migrate aws secretsmanager and aws parameter store to go sdk v2 (#4484)

* initial commit

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* some fixes

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* fix

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* make changes to private functions

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* auth

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* fix

* change fakses

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* satisfy interface

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* rename function calls

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* revert

* Migrate parameterstore to aws sdk v2

* fixes in tests

* Fix parameter store tests

* attempt to migrate auth

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* attempt to migrate auth

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* Partial Auth migration

* change token fetcher logic

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* migrate token fetch logic

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* nit

* migrate assumeroler

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* migrate auth_test

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* migrate auth_test

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* Wrap up auth & resolvers

* migrate ecr

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* migrate sts

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* migrate e2e

* migrate aws error

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* small change

* update go.mod

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* fix auth tests

* revert V1beta1 spec changes

* attempt to fix unit tests

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* use const for resourcenotfoundexception

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* lint

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* more lint fixes

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* more lint fixes

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* remove session cache in auth.go

* fix lint

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* fix lint

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* commit changes made to doc

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* Fix AWS provider tests for SDK v2 migration

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* check if there's a direct fake function to call in fake client

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* fix

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* address failing test

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* nit

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>

* go mod tidy

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* make check-diff

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* fixed the test

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* fix e2e test case configuration

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* session cache option is removed

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* using pointers instead

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* fix using the right name type for the tag parameter

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* refactor to remove the two complexity warnings

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* put the experimental flag back and mark it as deprecated

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: SYSHIL <ilhan.syed@gmail.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: AkshithaRajavel <71207279+AkshithaRajavel@users.noreply.github.com>
Co-authored-by: AkshithaRajavel <2407akshi@gmail.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

apis/externalsecrets/v1/secretstore_aws_types.go

@@ -123,7 +123,7 @@ type AWSProvider struct {
 
 	// AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
 	// +optional
-	TransitiveTagKeys []*string `json:"transitiveTagKeys,omitempty"`
+	TransitiveTagKeys []string `json:"transitiveTagKeys,omitempty"`
 
 	// Prefix adds a prefix to all retrieved values.
 	// +optional

apis/externalsecrets/v1/zz_generated.deepcopy.go

@@ -118,14 +118,8 @@ func (in *AWSProvider) DeepCopyInto(out *AWSProvider) {
 	}
 	if in.TransitiveTagKeys != nil {
 		in, out := &in.TransitiveTagKeys, &out.TransitiveTagKeys
-		*out = make([]*string, len(*in))
-		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(string)
-				**out = **in
-			}
-		}
+		*out = make([]string, len(*in))
+		copy(*out, *in)
 	}
 }
 

apis/externalsecrets/v1beta1/clusterexternalsecret_types.go

@@ -36,9 +36,7 @@ type ClusterExternalSecretSpec struct {
 	// +optional
 	ExternalSecretMetadata ExternalSecretMetadata `json:"externalSecretMetadata,omitempty"`
 
-	// The labels to select by to find the Namespaces to create the ExternalSecrets in.
-	// Deprecated: Use NamespaceSelectors instead.
-	// +optional
+	// The labels to select by to find the Namespaces to create the ExternalSecrets in
 	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
 
 	// A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.

apis/generators/v1alpha1/types_sts.go

@@ -22,9 +22,13 @@ import (
 type RequestParameters struct {
 	// SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
 	// IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
-	// (12 hours) as the default.
+	// (12 hours) as the default. Sessions for
+	// Amazon Web Services account owners are restricted to a maximum of 3,600 seconds
+	// (one hour). If the duration is longer than one hour, the session for Amazon Web
+	// Services account owners defaults to one hour.
+
 	// +optional
-	SessionDuration *int64 `json:"sessionDuration,omitempty"`
+	SessionDuration *int32 `json:"sessionDuration,omitempty"`
 	// SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
 	// the GetSessionToken call.
 	// Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device

apis/generators/v1alpha1/zz_generated.deepcopy.go

@@ -1423,7 +1423,7 @@ func (in *RequestParameters) DeepCopyInto(out *RequestParameters) {
 	*out = *in
 	if in.SessionDuration != nil {
 		in, out := &in.SessionDuration, &out.SessionDuration
-		*out = new(int64)
+		*out = new(int32)
 		**out = **in
 	}
 	if in.SerialNumber != nil {

config/crds/bases/external-secrets.io_clusterexternalsecrets.yaml

@@ -1368,9 +1368,8 @@ spec:
                     type: object
                 type: object
               namespaceSelector:
-                description: |-
-                  The labels to select by to find the Namespaces to create the ExternalSecrets in.
-                  Deprecated: Use NamespaceSelectors instead.
+                description: The labels to select by to find the Namespaces to create
+                  the ExternalSecrets in
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.

config/crds/bases/generators.external-secrets.io_clustergenerators.yaml

@@ -897,11 +897,7 @@ spec:
                               (such as arn:aws:iam::123456789012:mfa/user)
                             type: string
                           sessionDuration:
-                            description: |-
-                              SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
-                              IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
-                              (12 hours) as the default.
-                            format: int64
+                            format: int32
                             type: integer
                           tokenCode:
                             description: TokenCode is the value provided by the MFA

config/crds/bases/generators.external-secrets.io_stssessiontokens.yaml

@@ -188,11 +188,7 @@ spec:
                       (such as arn:aws:iam::123456789012:mfa/user)
                     type: string
                   sessionDuration:
-                    description: |-
-                      SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
-                      IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
-                      (12 hours) as the default.
-                    format: int64
+                    format: int32
                     type: integer
                   tokenCode:
                     description: TokenCode is the value provided by the MFA device,

deploy/crds/bundle.yaml

@@ -1299,9 +1299,7 @@ spec:
                       type: object
                   type: object
                 namespaceSelector:
-                  description: |-
-                    The labels to select by to find the Namespaces to create the ExternalSecrets in.
-                    Deprecated: Use NamespaceSelectors instead.
+                  description: The labels to select by to find the Namespaces to create the ExternalSecrets in
                   properties:
                     matchExpressions:
                       description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -21440,11 +21438,7 @@ spec:
                                 (such as arn:aws:iam::123456789012:mfa/user)
                               type: string
                             sessionDuration:
-                              description: |-
-                                SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
-                                IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
-                                (12 hours) as the default.
-                              format: int64
+                              format: int32
                               type: integer
                             tokenCode:
                               description: TokenCode is the value provided by the MFA device, if MFA is required.
@@ -23660,11 +23654,7 @@ spec:
                         (such as arn:aws:iam::123456789012:mfa/user)
                       type: string
                     sessionDuration:
-                      description: |-
-                        SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
-                        IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
-                        (12 hours) as the default.
-                      format: int64
+                      format: int32
                       type: integer
                     tokenCode:
                       description: TokenCode is the value provided by the MFA device, if MFA is required.

docs/api/controller-options.md

@@ -27,7 +27,7 @@ The core controller is invoked without a subcommand and can be configured with t
 | `--enable-flood-gate`                         | boolean  | true    | Enable flood gate. External secret will be reconciled only if the ClusterStore or Store have an healthy or unknown state.                                          |
 | `--enable-extended-metric-labels`             | boolean  | true    | Enable recommended kubernetes annotations as labels in metrics.                                                                                                    |
 | `--enable-leader-election`                    | boolean  | false   | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.                                              |
-| `--experimental-enable-aws-session-cache`     | boolean  | false   | Enable experimental AWS session cache. External secret will reuse the AWS session without creating a new one on each request.                                      |
+| `--experimental-enable-aws-session-cache`     | boolean  | false   | DEPRECATED: this flag is no longer used and will be removed since aws sdk v2 has its own session cache.                                                            |
 | `--help`                                      |          |         | help for external-secrets                                                                                                                                          |
 | `--loglevel`                                  | string   | info    | loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal                                                                                            |
 | `--zap-time-encoding`                         | string   | epoch   | loglevel to use, one of: epoch, millis, nano, iso8601, rfc3339, rfc3339nano                                                                                        |

docs/api/spec.md

@@ -273,7 +273,7 @@ SecretsManager
 <td>
 <code>transitiveTagKeys</code></br>
 <em>
-[]*string
+[]string
 </em>
 </td>
 <td>

e2e/framework/addon/eso.go

@@ -82,10 +82,6 @@ func NewESO(mutators ...MutationFunc) *ESO {
 					Key:   "extraArgs.experimental-enable-vault-token-cache",
 					Value: "true",
 				},
-				{
-					Key:   "extraArgs.experimental-enable-aws-session-cache",
-					Value: "true",
-				},
 			},
 		},
 	}

e2e/framework/framework.go

@@ -107,6 +107,7 @@ func (f *Framework) Install(a addon.Addon) {
 }
 
 // Compose helps define multiple testcases with same/different auth methods.
+// This is a factory function that returns a TableEntry.
 func Compose(descAppend string, f *Framework, fn func(f *Framework) (string, func(*TestCase)), tweaks ...func(*TestCase)) TableEntry {
 	// prepend common fn to tweaks
 	desc, cfn := fn(f)

e2e/go.mod

@@ -48,7 +48,11 @@ require (
 	github.com/akeylesslabs/akeyless-go-cloud-id v0.3.5
 	github.com/akeylesslabs/akeyless-go/v3 v3.6.3
 	github.com/aliyun/alibaba-cloud-sdk-go v1.62.271
-	github.com/aws/aws-sdk-go v1.55.7
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.14
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13
 	github.com/cyberark/conjur-api-go v0.12.15
 	github.com/external-secrets/external-secrets v0.0.0
 	github.com/fluxcd/helm-controller/api v0.37.2
@@ -97,6 +101,17 @@ require (
 	github.com/Masterminds/semver/v3 v3.3.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go v1.55.7 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect

e2e/go.sum

@@ -128,6 +128,36 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W
 github.com/aws/aws-sdk-go v1.41.13/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
 github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM=
+github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2 h1:vlYXbindmagyVA3RS2SPd47eKZ00GZZQcr+etTviHtc=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2/go.mod h1:yGhDiLKguA3iFJYxbrQkQiNzuy+ddxesSZYWVeeEH5Q=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13 h1:JfPeW7F6Y+VqBg6p+8zQv4wlgceguYu5ZT0USEGZ89g=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13/go.mod h1:EonGQFn66wZkJJrrKXrryrxoS3V30rcHvaWvc6oGHCI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=

e2e/suites/provider/cases/aws/parameterstore/provider.go

@@ -19,10 +19,11 @@ import (
 	"errors"
 	"os"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/ssm"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	ssmtypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
 
