
PushSecret error pushing to an AWS Secrets Manager Secret when there are no secret values #4833

@nirajsapkota

Description

Describe the bug

When you use PushSecret to push to a newly created AWS Secrets Manager Secret that has never had a secret value set, the PushSecret will fail with the following error:

Warning  Errored  1s (x3 over 2s)  pushsecret  set secret failed: could not write remote ref password to target secretstore secrets-manager: ResourceExistsException: The operation failed because the secret my-cool-secret already exists.

To Reproduce

  1. Create an AWS Secrets Manager Secret
aws secretsmanager create-secret --name my-cool-secret --region ap-southeast-2
  2. Create a Push Secret
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  namespace: my-cool-service
  name: password-generator
spec:
  length: 42
  digits: 5
  symbols: 5
  symbolCharacters: "-_$@"
  noUpper: false
  allowRepeat: true
---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  namespace: my-cool-service
  name: password
spec:
  # secretStoreRef omitted
  selector:
    generatorRef:
      apiVersion: generators.external-secrets.io/v1alpha1
      kind: Password
      name: password-generator
  data:
    - match:
        secretKey: password
        remoteRef:
          remoteKey: my-cool-secret
          property: password

Kubernetes Version: v1.31.7-eks-4096722
External Secrets Operator Version: v0.15.1

Expected behavior
It should successfully write to the secrets manager secret and create the first secret version.

Potential Cause
I believe the issue is due to a bug in the PushSecret function. The PushSecret function calls GetSecretValueWithContext. However, since a secret value does not exist in this scenario, we will fall through to trying to create the secret. But the secret does already exist, so this is likely the cause of the error described in this issue.

awsSecret, err := sm.client.GetSecretValueWithContext(ctx, &secretValue)

Additional context
Although creating AWS Secrets Manager Secrets through the AWS console makes you provide an initial secret value, it is not required. You can create AWS Secrets Manager Secrets without an initial secret value using either the CLI or other IaC tools such as Terraform.
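The distinction the issue turns on, written out as an added Go example (not the operator's own provider code): a GetSecretValue "not found" can mean either that the secret does not exist or that it exists with no version, and only the second case produces ResourceExistsException on CreateSecret. The AWS client is replaced by a hypothetical SecretsAPI interface and an in-memory FakeSM that reproduces that behaviour; PushBuggy, PushFixed and the sentinel errors are assumptions made for this example.

```go
package main
import "errors"

// Sentinels standing in for the AWS SDK error types (constructed for this example).
var ErrNotFound, ErrExists = errors.New("ResourceNotFoundException"), errors.New("ResourceExistsException")

// SecretsAPI is a hypothetical subset of the Secrets Manager client; the real ESO provider calls the AWS SDK.
type SecretsAPI interface {
	GetSecretValue(name string) (string, error)
	DescribeSecret(name string) error
	CreateSecret(name, value string) error
	PutSecretValue(name, value string) error
}

// FakeSM reproduces the behaviour behind the issue in memory: a secret can exist with no version, so
// GetSecretValue reports ResourceNotFoundException while CreateSecret on the same name reports ResourceExistsException.
type FakeSM struct{ exists map[string]bool; values map[string]string }
func NewFakeSM() *FakeSM { return &FakeSM{map[string]bool{}, map[string]string{}} }
func (f *FakeSM) GetSecretValue(n string) (string, error) {
	if v, ok := f.values[n]; ok { return v, nil }
	return "", ErrNotFound
}
func (f *FakeSM) DescribeSecret(n string) error {
	if !f.exists[n] { return ErrNotFound }
	return nil
}
func (f *FakeSM) CreateSecret(n, v string) error {
	if f.exists[n] { return ErrExists }
	f.exists[n], f.values[n] = true, v
	return nil
}
func (f *FakeSM) PutSecretValue(n, v string) error {
	if !f.exists[n] { return ErrNotFound }
	f.values[n] = v
	return nil
}

// PushBuggy mirrors the failure path in the issue: "no value" is taken to mean "no secret".
func PushBuggy(c SecretsAPI, n, v string) error {
	if _, err := c.GetSecretValue(n); errors.Is(err, ErrNotFound) { return c.CreateSecret(n, v) }
	return c.PutSecretValue(n, v)
}

// PushFixed asks whether the secret itself exists before choosing CreateSecret or PutSecretValue.
func PushFixed(c SecretsAPI, n, v string) error {
	if _, err := c.GetSecretValue(n); err == nil { return c.PutSecretValue(n, v) } else if !errors.Is(err, ErrNotFound) { return err }
	if err := c.DescribeSecret(n); err == nil { return c.PutSecretValue(n, v) } else if !errors.Is(err, ErrNotFound) { return err }
	return c.CreateSecret(n, v) // genuinely absent: create it together with its first version
}
```

With the fake pre-seeded to contain my-cool-secret but no value, PushBuggy returns ResourceExistsException and PushFixed writes the first version.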

Labels: kind/bug
Status: Done