ExternalSecret that refer ECRAuthorizationToken not work in 0.18.0

[maodahua]

Describe the bug
After we upgrade the external-secrets version to 0.18.0, the externalsecret that refer the ECRAuthorizationToken report the error, but it works with version 0.17.0(refer the manifest below, it works).
looks like it will not use the IRSA permission to perform the ECR: GetAuthorizationToken. The logs find in controller:

{"level":"error","ts":1750228541.0351596,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"repository-ecr","namespace":"argocd"},"namespace":"argocd","name":"repository-ecr","reconcileID":"xxxxxxxxx","error":"error processing spec.dataFrom[0].sourceRef.generatorRef, err: error using generator: unable to get authorization token: operation error ECR: GetAuthorizationToken, https response error StatusCode: 400, RequestID: xxxxxxxxx, api error MissingAuthenticationTokenException: Missing Authentication Token","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.21.0/pkg/internal/controller/controller.go:353\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.21.0/pkg/internal/controller/controller.go:300\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.21.0/pkg/internal/controller/controller.go:202"}

To Reproduce
Steps to reproduce the behavior:

1. The ECRAuthorizationToken manifest

apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-auth-token
  namespace: argocd
spec:
  region: ap-southeast-2

2. The ExternalSecret manifest

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: repository-ecr
  namespace: argocd
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: ecr-auth-token
  refreshInterval: 30m
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      data:
        enableOCI: "true"
        password: "{{ .password }}"
        type: helm
        url: 11111111111.dkr.ecr.ap-southeast-2.amazonaws.com
        username: "{{ .username }}"
      engineVersion: v2
      mergePolicy: Replace
      metadata:
        labels:
          argocd.argoproj.io/secret-type: repo-creds
      type: Opaque

The AWS role permission:

Kubernetes version: 1.31(EKS)
ESO version: 0.18.0

Expected behavior
The ExternalSecret should works fine with ECRAuthorizationToken. I know there are some refactor of AWS, but from the docs, not mention the manifest need some change(diff the old version with the latest).

[probitaille-axso]

we're in the same boat, also experiencing this issue..

[gusfcarvalho]

can you all try to add a AWS_REGION environment variable to your external-secrets pod to see if it works as a workaround? I think this might be related with #4934

[gazal-k]

can you all try to add a AWS_REGION environment variable to your external-secrets pod to see if it works as a workaround? I think this might be related with #4934

I suppose we should have mentioned, we already use IRSA for the controller. As in, not fine grained IRSA associated with each SecretStore.

So, due to how IRSA works, the controller Pods already have AWS_REGION env var. The env section for controller Pods look like:

    env:
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: regional
    - name: AWS_DEFAULT_REGION
      value: ap-southeast-2
    - name: AWS_REGION
      value: ap-southeast-2
    - name: AWS_ROLE_ARN
      value: arn:aws:iam::{accountId}:role/{role-name}
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token

[Skarlso]

Ugh, most likely something with AWS SDK v2. @Ilhan-Personal any ideas? 🙇

[karloscarrijozup]

Same issue here, for context we use Pod Identity, and this is the error I get on the daemonset:

eks-pod-identity-agent-tvscr eks-pod-identity-agent {"association-id":"a-1tlv7jypxfjslotbc","client-addr":"10.144.2.172:36220","cluster-name":"test1","from":"renewal-thread","level":"info","msg":"Removing credentials from cache, got non recoverable error: error getting credentials to cache: unable to fetch credentials from EKS Auth: operation error EKS Auth: AssumeRoleForPodIdentity, https response error StatusCode: 400, RequestID: e8233c5e-5d65-4355-bb64-39d6158b4eef, ExpiredTokenException: The token included in the request is expired: current date/time 2025-06-18T21:20:55.347735677Z must be before the expiration date/time 2025-06-18T20:45:00Z.","time":"2025-06-18T21:20:55Z"}

[Ilhan-Personal]

Looking

[Skarlso]

Thanks! :) Maybe it's scope related? Maybe try setting public scope? 🤔

[Ilhan-Personal]

Heyy @Skarlso why do you think it would be scope related?

also QQ, I noticed that the function to return webidentityroleprovider accepts an argument for region but it looks like I probably missed to include the region while setting up the config, But yes I'm not 100% sure I thought the credential chain would handle this since we're specifying the env var anyway

https://github.com/external-secrets/external-secrets/pull/4940/files#diff-7716174091c7f7fad44cb0df854f13815330251a6d5bb610fc6966c74dcc9789R301

EDIT:

The above is probably not related to the current issue but it could be a fix for a different issue
#4934

[estevaofay]

Got the same issue:

apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-gen
spec:
  region: sa-east-1
  auth:
    secretRef:
      accessKeyIDSecretRef:
        name: "ecr-creds"
        key: "AWS_ACCESS_KEY_ID"
      secretAccessKeySecretRef:
        name: "ecr-creds"
        key: "AWS_SECRET_ACCESS_KEY"

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ecr-creds
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: ecr-creds
    creationPolicy: Owner
  data:
  - secretKey: AWS_ACCESS_KEY_ID
    remoteRef:
      key: ecr-auth
      property: AWS_ACCESS_KEY_ID
  - secretKey: AWS_SECRET_ACCESS_KEY
    remoteRef:
      key: ecr-auth
      property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "ecr-auth"
spec:
  refreshInterval: "1h"
  target:
    name: ecr-auth
    template:
      type: kubernetes.io/dockerconfigjson
      metadata:
        annotations:
          expiresAt: "{{ .expires_at }}"
      data:
        .dockerconfigjson: |
          {
            "auths": {
             {{ "{{ .proxy_endpoint | replace \"https://\" \"\" }}" }}: {
                "username": "{{ .username }}",
                "password": "{{ .password }}",
                "auth": "{{ printf "%s:%s" .username .password | b64enc }}"
              }
            }
          }
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: ECRAuthorizationToken
          name: "ecr-gen"

This is the error I get

Secret "ecr-auth" is invalid: data[.dockerconfigjson]: Invalid value: "<secret contents redacted>": invalid character '9' looking for beginning of object key string

This is the live manifest I see in argocd

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"external-secrets.io/v1beta1","kind":"ExternalSecret","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"nw-backend"},"name":"ecr-auth","namespace":"nw"},"spec":{"dataFrom":[{"sourceRef":{"generatorRef":{"apiVersion":"generators.external-secrets.io/v1alpha1","kind":"ECRAuthorizationToken","name":"ecr-gen"}}}],"refreshInterval":"1h","target":{"name":"ecr-auth","template":{"data":{".dockerconfigjson":"{\n 
      \"auths\": {\n   {{ .proxy_endpoint | replace \"https://\" \"\" }}:
      {\n      \"username\": \"\",\n      \"password\": \"\",\n      \"auth\":
      \"JSFzKDxuaWw+KTolIXMoPG5pbD4p\"\n    }\n 
      }\n}\n"},"metadata":{"annotations":{"expiresAt":""}},"type":"kubernetes.io/dockerconfigjson"}}}}
  creationTimestamp: '2025-06-21T21:25:48Z'
  generation: 4
  labels:
    app.kubernetes.io/instance: nw-backend
  name: ecr-auth
  namespace: nw
  resourceVersion: '4481308'
  uid: aeaec56c-1e28-4e17-b891-13de213fedd0
spec:
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: ECRAuthorizationToken
          name: ecr-gen
  refreshInterval: 1h
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: ecr-auth
    template:
      data:
        .dockerconfigjson: |
          {
            "auths": {
             {{ .proxy_endpoint | replace "https://" "" }}: {
                "username": "",
                "password": "",
                "auth": "JSFzKDxuaWw+KTolIXMoPG5pbD4p"
              }
            }
          }
      engineVersion: v2
      mergePolicy: Replace
      metadata:
        annotations:
          expiresAt: ''
      type: kubernetes.io/dockerconfigjson
status:
  binding:
    name: ''
  conditions:
    - lastTransitionTime: '2025-06-21T21:25:48Z'
      message: could not update secret
      reason: SecretSyncedError
      status: 'False'
      type: Ready
  refreshTime: null

And if we decode JSFzKDxuaWw+KTolIXMoPG5pbD4p we get !s(<nil>):%!s(<nil>) which is the same thing I see in logs

to me it just looks like it didn't work at all and documentation has no examples (and one example with bad quotes that took me forever to debug)

[gusfcarvalho]

Got the same issue:

apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
name: ecr-gen
spec:
region: sa-east-1
auth:
secretRef:
accessKeyIDSecretRef:
name: "ecr-creds"
key: "AWS_ACCESS_KEY_ID"
secretAccessKeySecretRef:
name: "ecr-creds"
key: "AWS_SECRET_ACCESS_KEY"
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: ecr-creds
spec:
refreshInterval: 1m
secretStoreRef:
name: aws-secrets-manager
kind: ClusterSecretStore
target:
name: ecr-creds
creationPolicy: Owner
data:

• secretKey: AWS_ACCESS_KEY_ID
  remoteRef:
  key: ecr-auth
  property: AWS_ACCESS_KEY_ID
• secretKey: AWS_SECRET_ACCESS_KEY
  remoteRef:
  key: ecr-auth
  property: AWS_SECRET_ACCESS_KEY

---

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "ecr-auth"
spec:
refreshInterval: "1h"
target:
name: ecr-auth
template:
type: kubernetes.io/dockerconfigjson
metadata:
annotations:
expiresAt: "{{ .expires_at }}"
data:
.dockerconfigjson: |
{
"auths": {
{{ "{{ .proxy_endpoint | replace "https://" "" }}" }}: {
"username": "{{ .username }}",
"password": "{{ .password }}",
"auth": "{{ printf "%s:%s" .username .password | b64enc }}"
}
}
}
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
name: "ecr-gen"
This is the error I get

Secret "ecr-auth" is invalid: data[.dockerconfigjson]: Invalid value: "<secret contents redacted>": invalid character '9' looking for beginning of object key string

This is the live manifest I see in argocd

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: >
{"apiVersion":"external-secrets.io/v1beta1","kind":"ExternalSecret","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"nw-backend"},"name":"ecr-auth","namespace":"nw"},"spec":{"dataFrom":[{"sourceRef":{"generatorRef":{"apiVersion":"generators.external-secrets.io/v1alpha1","kind":"ECRAuthorizationToken","name":"ecr-gen"}}}],"refreshInterval":"1h","target":{"name":"ecr-auth","template":{"data":{".dockerconfigjson":"{\n
"auths": {\n {{ .proxy_endpoint | replace "https://" "" }}:
{\n "username": "",\n "password": "",\n "auth":
"JSFzKDxuaWw+KTolIXMoPG5pbD4p"\n }\n
}\n}\n"},"metadata":{"annotations":{"expiresAt":""}},"type":"kubernetes.io/dockerconfigjson"}}}}
creationTimestamp: '2025-06-21T21:25:48Z'
generation: 4
labels:
app.kubernetes.io/instance: nw-backend
name: ecr-auth
namespace: nw
resourceVersion: '4481308'
uid: aeaec56c-1e28-4e17-b891-13de213fedd0
spec:
dataFrom:
- sourceRef:
generatorRef:
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
name: ecr-gen
refreshInterval: 1h
target:
creationPolicy: Owner
deletionPolicy: Retain
name: ecr-auth
template:
data:
.dockerconfigjson: |
{
"auths": {
{{ .proxy_endpoint | replace "https://" "" }}: {
"username": "",
"password": "",
"auth": "JSFzKDxuaWw+KTolIXMoPG5pbD4p"
}
}
}
engineVersion: v2
mergePolicy: Replace
metadata:
annotations:
expiresAt: ''
type: kubernetes.io/dockerconfigjson
status:
binding:
name: ''
conditions:
- lastTransitionTime: '2025-06-21T21:25:48Z'
message: could not update secret
reason: SecretSyncedError
status: 'False'
type: Ready
refreshTime: null
And if we decode JSFzKDxuaWw+KTolIXMoPG5pbD4p we get !s(<nil>):%!s(<nil>) which is the same thing I see in logs

to me it just looks like it didn't work at all and documentation has no examples (and one example with bad quotes that took me forever to debug)

Your problem seems to be something with how you’re injecting the manifests than this bug. The live manifests should contain the templates; the fact they don’t have them means you’re probably using a helm renderer 🙂, which is unrelated

[gusfcarvalho]

@maodahua can you verify if this image ghcr.io/external-secrets/external-secrets:main@sha256:50a6d9b763b34e4afe9c4a4b7e87508c8bef29ffa8b5140de9d449dd726e50cb fixes this issue?

Image ref: https://github.com/external-secrets/external-secrets/actions/runs/15808006710/job/44555482486

[michelesr]

@maodahua can you verify if this image ghcr.io/external-secrets/external-secrets:main@sha256:50a6d9b763b34e4afe9c4a4b7e87508c8bef29ffa8b5140de9d449dd726e50cb fixes this issue?

Image ref: https://github.com/external-secrets/external-secrets/actions/runs/15808006710/job/44555482486

We experienced a similar issue (with a generic secret store, no ECRAuthorizationToken):

 "msg":"unable to validate store","secretstore":{"name":"foo","namespace":"foo"},"error":"could not validate provider: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region"

The suggested image above seems to have fixed the problem.

[maodahua]

@maodahua can you verify if this image ghcr.io/external-secrets/external-secrets:main@sha256:50a6d9b763b34e4afe9c4a4b7e87508c8bef29ffa8b5140de9d449dd726e50cb fixes this issue?

Image ref: https://github.com/external-secrets/external-secrets/actions/runs/15808006710/job/44555482486

Hi @gusfcarvalho I am on leave till this Wed, will test it when I am back 🚀

[paulpowerwv]

Hi @gusfcarvalho, faced a similar issue with an AWS secret store and using the above image ghcr.io/external-secrets/external-secrets:main from #4940 resolved the Invalid Configuration: Missing Region error just to also confirm the changes