 	//nolint
 	. "github.com/onsi/ginkgo/v2"
@@ -44,21 +45,18 @@ type Provider struct {
 	ServiceAccountNamespace string
 
 	region    string
-	client    *ssm.SSM
+	client    *ssm.Client
 	framework *framework.Framework
 }
 
 func NewProvider(f *framework.Framework, kid, sak, st, region, saName, saNamespace string) *Provider {
-	sess, err := session.NewSessionWithOptions(session.Options{
-		Config: aws.Config{
-			Credentials: credentials.NewStaticCredentials(kid, sak, st),
-			Region:      aws.String(region),
-		},
-	})
+
+	config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region), config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(kid, sak, st)))
+
 	if err != nil {
 		Fail(err.Error())
 	}
-	sm := ssm.New(sess)
+	sm := ssm.NewFromConfig(config)
 	prov := &Provider{
 		ServiceAccountName:      saName,
 		ServiceAccountNamespace: saNamespace,
@@ -94,9 +92,9 @@ func NewFromEnv(f *framework.Framework) *Provider {
 
 // CreateSecret creates a secret at the provider.
 func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
-	pmTags := make([]*ssm.Tag, 0)
+	pmTags := make([]ssmtypes.Tag, 0)
 	for k, v := range val.Tags {
-		pmTags = append(pmTags, &ssm.Tag{
+		pmTags = append(pmTags, ssmtypes.Tag{
 			Key:   aws.String(k),
 			Value: aws.String(v),
 		})
@@ -107,11 +105,11 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 	if len(val.Tags) == 0 {
 		overwrite = true
 	}
-	_, err := s.client.PutParameter(&ssm.PutParameterInput{
+	_, err := s.client.PutParameter(context.Background(), &ssm.PutParameterInput{
 		Name:      aws.String(key),
 		Value:     aws.String(val.Value),
 		DataType:  aws.String("text"),
-		Type:      aws.String("String"),
+		Type:      ssmtypes.ParameterTypeString,
 		Overwrite: aws.Bool(overwrite),
 		Tags:      pmTags,
 	})
@@ -120,10 +118,10 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 
 // DeleteSecret deletes a secret at the provider.
 func (s *Provider) DeleteSecret(key string) {
-	_, err := s.client.DeleteParameter(&ssm.DeleteParameterInput{
+	_, err := s.client.DeleteParameter(context.Background(), &ssm.DeleteParameterInput{
 		Name: aws.String(key),
 	})
-	var nf *ssm.ParameterNotFound
+	var nf *ssmtypes.ParameterNotFound
 	if errors.As(err, &nf) {
 		return
 	}

e2e/suites/provider/cases/aws/secretsmanager/provider.go

@@ -20,11 +20,11 @@ import (
 	"os"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/secretsmanager"
-
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	secretsmanagertypes "github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	//nolint
 	. "github.com/onsi/ginkgo/v2"
 
@@ -45,21 +45,16 @@ type Provider struct {
 	ServiceAccountNamespace string
 
 	region    string
-	client    *secretsmanager.SecretsManager
+	client    *secretsmanager.Client
 	framework *framework.Framework
 }
 
 func NewProvider(f *framework.Framework, kid, sak, st, region, saName, saNamespace string) *Provider {
-	sess, err := session.NewSessionWithOptions(session.Options{
-		Config: aws.Config{
-			Credentials: credentials.NewStaticCredentials(kid, sak, st),
-			Region:      aws.String(region),
-		},
-	})
+	config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region), config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(kid, sak, st)))
 	if err != nil {
 		Fail(err.Error())
 	}
-	sm := secretsmanager.New(sess)
+	sm := secretsmanager.NewFromConfig(config)
 	prov := &Provider{
 		ServiceAccountName:      saName,
 		ServiceAccountNamespace: saNamespace,
@@ -108,9 +103,9 @@ func NewFromEnv(f *framework.Framework) *Provider {
 
 // CreateSecret creates a secret at the provider.
 func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
-	smTags := make([]*secretsmanager.Tag, 0)
+	smTags := make([]secretsmanagertypes.Tag, 0)
 	for k, v := range val.Tags {
-		smTags = append(smTags, &secretsmanager.Tag{
+		smTags = append(smTags, secretsmanagertypes.Tag{
 			Key:   aws.String(k),
 			Value: aws.String(v),
 		})
@@ -122,7 +117,7 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 	attempts := 20
 	for {
 		log.Logf("creating secret %s / attempts left: %d", key, attempts)
-		_, err := s.client.CreateSecret(&secretsmanager.CreateSecretInput{
+		_, err := s.client.CreateSecret(context.Background(), &secretsmanager.CreateSecretInput{
 			Name:         aws.String(key),
 			SecretString: aws.String(val.Value),
 			Tags:         smTags,
@@ -143,11 +138,11 @@ func (s *Provider) CreateSecret(key string, val framework.SecretEntry) {
 // and the removal of the secret on the provider side.
 func (s *Provider) DeleteSecret(key string) {
 	log.Logf("deleting secret %s", key)
-	_, err := s.client.DeleteSecret(&secretsmanager.DeleteSecretInput{
+	_, err := s.client.DeleteSecret(context.Background(), &secretsmanager.DeleteSecretInput{
 		SecretId:                   aws.String(key),
 		ForceDeleteWithoutRecovery: aws.Bool(true),
 	})
-	var nf *secretsmanager.ResourceNotFoundException
+	var nf *secretsmanagertypes.ResourceNotFoundException
 	if errors.As(err, &nf) {
 		return
 	}

