Issue with Base64 Decoding in PushSecret for AWS Parameter Store

[atali]

Description:

I am trying to push a secret to AWS Parameter Store using external-secrets (PushSecret) and encountered an issue with the Base64 decoding of certain fields. Specifically, the dbname and username fields are not being decoded correctly, while the password field works as expected.

Input Secret:

Here is the Kubernetes Secret I am working with:

apiVersion: v1
data:
  dbname: YXBw
  password: bnh5MDhjZmExanhVWGtYMjRoeE14WWlBSmxlQWZMeFE=
  username: c3VwYWJhc2VfYWRtaW4=
kind: Secret
metadata:
  name: postgres-credentials
  namespace: database-dev-ca
type: Opaque

PushSecret:

Here is the PushSecret configuration:

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: postgres-credentials
  namespace: database-dev-ca
spec:
  data:
  - conversionStrategy: None
    match:
      remoteRef:
        remoteKey: /xxxxxxx/dev/postgres-creds
    metadata:
      parameterStoreType: SecureString
  deletionPolicy: Delete
  refreshInterval: 1h
  secretStoreRefs:
  - kind: ClusterSecretStore
    name: aws-cluster-secret-store
  selector:
    secret:
      name: postgres-credentials
  template:
    data:
      dbname: '{{ .dbname | b64dec }}'
      password: '{{ .password | b64dec }}'
      username: '{{ .username | b64dec }}'
    engineVersion: v2
    mergePolicy: Replace
  updatePolicy: Replace

Expected Output:

In AWS Parameter Store, I expected the following decoded secret:

{"dbname":"app","password":"nxy08cfa1jxUXkX24hxMxYiAJleAfLxQ","username":"supabase_admin"}

Actual Output:

However, I got the following:

{"dbname":"aWxsZWdhbCBiYXNlNjQgZGF0YSBhdCBpbnB1dCBieXRlIDA=","password":"nxy08cfa1jxUXkX24hxMxYiAJleAfLxQ","username":"aWxsZWdhbCBiYXNlNjQgZGF0YSBhdCBpbnB1dCBieXRlIDg="}

Additional Debugging:

When manually decoding the dbname and username values, I encountered errors:

• Decoding aWxsZWdhbCBiYXNlNjQgZGF0YSBhdCBpbnB1dCBieXRlIDA= results in: illegal base64 data at input byte 0
• Decoding aWxsZWdhbCBiYXNlNjQgZGF0YSBhdCBpbnB1dCBieXRlIDg= results in: illegal base64 data at input byte 8
• The password field is decoded correctly and works as expected.

Question:
• Is there something wrong with how I am using the b64dec function in the PushSecret template?
• Could there be an issue with how the external-secrets operator handles Base64 decoding for these fields?

Any insights or suggestions on what I might be doing wrong would be greatly appreciated!

Let me know if you need further details or logs.

external-secrets: 0.12.1

[gusfcarvalho]

@atali hi! why did you add b64dec in the first place? anything rendered by the templates are read without being encoded.

[atali]

Hi @gusfcarvalho , thank you for your help.

I tried at the beginning without the b64dec with the following :

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: postgres-credentials
spec:
  deletionPolicy: Delete
  refreshInterval: 1h
  secretStoreRefs:
    - name: aws-cluster-secret-store
      kind: ClusterSecretStore
  selector:
    secret:
      name: postgres-credentials
  data:
    - match:
        remoteRef:
          remoteKey: /xxxxxxx/dev/postgres-creds
      metadata:
        parameterStoreType: SecureString

But I got the base64 version for the values :

{"dbname":"YXBw","password":"S045bDFlT2ZKNUZ1ZFY3YkZ5WEN2eXk0VG9GUGp2dWc=","username":"c3VwYWJhc2VfYWRtaW4="}

Then I tried the following :

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: postgres-credentials
spec:
  deletionPolicy: Delete
  refreshInterval: 1h
  secretStoreRefs:
    - name: aws-cluster-secret-store
      kind: ClusterSecretStore
  selector:
    secret:
      name: postgres-credentials
  template:
    engineVersion: v2
    data:
      dbname: "{{ .dbname }}"
      username: "{{ .username }}"
      password: "{{ .password }}"
  data:
    - match:
        remoteRef:
          remoteKey: /xxxxxxx/dev/postgres-creds
      metadata:
        parameterStoreType: SecureString

and I got the same value

{"dbname":"YXBw","password":"S045bDFlT2ZKNUZ1ZFY3YkZ5WEN2eXk0VG9GUGp2dWc=","username":"c3VwYWJhc2VfYWRtaW4="}

I was expecting to have the decoded version pushed to parameter store. I am not sure what I am doing wrong ?

extra info:

$ kubectl get secret postgres-credentials -n database-dev-ca -o jsonpath='{.data.username}' | base64 -d
supabase_admin
$ kubectl get secret postgres-credentials -n database-dev-ca -o jsonpath='{.data.password}' | base64 -d
KN9l1eOfJ5FudV7bFyXCvyy4ToFPjvug
$ kubectl get secret postgres-credentials -n database-dev-ca -o jsonpath='{.data.dbname}' | base64 -d
app

[gusfcarvalho]

can you try using different names for the template out of a test?

  template:
    engineVersion: v2
    data:
      dbname2: "{{ .dbname  | b64dec }}"
      username2: "{{ .username  | b64dec }}"
      password2: "{{ .password | b64dec }}"

[atali]

@gusfcarvalho, here the result, the actual secret + the template are merged ( according to the source code, it seems expected)

{
   "dbname":"YXBw",
   "dbname2":"aWxsZWdhbCBiYXNlNjQgZGF0YSBhdCBpbnB1dCBieXRlIDA=",
   "password":"S045bDFlT2ZKNUZ1ZFY3YkZ5WEN2eXk0VG9GUGp2dWc=",
   "password2":"KN9l1eOfJ5FudV7bFyXCvyy4ToFPjvug",
   "username":"c3VwYWJhc2VfYWRtaW4=",
   "username2":"aWxsZWdhbCBiYXNlNjQgZGF0YSBhdCBpbnB1dCBieXRlIDg="
}

As you can see if you decode dbname2 and username2 you getillegal base64 data at input byte 0 and illegal base64 data at input byte 8. Only password2 is decoded correctly.

[atali]

Hello @gusfcarvalho , do you have any idea what cause that issue ?

[Skarlso]

@atali if you could check out this PR: #4277 it has a command. You could test your template and see what it renders and then quickly play around with the values to figure out where they are broken.

Also would be a good feedback for the tool on what it could provide you with to make the debugging easier.

[atali]

Hi @Skarlso,

Thank you! I tried the tool, and it was incredibly helpful in identifying the root cause of the problem. I believe it’s worth merging into the main branch.

To clarify, the issue isn’t with the encoding/decoding at the template level. After revisiting what @gusfcarvalho mentioned initially, it now makes sense that the templates are being read without being encoded.

The real issue seems to occur when data is pushed to AWS Parameter Store. Specifically, in the following line of code:

external-secrets/pkg/provider/aws/parameterstore/parameterstore.go

Line 174 in 46726d8

value, err = utils.JSONMarshal(secret.Data)

At this point, the value is being marshalled, which results in a base64-encoded value being stored in Parameter Store.

Would it be possible to add an option to disable the encoding step, allowing the original value to be pushed to AWS Parameter Store without being altered?

Thank you for considering this, I am stuck without that feature :-(

[Skarlso]

@atali Nice! I'm so glad this helped you out. :)

Actually I think this already caused some issues somewhere else too. I'll try looking to what I can do about it.

[atali]

@Skarlso thank you so much :-) I am eager to test it

[atali]

Hi @Skarlso , I am wondering if any update on this issue please ?

[Skarlso]

Hello. I didn't have the time to deal with this yet, sorry. :/ It is on my todo list though. :D

[atali]

Thank you :-)

[Skarlso]

Okay, so, the issue here is that it's getting double encoded, right? So, if it's BASE64 already, don't do the encoding... Did I get that right? 🤔