1kR09HWmQvbXliMjFxV3pIclJ0NzNPakU5UTBZR0o0TXk4Z0hMWnh2SXRpWGExNWJ3CmlSYXBCaVRvdHlEUUJYaDh4MDExcDFWZHdXeWlEY3N1eXo0YWlWajFWVlJqYUgvNERDWXJJQXh6SE4vdHRkRmEKMkNZRmxZcXphQW1PdEZwUWRmZWtkT2lVOG9NZEZVWDNWRTZKRWhtZUtRS0JnUURuUnFoZXNXeE41eGM1UGUwZAo1Rkl4WVBjMEVFMkkwUXFaWWJkcHZnYm1vOHdSbElwNG04RDk1R2orRmcwMGJKY29VT1lUU0UyeTdPakRBbXZUClVUV29ON1czUDUrSmhKejJSZ21ydlR4K0hYUlJKbFpRU0VFWXRLSEJseGIvWjU2bnljK3UvdzhBakQ2QnVWZ1UKM2ZOWnZIcHBTTTJZcmVMQjBPMm9hZGlFZHc9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
kind: Secret
metadata:
  creationTimestamp: null
  name: some-tls
type: kubernetes.io/tls

and a generic secret with a binary file:

apiVersion: v1
data:
  binary.dat: AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/w==
kind: Secret
metadata:
  creationTimestamp: null
  name: some-generic-from-file

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.