go.mod

@@ -79,6 +79,15 @@ require (
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.7
 	github.com/aliyun/credentials-go v1.4.6
 	github.com/avast/retry-go/v4 v4.6.1
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.14
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.32.2
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19
+	github.com/aws/smithy-go v1.22.2
 	github.com/bradleyfalzon/ghinstallation/v2 v2.15.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cloudru-tech/iam-sdk v1.0.4
@@ -129,6 +138,14 @@ require (
 	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect

go.sum

@@ -226,6 +226,40 @@ github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU
 github.com/aws/aws-sdk-go v1.41.13/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
 github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM=
+github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3 h1:YyH8Hk73bYzdbvf6S8NF5z/fb/1stpiMnFSfL6jSfRA=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3/go.mod h1:iQ1skgw1XRK+6Lgkb0I9ODatAP72WoTILh0zXQ5DtbU=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.32.2 h1:aKT7DQn1Nvlr5QNL03/gdYr0m7FarLS9CkNCUfyFRFI=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.32.2/go.mod h1:RZL7ov7c72wSmoM8bIiVxRHgcVdzhNkVW2J36C8RF4s=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2 h1:vlYXbindmagyVA3RS2SPd47eKZ00GZZQcr+etTviHtc=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2/go.mod h1:yGhDiLKguA3iFJYxbrQkQiNzuy+ddxesSZYWVeeEH5Q=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13 h1:JfPeW7F6Y+VqBg6p+8zQv4wlgceguYu5ZT0USEGZ89g=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13/go.mod h1:EonGQFn66wZkJJrrKXrryrxoS3V30rcHvaWvc6oGHCI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

pkg/generator/ecr/ecr.go

@@ -22,11 +22,9 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/ecr"
-	"github.com/aws/aws-sdk-go/service/ecr/ecriface"
-	"github.com/aws/aws-sdk-go/service/ecrpublic"
-	"github.com/aws/aws-sdk-go/service/ecrpublic/ecrpubliciface"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ecr"
+	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
@@ -36,6 +34,14 @@ import (
 	awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
 )
 
+type ecrAPI interface {
+	GetAuthorizationToken(ctx context.Context, params *ecr.GetAuthorizationTokenInput, optFuncs ...func(*ecr.Options)) (*ecr.GetAuthorizationTokenOutput, error)
+}
+
+type ecrPublicAPI interface {
+	GetAuthorizationToken(ctx context.Context, params *ecrpublic.GetAuthorizationTokenInput, optFuncs ...func(*ecrpublic.Options)) (*ecrpublic.GetAuthorizationTokenOutput, error)
+}
+
 type Generator struct{}
 
 const (
@@ -69,7 +75,7 @@ func (g *Generator) generate(
 	if err != nil {
 		return nil, nil, fmt.Errorf(errParseSpec, err)
 	}
-	sess, err := awsauth.NewGeneratorSession(
+	cfg, err := awsauth.NewGeneratorSession(
 		ctx,
 		esv1.AWSAuth{
 			SecretRef: (*esv1.AWSAuthSecretRef)(res.Spec.Auth.SecretRef),
@@ -86,15 +92,15 @@ func (g *Generator) generate(
 	}
 
 	if res.Spec.Scope == "public" {
-		return fetchECRPublicToken(sess, ecrPublicFunc)
+		return fetchECRPublicToken(ctx, cfg, ecrPublicFunc)
 	}
 
-	return fetchECRPrivateToken(sess, ecrPrivateFunc)
+	return fetchECRPrivateToken(ctx, cfg, ecrPrivateFunc)
 }
 
-func fetchECRPrivateToken(sess *session.Session, ecrPrivateFunc ecrPrivateFactoryFunc) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
-	client := ecrPrivateFunc(sess)
-	out, err := client.GetAuthorizationToken(&ecr.GetAuthorizationTokenInput{})
+func fetchECRPrivateToken(ctx context.Context, cfg *aws.Config, ecrPrivateFunc ecrPrivateFactoryFunc) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
+	client := ecrPrivateFunc(cfg)
+	out, err := client.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
 	if err != nil {
 		return nil, nil, fmt.Errorf(errGetPrivateToken, err)
 	}
@@ -121,9 +127,9 @@ func fetchECRPrivateToken(sess *session.Session, ecrPrivateFunc ecrPrivateFactor
 	}, nil, nil
 }
 
-func fetchECRPublicToken(sess *session.Session, ecrPublicFunc ecrPublicFactoryFunc) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
-	client := ecrPublicFunc(sess)
-	out, err := client.GetAuthorizationToken(&ecrpublic.GetAuthorizationTokenInput{})
+func fetchECRPublicToken(ctx context.Context, cfg *aws.Config, ecrPublicFunc ecrPublicFactoryFunc) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
+	client := ecrPublicFunc(cfg)
+	out, err := client.GetAuthorizationToken(ctx, &ecrpublic.GetAuthorizationTokenInput{})
 	if err != nil {
 		return nil, nil, fmt.Errorf(errGetPublicToken, err)
 	}
@@ -145,15 +151,15 @@ func fetchECRPublicToken(sess *session.Session, ecrPublicFunc ecrPublicFactoryFu
 	}, nil, nil
 }
 
-type ecrPrivateFactoryFunc func(aws *session.Session) ecriface.ECRAPI
-type ecrPublicFactoryFunc func(aws *session.Session) ecrpubliciface.ECRPublicAPI
+type ecrPrivateFactoryFunc func(aws *aws.Config) ecrAPI
+type ecrPublicFactoryFunc func(aws *aws.Config) ecrPublicAPI
 
-func ecrPrivateFactory(aws *session.Session) ecriface.ECRAPI {
-	return ecr.New(aws)
+func ecrPrivateFactory(cfg *aws.Config) ecrAPI {
+	return ecr.NewFromConfig(*cfg)
 }
 
-func ecrPublicFactory(aws *session.Session) ecrpubliciface.ECRPublicAPI {
-	return ecrpublic.New(aws)
+func ecrPublicFactory(cfg *aws.Config) ecrPublicAPI {
+	return ecrpublic.NewFromConfig(*cfg)
 }
 
 func parseSpec(data []byte) (*genv1alpha1.ECRAuthorizationToken, error) {

pkg/generator/ecr/ecr_test.go

@@ -22,11 +22,11 @@ import (
 	"testing"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/ecr"
-	"github.com/aws/aws-sdk-go/service/ecr/ecriface"
-	"github.com/aws/aws-sdk-go/service/ecrpublic"
-	"github.com/aws/aws-sdk-go/service/ecrpublic/ecrpubliciface"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ecr"
+	ecrtypes "github.com/aws/aws-sdk-go-v2/service/ecr/types"
+	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
+	ecrpublictypes "github.com/aws/aws-sdk-go-v2/service/ecrpublic/types"
 	v1 "k8s.io/api/core/v1"
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -87,7 +87,7 @@ func TestGenerate(t *testing.T) {
 				authTokenPrivateFunc: func(in *ecr.GetAuthorizationTokenInput) (*ecr.GetAuthorizationTokenOutput, error) {
 					t := time.Unix(1234, 0)
 					return &ecr.GetAuthorizationTokenOutput{
-						AuthorizationData: []*ecr.AuthorizationData{
+						AuthorizationData: []ecrtypes.AuthorizationData{
 							{
 								AuthorizationToken: utilpointer.To(base64.StdEncoding.EncodeToString([]byte("uuser:pass"))),
 								ProxyEndpoint:      utilpointer.To("foo"),
@@ -127,7 +127,7 @@ spec:
 				authTokenPublicFunc: func(in *ecrpublic.GetAuthorizationTokenInput) (*ecrpublic.GetAuthorizationTokenOutput, error) {
 					t := time.Unix(5678, 0)
 					return &ecrpublic.GetAuthorizationTokenOutput{
-						AuthorizationData: &ecrpublic.AuthorizationData{
+						AuthorizationData: &ecrpublictypes.AuthorizationData{
 							AuthorizationToken: utilpointer.To(base64.StdEncoding.EncodeToString([]byte("pubuser:pubpass"))),
 							ExpiresAt:          &t,
 						},
@@ -157,12 +157,12 @@ spec:
 				tt.args.jsonSpec,
 				tt.args.kube,
 				tt.args.namespace,
-				func(aws *session.Session) ecriface.ECRAPI {
+				func(cfg *aws.Config) ecrAPI {
 					return &FakeECRPrivate{
 						authTokenFunc: tt.args.authTokenPrivateFunc,
 					}
 				},
-				func(aws *session.Session) ecrpubliciface.ECRPublicAPI {
+				func(cfg *aws.Config) ecrPublicAPI {
 					return &FakeECRPublic{
 						authTokenFunc: tt.args.authTokenPublicFunc,
 					}
@@ -180,19 +180,17 @@ spec:
 }
 
 type FakeECRPrivate struct {
-	ecriface.ECRAPI
 	authTokenFunc func(*ecr.GetAuthorizationTokenInput) (*ecr.GetAuthorizationTokenOutput, error)
 }
 
-func (e *FakeECRPrivate) GetAuthorizationToken(in *ecr.GetAuthorizationTokenInput) (*ecr.GetAuthorizationTokenOutput, error) {
-	return e.authTokenFunc(in)
+func (e *FakeECRPrivate) GetAuthorizationToken(ctx context.Context, params *ecr.GetAuthorizationTokenInput, optFns ...func(*ecr.Options)) (*ecr.GetAuthorizationTokenOutput, error) {
+	return e.authTokenFunc(params)
 }
 
 type FakeECRPublic struct {
-	ecrpubliciface.ECRPublicAPI
 	authTokenFunc func(*ecrpublic.GetAuthorizationTokenInput) (*ecrpublic.GetAuthorizationTokenOutput, error)
 }
 
-func (e *FakeECRPublic) GetAuthorizationToken(in *ecrpublic.GetAuthorizationTokenInput) (*ecrpublic.GetAuthorizationTokenOutput, error) {
-	return e.authTokenFunc(in)
+func (e *FakeECRPublic) GetAuthorizationToken(ctx context.Context, params *ecrpublic.GetAuthorizationTokenInput, optFns ...func(*ecrpublic.Options)) (*ecrpublic.GetAuthorizationTokenOutput, error) {
+	return e.authTokenFunc(params)
 }

pkg/generator/sts/sts.go

@@ -20,9 +20,8 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/sts"
-	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
@@ -32,6 +31,11 @@ import (
 	awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
 )
 
+// stsAPI defines the methods needed for the STS generator.
+type stsAPI interface {
+	GetSessionToken(ctx context.Context, params *sts.GetSessionTokenInput, optFns ...func(*sts.Options)) (*sts.GetSessionTokenOutput, error)
+}
+
 type Generator struct{}
 
 const (
@@ -59,7 +63,7 @@ func (g *Generator) generate(
 	if err != nil {
 		return nil, nil, fmt.Errorf(errParseSpec, err)
 	}
-	sess, err := awsauth.NewGeneratorSession(
+	cfg, err := awsauth.NewGeneratorSession(
 		ctx,
 		esv1.AWSAuth{
 			SecretRef: (*esv1.AWSAuthSecretRef)(res.Spec.Auth.SecretRef),
@@ -74,14 +78,14 @@ func (g *Generator) generate(
 	if err != nil {
 		return nil, nil, fmt.Errorf(errCreateSess, err)
 	}
-	client := stsFunc(sess)
+	client := stsFunc(cfg)
 	input := &sts.GetSessionTokenInput{}
 	if res.Spec.RequestParameters != nil {
 		input.DurationSeconds = res.Spec.RequestParameters.SessionDuration
 		input.TokenCode = res.Spec.RequestParameters.TokenCode
 		input.SerialNumber = res.Spec.RequestParameters.SerialNumber
 	}
-	out, err := client.GetSessionToken(input)
+	out, err := client.GetSessionToken(ctx, input)
 	if err != nil {
 		return nil, nil, fmt.Errorf(errGetToken, err)
 	}
@@ -101,10 +105,10 @@ func (g *Generator) Cleanup(_ context.Context, jsonSpec *apiextensions.JSON, sta
 	return nil
 }
 
-type stsFactoryFunc func(aws *session.Session) stsiface.STSAPI
+type stsFactoryFunc func(cfg *aws.Config) stsAPI
 
-func stsFactory(aws *session.Session) stsiface.STSAPI {
-	return sts.New(aws)
+func stsFactory(cfg *aws.Config) stsAPI {
+	return sts.NewFromConfig(*cfg)
 }
 
 func parseSpec(data []byte) (*genv1alpha1.STSSessionToken, error) {

pkg/generator/sts/sts_test.go

@@ -21,9 +21,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/sts"
-	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	ststypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
 	v1 "k8s.io/api/core/v1"
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -39,7 +39,7 @@ func TestGenerate(t *testing.T) {
 		jsonSpec  *apiextensions.JSON
 		kube      client.Client
 		namespace string
-		tokenFunc func(*sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error)
+		tokenFunc func(context.Context, *sts.GetSessionTokenInput, ...func(*sts.Options)) (*sts.GetSessionTokenOutput, error)
 	}
 	tests := []struct {
 		name    string
@@ -58,7 +58,7 @@ func TestGenerate(t *testing.T) {
 		{
 			name: "invalid json",
 			args: args{
-				tokenFunc: func(*sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error) {
+				tokenFunc: func(ctx context.Context, input *sts.GetSessionTokenInput, optFns ...func(*sts.Options)) (*sts.GetSessionTokenOutput, error) {
 					return nil, errors.New("boom")
 				},
 				jsonSpec: &apiextensions.JSON{
@@ -81,10 +81,10 @@ func TestGenerate(t *testing.T) {
 						"access-secret": []byte("bar"),
 					},
 				}).Build(),
-				tokenFunc: func(*sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error) {
+				tokenFunc: func(ctx context.Context, input *sts.GetSessionTokenInput, optFns ...func(*sts.Options)) (*sts.GetSessionTokenOutput, error) {
 					t := time.Unix(1234, 0)
 					return &sts.GetSessionTokenOutput{
-						Credentials: &sts.Credentials{
+						Credentials: &ststypes.Credentials{
 							AccessKeyId:     utils.Ptr("access-key-id"),
 							Expiration:      utils.Ptr(t),
 							SecretAccessKey: utils.Ptr("secret-access-key"),
@@ -124,7 +124,7 @@ spec:
 				tt.args.jsonSpec,
 				tt.args.kube,
 				tt.args.namespace,
-				func(aws *session.Session) stsiface.STSAPI {
+				func(cfg *aws.Config) stsAPI {
 					return &FakeSTS{
 						getSessionToken: tt.args.tokenFunc,
 					}
@@ -142,10 +142,9 @@ spec:
 }
 
 type FakeSTS struct {
-	stsiface.STSAPI
-	getSessionToken func(*sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error)
+	getSessionToken func(context.Context, *sts.GetSessionTokenInput, ...func(*sts.Options)) (*sts.GetSessionTokenOutput, error)
 }
 
-func (e *FakeSTS) GetSessionToken(in *sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error) {
-	return e.getSessionToken(in)
+func (e *FakeSTS) GetSessionToken(ctx context.Context, params *sts.GetSessionTokenInput, optFns ...func(*sts.Options)) (*sts.GetSessionTokenOutput, error) {
+	return e.getSessionToken(ctx, params, optFns...)
 }

pkg/provider/aws/auth/auth.go

@@ -18,14 +18,12 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
-	"github.com/aws/aws-sdk-go/aws/defaults"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/sts"
-	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	stsTypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
 	"github.com/spf13/pflag"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -35,7 +33,6 @@ import (
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/cache"
 	"github.com/external-secrets/external-secrets/pkg/feature"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
@@ -51,7 +48,6 @@ type Config struct {
 var (
 	log                = ctrl.Log.WithName("provider").WithName("aws")
 	enableSessionCache bool
-	sessionCache       *cache.Cache[*session.Session]
 )
 
 const (
@@ -66,93 +62,108 @@ const (
 
 func init() {
 	fs := pflag.NewFlagSet("aws-auth", pflag.ExitOnError)
-	fs.BoolVar(&enableSessionCache, "experimental-enable-aws-session-cache", false, "Enable experimental AWS session cache. External secret will reuse the AWS session without creating a new one on each request.")
+	fs.BoolVar(&enableSessionCache, "experimental-enable-aws-session-cache", false, "DEPRECATED: this flag is no longer used and will be removed since aws sdk v2 has its own session cache.")
 	feature.Register(feature.Feature{
 		Flags: fs,
 	})
-	sessionCache = cache.Must[*session.Session](1024, nil)
 }
 
-// New creates a new aws session based on the provided store
+// Opts define options for New function.
+type Opts struct {
+	Store       esv1.GenericStore
+	Kube        client.Client
+	Namespace   string
+	AssumeRoler STSProvider
+	JWTProvider jwtProviderFactory
+}
+
+// New creates a new aws config based on the provided store
 // it uses the following authentication mechanisms in order:
 // * service-account token authentication via AssumeRoleWithWebIdentity
 // * static credentials from a Kind=Secret, optionally with doing a AssumeRole.
 // * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
-func New(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error) {
-	prov, err := util.GetAWSProvider(store)
+func New(ctx context.Context, opts Opts) (*aws.Config, error) {
+	prov, err := util.GetAWSProvider(opts.Store)
 	if err != nil {
 		return nil, err
 	}
-	var creds *credentials.Credentials
-	isClusterKind := store.GetObjectKind().GroupVersionKind().Kind == esv1.ClusterSecretStoreKind
-
-	// use credentials via service account token
-	jwtAuth := prov.Auth.JWTAuth
-	if jwtAuth != nil {
-		creds, err = credsFromServiceAccount(ctx, prov.Auth, prov.Region, isClusterKind, kube, namespace, jwtProvider)
-		if err != nil {
-			return nil, err
-		}
-	}
+	var credsProvider aws.CredentialsProvider
+	isClusterKind := opts.Store.GetObjectKind().GroupVersionKind().Kind == esv1.ClusterSecretStoreKind
 
-	// use credentials from secretRef
-	secretRef := prov.Auth.SecretRef
-	if secretRef != nil {
-		log.V(1).Info("using credentials from secretRef")
-		creds, err = credsFromSecretRef(ctx, prov.Auth, store.GetKind(), kube, namespace)
-		if err != nil {
-			return nil, err
-		}
+	credsProvider, err = constructCredsProvider(ctx, prov, isClusterKind, opts)
+	if err != nil {
+		return nil, err
 	}
 
-	config := aws.NewConfig().WithEndpointResolver(ResolveEndpoint())
-	if creds != nil {
-		config.WithCredentials(creds)
+	// global endpoint resolver is deprecated, should we EndpointResolverV2 field on service client options
+	var loadCfgOpts []func(*config.LoadOptions) error
+	if credsProvider != nil {
+		loadCfgOpts = append(loadCfgOpts, config.WithCredentialsProvider(credsProvider))
 	}
 	if prov.Region != "" {
-		config.WithRegion(prov.Region)
+		loadCfgOpts = append(loadCfgOpts, config.WithRegion(prov.Region))
 	}
 
-	sess, err := getAWSSession(config, enableSessionCache, store.GetName(), store.GetTypeMeta().Kind, namespace, store.GetObjectMeta().ResourceVersion)
+	return createConfiguration(prov, opts.AssumeRoler, loadCfgOpts)
+}
+
+func createConfiguration(prov *esv1.AWSProvider, assumeRoler STSProvider, loadCfgOpts []func(*config.LoadOptions) error) (*aws.Config, error) {
+	cfg, err := config.LoadDefaultConfig(context.TODO(), loadCfgOpts...)
 	if err != nil {
 		return nil, err
 	}
 
 	for _, aRole := range prov.AdditionalRoles {
-		stsclient := assumeRoler(sess)
-		sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, aRole))
+		stsclient := assumeRoler(cfg)
+		cfg.Credentials = stscreds.NewAssumeRoleProvider(stsclient, aRole)
 	}
 
