Allow to get parameters by path for AWS Systems Manager Parameter Store provider

[jacekpuczko]

I'm looking into migrating from deprecated Kubernetes External Secrets but I found out that the functionality of fetching all parameters by the path from AWS Systems Manager Parameter Store, available in Kubernetes External Secrets, is missing in the External Secrets Operator. It was already reported in:

#431

Currently, I'm using the path prefix in the parameter store to identify all secrets keys owned by a single service and use kubernetes-client.io/ExternalSecret resource to create a k8s secret with multiple keys without a need to specify every key or need to update any k8s resources when I add a new parameter. Because there is a lot of keys per secret and many services it's a huge overhead having to declare every key in the external secret resource.

Instead of having to specify every parameter:

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: service-name
spec:
  # [omitted for brevity]
  data:
    - secretKey: PASSWORD1
      remoteRef:
        key: /service-name/PASSWORD1
    - secretKey: PASSWORD2
      remoteRef:
        key: /service-name/PASSWORD2
    # Followed by more
  target:
    name: service-name

I'd like to use the path prefix to fetch all keys for the service (not sure if dataFrom was intended for this purpose)

apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: service-name
spec:
  # [omitted for brevity]
  dataFrom:
    - key: /service-name/
  target:
    name: service-name

Example of the current usage with Kubernetes external secrets:

apiVersion: 'kubernetes-client.io/v1'
kind: ExternalSecret
metadata:
  name: service-name
  namespace: namespace
spec:
  backendType: systemManager
  data:
    - path: /service-name/
      recursive: false

The proposed alternative solution using a JSON string to store multiple keys wouldn't work for me for 2 reasons:

1. AWS Systems Manager Parameter Store has a value limit of 4 KB in the free tier, 8 KB for the advanced option, this will be not enough to store all the keys for some of the services.
2. A JSON, especially a big one, won't be readable in the AWS Web console.

Is there a plan to implement this functionality?
If not, Could you please provide some direction on how to contribute to adding this feature?
Is it possible to implement one using the current externalsecret.external-secrets.io resource, dataFrom element or it would require changes to CRDs? Would the changes be limited to the Parameter store provider adapter (parameterstore.go file)?

[gusfcarvalho]

Hi @jacekpuczko! We already addressed this functionality on #820. It should be available on our next release, 0.5.0, although it will work in a different manner then path referencing. I believe, for instance, we cannot currently specify recursiveness (by default all calls are recursive).
To use the preview feature, you would need to define the ExternalSecrets using dataFrom.find (this is only available in v1beta1 CRD):

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: service-name
spec:
  # [omitted for brevity]
  dataFrom:
    - find:
        name:
          regexp: /service-name/.*$ # you can try a regexp that blocks recursiveness if you need to.
  target:
    name: service-name

If I recall correctly, this will render the following k8s Secret:

apiVersion: v1
kind: Secret
metadata:
  name: service-name
data:
  service-name_PASSSWORD1: cGFzc3dvcmQ=
  service-name_PASSSWORD2: cGFzc3dvcmQ=
  service-name_PASSSWORD3: cGFzc3dvcmQ=

You can try this preview feature by installing external-secrets using the latest image. Just remember you need to use the helm charts available at deploy/charts/external-secrets, and not the released ones. Be sure as well to run make helm.generate before running helm install so you have the appropriate CRDs available locally.

After trying it out, then we can see if this feature needs any adjustment for your specific use case =)

P.S.: The method in parameterstore.go is GetAllSecrets, if you want to check it out.

[jacekpuczko]

Hi @gusfcarvalho, sounds great, thank you :) I'll test it as soon as possible.

[jacekpuczko]

Hi @gusfcarvalho, it works for me :) Is there a way to translate parameters that the secret keys have no path prefixes?
Now I get:

data:
  _service-name_PASSWORD1: cGFzc3dvcmQ=
  _service-name_PASSWORD2: cGFzc3dvcmQ=

and would be great to have:

data:
  PASSWORD1: cGFzc3dvcmQ=
  PASSWORD2: cGFzc3dvcmQ=

That way migration from Kubernetes External Secrets would be easier because I wouldn't have to update the environment variables injected in deployments.
I've tried to change the regex to /service-name/(.*)$, but the result is the same.
Thanks!

[moolen]

hey @jacekpuczko, thank you for bringing this up!
Your problem with rewriting the keys is yet an open issue. While looking at your regexp i noticed the capture group and i think that would actually be a pretty neat way of adding that. Tho i think we still need to support multiple ways of rewriting keys. We should create a design document for that as this is a very common use-case.

[gusfcarvalho]

@moolen specifically for this use case, in vault provider I used the Path to allow filtering out “the root path” from the secrets. (i.e. searching regexp dev/ would lead to different results to secret key names than searching path dev/ and a wildcard regexp) Maybe this can be done in AWS provider as well (and generally speaking, making Path useful for any provider)

[moolen]

That's covered, i added that feature that when you added the field in the vault provider 🌞

external-secrets/pkg/provider/aws/parameterstore/parameterstore.go

Lines 76 to 82 in 56c69a1

	if ref.Path != nil {
	pathFilter = append(pathFilter, &ssm.ParameterStringFilter{
	Key: aws.String("Path"),
	Option: aws.String("Recursive"),
	Values: []*string{ref.Path},
	})
	}

[gusfcarvalho]

In this case @jacekpuczko if you try passing your main path in find.Path and use a general regexp, it might already filter out for you!

[jacekpuczko]

Hi @gusfcarvalho, I've just tried:

  dataFrom:
    - find:
        name:
          regexp: /service-name/.*$
        path: /service-name/

and it gives the same result with prefixes:

data:
  _service-name_PASSWORD1: cGFzc3dvcmQ=
  _service-name_PASSWORD2: cGFzc3dvcmQ=

Using the find.path without name.regex fails with an error.

[gusfcarvalho]

I guess the behavior is not the same as in vault provider, then. I’ll try to make a change for it and then we can see how it goes :)

[jacekpuczko]

Hi @moolen, thanks, using a capture group sounds convenient :)

[jacekpuczko]

Hi @gusfcarvalho, thanks, looking forward :)