Skip to content

PushSecret support for resource based policy (AWS SecretsManager) #5395

Closed
#5399
Closed
PushSecret support for resource based policy (AWS SecretsManager)#5395
#5399
Labels
area/awsIndicates an issue or PR related to AWS.kind/featureCategorizes issue or PR as related to a new feature.
@cmoscofian

Description

@cmoscofian
cmoscofian
opened on Oct 1, 2025

Is your feature request related to a problem? Please describe.
Not a problem per say, but would be a nice quality of life improvement if PushSecret could also support creating/ updating reosurce policies on AWS SecretsManager. Currently I have a very ABAC driven solution that makes extensive use of session tags in conjunction with identity and resource policies to harden secrets access. But, the secrets created by push secrets need to be treated as a separate process due to ESO operator not supporting it.
My current use case is specific to AWS SecretsManager but I imagine the idea can be extended to other service/ cloud providers that support resource based policy (GCP for example has a similar model to AWS on this and ParameterStore has support for resource based policy).

Describe the solution you'd like
It would be great if the resource policy could be passed into PushSecret as an optional field part of the PushSecretMetadata.

For example:

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-example
  namespace: teamb
spec:
  deletionPolicy: Delete
  refreshInterval: 1h
  secretStoreRefs:
    - name: teamb-secret-store
      kind: SecretStore
  selector:
    secret:
      name: my-secret
  data:
    - match:
        secretKey: key1
        remoteRef:
          remoteKey: teamb-my-first-parameter-3
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          resourcePolicy:
            # AWS flag to harden the resource policy validation
            blockPublicPolicy: true
            # Allow passing the resource policy as a key from a ConfigMap, could
            # also maybe be read from a Secret or just the raw string
            policySourceRef:
                kind: ConfigMap
                name: my-secret-resource-policy
                key: policy.json
          kmsKeyID: bb123123-b2b0-4f60-ac3a-44a13f0e6b6c
          secretPushFormat: string
          description: "secret 'managed-by:secret-manager' from 'secret-store:teamb-secret-store'"
          tags:
            secret-store: teamb-secret-store
            refresh-interval: 1h

For AWS this would require the operator/ secret store role to have PutResourcePolicy as an allowed action.
Also, AWS does not allow passing the resource policy as a param to their CreateSecret or PutSecretValue calls, this would have to be a second api in the reconciliation after the first call has returned succesfully.

Describe alternatives you've considered

  • Precreate secrets with policy, let ESO only PutSecretValue. This removes drift but it defeats the purpose of PushSecret for creation leaving it only as a sync tool
  • Manual post creating: Having a manual script/ job/ hook that scans secrets missing resource policy and attach to it. It creates an exposure window from ABAC and is very error prone cumbersome.

Additional context

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/awsIndicates an issue or PR related to AWS.kind/featureCategorizes issue or PR as related to a new feature.

    Type

    No type

    Projects

    External Secrets

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions