Describe the bug
When using PushSecret to sync a secret to AWS Secrets Manager, tag and resource policy updates are silently ignored if the secret value hasn't changed. The putSecretValueWithContext function has an early-return optimization that skips all processing (including patchTags() and manageResourcePolicy()) when the secret value is identical to the existing value in AWS.
This means if you update only the tags or resource policy in your PushSecret metadata without changing the secret value, the changes are never applied to AWS.
To Reproduce
- Create a PushSecret that syncs a secret to AWS Secrets Manager with initial tags:

  apiVersion: external-secrets.io/v1alpha1
  kind: PushSecret
  metadata:
    name: my-push-secret
  spec:
    secretStoreRefs:
      - name: aws-secretsmanager
        kind: SecretStore
    selector:
      secret:
        name: my-secret
    data:
      - match:
          secretKey: password
          remoteRef:
            remoteKey: my-aws-secret
        metadata:
          apiVersion: kubernetes.external-secrets.io/v1alpha1
          kind: PushSecretMetadata
          spec:
            tags:
              environment: dev

- Wait for the initial sync (the secret is created in AWS with the environment: dev tag).
- Update the PushSecret to change the tag without changing the secret value:

  spec:
    tags:
      environment: prod # changed from dev to prod

- Wait for reconciliation.
- Check AWS Secrets Manager: the tag is still environment: dev.
Kubernetes version: Any
ESO version: Current main branch (providers/v1/aws/secretsmanager)
Expected behavior
When updating PushSecret metadata (tags or resource policy), the changes should be applied to AWS Secrets Manager even if the secret value hasn't changed. Tags and secret values are independent concerns and should be synced independently.
Screenshots
N/A
Additional context
The bug is in providers/v1/aws/secretsmanager/secretsmanager.go in the putSecretValueWithContext function (lines 618-661). The early return at line 619-621 exits before patchTags() and manageResourcePolicy() are called:
if awsSecret != nil && (bytes.Equal(awsSecret.SecretBinary, value) || esutils.CompareStringAndByteSlices(awsSecret.SecretString, value)) {
	return nil // BUG: exits here, skipping tag/policy updates
}
I have a fix ready and will submit a PR.
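As an added illustration (not code from external-secrets; fakeClient, pushBuggy and pushFixed are hypothetical stand-ins for the provider's putSecretValueWithContext, patchTags and manageResourcePolicy), the reported control flow beside a corrected one in which the value-equality check gates only the value write, so tags and the resource policy are reconciled on every push:

```go
package main

import "bytes"

// remoteSecret is a constructed model of a Secrets Manager secret; real SDK types are not used.
type remoteSecret struct {
	Value  []byte
	Tags   map[string]string
	Policy string
}

// fakeClient stands in for the AWS client so the example runs offline.
type fakeClient struct {
	store     map[string]*remoteSecret
	valuePuts int // counts value writes, to show the fix keeps the write-avoidance
}

func (c *fakeClient) ensure(key string) *remoteSecret {
	if c.store[key] == nil {
		c.store[key] = &remoteSecret{Tags: map[string]string{}}
	}
	return c.store[key]
}
func (c *fakeClient) putValue(key string, v []byte) { c.valuePuts++; c.ensure(key).Value = v }
func (c *fakeClient) putPolicy(key, p string)       { c.ensure(key).Policy = p }
func (c *fakeClient) patchTags(key string, tags map[string]string) {
	for k, v := range tags {
		c.ensure(key).Tags[k] = v
	}
}

// pushBuggy mirrors the reported control flow: an unchanged value returns before
// the tag patch and the resource policy update run.
func pushBuggy(c *fakeClient, key string, value []byte, tags map[string]string, policy string) {
	if s := c.store[key]; s != nil && bytes.Equal(s.Value, value) {
		return // BUG: metadata changes never reach AWS
	}
	c.putValue(key, value)
	c.patchTags(key, tags)
	c.putPolicy(key, policy)
}

// pushFixed skips only the value write when nothing changed; metadata is always reconciled.
func pushFixed(c *fakeClient, key string, value []byte, tags map[string]string, policy string) {
	if s := c.store[key]; s == nil || !bytes.Equal(s.Value, value) {
		c.putValue(key, value)
	}
	c.patchTags(key, tags)
	c.putPolicy(key, policy)
}
```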