Tag and resource policy updates ignored when secret value unchanged (AWS Secrets Manager) #6024

@evs-secops

Description

Describe the bug

When using PushSecret to sync a secret to AWS Secrets Manager, tag and resource policy updates are silently ignored if the secret value hasn't changed. The putSecretValueWithContext function has an early-return optimization that skips all processing (including patchTags() and manageResourcePolicy()) when the secret value is identical to the existing value in AWS.

This means if you update only the tags or resource policy in your PushSecret metadata without changing the secret value, the changes are never applied to AWS.

To Reproduce

  1. Create a PushSecret that syncs a secret to AWS Secrets Manager with initial tags:

     apiVersion: external-secrets.io/v1alpha1
     kind: PushSecret
     metadata:
       name: my-push-secret
     spec:
       secretStoreRefs:
         - name: aws-secretsmanager
           kind: SecretStore
       selector:
         secret:
           name: my-secret
       data:
         - match:
             secretKey: password
             remoteRef:
               remoteKey: my-aws-secret
           metadata:
             apiVersion: kubernetes.external-secrets.io/v1alpha1
             kind: PushSecretMetadata
             spec:
               tags:
                 environment: dev

  2. Wait for the initial sync (the secret is created in AWS with the environment: dev tag).

  3. Update the PushSecret to change the tag without changing the secret value:

     spec:
       tags:
         environment: prod  # changed from dev to prod

  4. Wait for reconciliation.

  5. Check AWS Secrets Manager: the tag is still environment: dev.

Kubernetes version: Any
ESO version: Current main branch (providers/v1/aws/secretsmanager)

Expected behavior

When updating PushSecret metadata (tags or resource policy), the changes should be applied to AWS Secrets Manager even if the secret value hasn't changed. Tags and secret values are independent concerns and should be synced independently.

Screenshots

N/A

Additional context

The bug is in providers/v1/aws/secretsmanager/secretsmanager.go in the putSecretValueWithContext function (lines 618-661). The early return at lines 619-621 exits before patchTags() and manageResourcePolicy() are called:

if awsSecret != nil && (bytes.Equal(awsSecret.SecretBinary, value) || esutils.CompareStringAndByteSlices(awsSecret.SecretString, value)) {
    return nil  // BUG: exits here, skipping tag/policy updates
}

I have a fix ready and will submit a PR.
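The control-flow problem in the report, modelled as an added example (this is not ESO's code or the AWS SDK; the remoteSecret and desired types, the patchTags and manageResourcePolicy helpers, and the sample value are constructed stand-ins for the real provider). pushBuggy keeps the early return on an unchanged value, pushFixed reconciles tags and resource policy independently of the value write, and metadataDrift is the post-reconciliation check an operator can use to notice that a metadata-only change was silently dropped:

```go
package main

import (
	"bytes"
	"fmt"
	"reflect"
)

// remoteSecret is a constructed stand-in for the secret as stored in AWS
// Secrets Manager; it is not ESO's type or the AWS SDK's.
type remoteSecret struct {
	Value  []byte
	Tags   map[string]string
	Policy string
}

// desired is what one PushSecret entry declares: the value from the
// Kubernetes Secret plus the tags and resource policy from PushSecretMetadata.
type desired struct {
	Value  []byte
	Tags   map[string]string
	Policy string
}

// patchTags and manageResourcePolicy are hypothetical stand-ins for the
// helpers named in the report; here they simply overwrite the remote copy.
func patchTags(remote *remoteSecret, tags map[string]string) {
	remote.Tags = make(map[string]string, len(tags))
	for k, v := range tags {
		remote.Tags[k] = v
	}
}

func manageResourcePolicy(remote *remoteSecret, policy string) {
	remote.Policy = policy
}

// pushBuggy reproduces the reported control flow: an unchanged value causes
// an early return, so tags and policy are never reconciled.
func pushBuggy(remote *remoteSecret, want desired) error {
	if bytes.Equal(remote.Value, want.Value) {
		return nil // BUG: metadata-only changes are dropped here
	}
	remote.Value = want.Value
	patchTags(remote, want.Tags)
	manageResourcePolicy(remote, want.Policy)
	return nil
}

// pushFixed treats value and metadata as independent concerns: the value
// write is skipped when nothing changed, but tags and policy are always
// reconciled against the desired state.
func pushFixed(remote *remoteSecret, want desired) error {
	if !bytes.Equal(remote.Value, want.Value) {
		remote.Value = want.Value
	}
	patchTags(remote, want.Tags)
	manageResourcePolicy(remote, want.Policy)
	return nil
}

// metadataDrift lists which metadata fields still differ between desired
// and remote state after a push; a non-empty result is the detection signal
// for the silent skip described in the report.
func metadataDrift(remote *remoteSecret, want desired) []string {
	var drift []string
	if !reflect.DeepEqual(remote.Tags, want.Tags) {
		drift = append(drift, "tags")
	}
	if remote.Policy != want.Policy {
		drift = append(drift, "resourcePolicy")
	}
	return drift
}

// reproduce runs the report's scenario with the given push implementation:
// same value, tag changed from dev to prod. It returns the remote's
// environment tag and the drift that remains afterwards.
func reproduce(push func(*remoteSecret, desired) error) (string, []string, error) {
	remote := &remoteSecret{
		Value: []byte("s3cret"), // constructed sample value
		Tags:  map[string]string{"environment": "dev"},
	}
	want := desired{
		Value: []byte("s3cret"), // unchanged, so the early return triggers
		Tags:  map[string]string{"environment": "prod"},
	}
	if err := push(remote, want); err != nil {
		return "", nil, err
	}
	return remote.Tags["environment"], metadataDrift(remote, want), nil
}

func main() {
	for name, push := range map[string]func(*remoteSecret, desired) error{
		"buggy": pushBuggy,
		"fixed": pushFixed,
	} {
		tag, drift, err := reproduce(push)
		fmt.Printf("%s: environment=%s drift=%v err=%v\n", name, tag, drift, err)
	}
}
```

With the buggy flow the remote keeps environment: dev and metadataDrift reports "tags"; with the decoupled flow the tag becomes prod and no drift remains. The same shape applies to the resource policy, which is why the check covers both fields.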

Metadata

Assignees

Labels

kind/bug: Categorizes issue or PR as related to a bug.

Type

No type

Projects

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests