PushSecret to AWS Secrets Manager: Define KMS key to use to encrypt secret

[tabnul]

Describe the solution you'd like

At the moment it does not seem possible to define a customer managed KMS key which should be used to encrypt a secret at rest. Is it possible to add this?

[gusfcarvalho]

I reckon this is something that would need to go to the SecretStore spec. @moolen thoughts?

[moolen]

From the initial design we envisioned it roughly like this:

apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: example
  namespace: example-ns
spec:
  provider:
    aws:
      service: SecretsManager
      role: iam-role
      region: eu-central-1
      encryptionConfig: {} # Specific config for Creating Secrets on AWS
      auth: {} # ...

I guess it makes sense to add that there so a user is able to point to a customer managed key.

Then we just need to pass it to the CreateSecret() call (docs).

    // The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt
    // the secret value in the secret. An alias is always prefixed by alias/, for
    // example alias/aws/secretsmanager. For more information, see About aliases
    // (https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html).
    //
    // To use a KMS key in a different account, use the key ARN or the alias ARN.
    //
    // If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager.
    // If that key doesn't yet exist, then Secrets Manager creates it for you automatically
    // the first time it encrypts the secret value.
    //
    // If the secret is in a different Amazon Web Services account from the credentials
    // calling the API, then you can't use aws/secretsmanager to encrypt the secret,
    // and you must create and use a customer managed KMS key.
    KmsKeyId *string `type:"string"`

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[nujragan93]

I am trying to solve this issue, quick question: looks like the pushsecret method does not have info on secretStore, it just has info from pushsecretData, how do you think this should be architected ? should the secretstore config come through SecretsClient interface ? @moolen

[gusfcarvalho]

This already has a proposed mechanism via PushSecret Metadata block.

It is basically adding the information to the AWS SM Metadata Spec and use it within the createSecret method.

[Mpluya]

Hello, I've been trying to get my CMK (customer managed key) set on the AWS secrets manager secret created by PushSecret, and it keeps defaulting to "alias/aws/secretsmanager". I verified that the yaml I’m setting follows the spec outlined here - https://github.com/external-secrets/external-secrets/blob/main/docs/snippets/aws-sm-push-secret-with-metadata.yaml.

I’ve also tried setting kmsKeyId per the expected json here -

external-secrets/pkg/provider/aws/secretsmanager/secretsmanager.go

Line 53 in 8cad02f

KMSKeyID string `json:"kmsKeyId,omitempty"`

. This option didn’t pan out either, kms continued to be defaulted.

If there’s any guidance, please let me know.

[Skarlso]

@Mpluya You're right. We actually don't set this value on the CreateSecretInput. 🤦

I'll push up a bug fix as soon as I can.

	input := &awssm.CreateSecretInput{
		Name:               &secretName,
		SecretBinary:       value,
		Tags:               tags,
		Description:        utilpointer.To(mdata.Spec.Description),
		ClientRequestToken: utilpointer.To(initialVersion),
//		KmsKeyId: utilpointer.To(mdata.Spec.KMSKeyID), -> This is NOT there. But should be.
	}

And obviously on the decode side as well when we fetch.

[Mpluya]

@Skarlso Thank you for the quick action on this.