 	sessExtID := prov.ExternalID
 	sessTransitiveTagKeys := prov.TransitiveTagKeys
-	sessTags := make([]*sts.Tag, len(prov.SessionTags))
+	sessTags := make([]stsTypes.Tag, len(prov.SessionTags))
 	for i, tag := range prov.SessionTags {
-		sessTags[i] = &sts.Tag{
+		sessTags[i] = stsTypes.Tag{
 			Key:   aws.String(tag.Key),
 			Value: aws.String(tag.Value),
 		}
 	}
 	if prov.Role != "" {
-		stsclient := assumeRoler(sess)
+		stsclient := assumeRoler(cfg)
 		if sessExtID != "" || sessTags != nil {
-			var setAssumeRoleOptions = func(p *stscreds.AssumeRoleProvider) {
-				if sessExtID != "" {
-					p.ExternalID = aws.String(sessExtID)
-				}
-				if sessTags != nil {
-					p.Tags = sessTags
-					if len(sessTransitiveTagKeys) > 0 {
-						p.TransitiveTagKeys = sessTransitiveTagKeys
-					}
-				}
-			}
-			sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, prov.Role, setAssumeRoleOptions))
+			cfg.Credentials = stscreds.NewAssumeRoleProvider(stsclient, prov.Role, setAssumeRoleOptionFn(sessExtID, sessTags, sessTransitiveTagKeys))
 		} else {
-			sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, prov.Role))
+			cfg.Credentials = stscreds.NewAssumeRoleProvider(stsclient, prov.Role)
+		}
+	}
+	log.Info("using aws config", "region", cfg.Region, "external id", sessExtID, "credentials", cfg.Credentials)
+
+	return &cfg, nil
+}
+
+func setAssumeRoleOptionFn(sessExtID string, sessTags []stsTypes.Tag, sessTransitiveTagKeys []string) func(p *stscreds.AssumeRoleOptions) {
+	return func(p *stscreds.AssumeRoleOptions) {
+		if sessExtID != "" {
+			p.ExternalID = aws.String(sessExtID)
 		}
+		if sessTags != nil {
+			p.Tags = sessTags
+			if len(sessTransitiveTagKeys) > 0 {
+				p.TransitiveTagKeys = sessTransitiveTagKeys
+			}
+		}
+	}
+}
+
+func constructCredsProvider(ctx context.Context, prov *esv1.AWSProvider, isClusterKind bool, opts Opts) (aws.CredentialsProvider, error) {
+	switch {
+	case prov.Auth.JWTAuth != nil:
+		return credsFromServiceAccount(ctx, prov.Auth, prov.Region, isClusterKind, opts.Kube, opts.Namespace, opts.JWTProvider)
+	case prov.Auth.SecretRef != nil:
+		log.V(1).Info("using credentials from secretRef")
+		return credsFromSecretRef(ctx, prov.Auth, opts.Store.GetKind(), opts.Kube, opts.Namespace)
+	default:
+		return nil, nil
 	}
-	log.Info("using aws session", "region", *sess.Config.Region, "external id", sessExtID, "credentials", creds)
-	return sess, nil
 }
 
 // NewGeneratorSession creates a new aws session based on the provided store
@@ -160,14 +171,16 @@ func New(ctx context.Context, store esv1.GenericStore, kube client.Client, names
 // * service-account token authentication via AssumeRoleWithWebIdentity
 // * static credentials from a Kind=Secret, optionally with doing a AssumeRole.
 // * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
-func NewGeneratorSession(ctx context.Context, auth esv1.AWSAuth, role, region string, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error) {
-	var creds *credentials.Credentials
-	var err error
+func NewGeneratorSession(ctx context.Context, auth esv1.AWSAuth, role, region string, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*aws.Config, error) {
+	var (
+		credsProvider aws.CredentialsProvider
+		err           error
+	)
 
 	// use credentials via service account token
 	jwtAuth := auth.JWTAuth
 	if jwtAuth != nil {
-		creds, err = credsFromServiceAccount(ctx, auth, region, false, kube, namespace, jwtProvider)
+		credsProvider, err = credsFromServiceAccount(ctx, auth, region, false, kube, namespace, jwtProvider)
 		if err != nil {
 			return nil, err
 		}
@@ -177,38 +190,33 @@ func NewGeneratorSession(ctx context.Context, auth esv1.AWSAuth, role, region st
 	secretRef := auth.SecretRef
 	if secretRef != nil {
 		log.V(1).Info("using credentials from secretRef")
-		creds, err = credsFromSecretRef(ctx, auth, "", kube, namespace)
+		credsProvider, err = credsFromSecretRef(ctx, auth, "", kube, namespace)
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	config := aws.NewConfig().WithEndpointResolver(ResolveEndpoint())
-	if creds != nil {
-		config.WithCredentials(creds)
+	config := aws.NewConfig()
+	if credsProvider != nil {
+		config.Credentials = credsProvider
 	}
 	if region != "" {
-		config.WithRegion(region)
-	}
-
-	sess, err := getAWSSession(config, false, "", "", "", "")
-	if err != nil {
-		return nil, err
+		config.Region = region
 	}
 
 	if role != "" {
-		stsclient := assumeRoler(sess)
-		sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, role))
+		stsclient := assumeRoler(*config)
+		config.Credentials = stscreds.NewAssumeRoleProvider(stsclient, role)
 	}
-	log.Info("using aws session", "region", *sess.Config.Region, "credentials", creds)
-	return sess, nil
+	log.Info("using aws config", "region", config.Region, "credentials", config.Credentials)
+	return config, nil
 }
 
 // credsFromSecretRef pulls access-key / secret-access-key from a secretRef to
 // construct a aws.Credentials object
 // The namespace of the external secret is used if the ClusterSecretStore does not specify a namespace (referentAuth)
 // If the ClusterSecretStore defines a namespace it will take precedence.
-func credsFromSecretRef(ctx context.Context, auth esv1.AWSAuth, storeKind string, kube client.Client, namespace string) (*credentials.Credentials, error) {
+func credsFromSecretRef(ctx context.Context, auth esv1.AWSAuth, storeKind string, kube client.Client, namespace string) (aws.CredentialsProvider, error) {
 	sak, err := resolvers.SecretKeyRef(ctx, kube, storeKind, namespace, &auth.SecretRef.SecretAccessKey)
 	if err != nil {
 		return nil, fmt.Errorf(errFetchSAKSecret, err)
@@ -225,8 +233,9 @@ func credsFromSecretRef(ctx context.Context, auth esv1.AWSAuth, storeKind string
 			return nil, fmt.Errorf(errFetchSTSecret, err)
 		}
 	}
+	var credsProvider aws.CredentialsProvider = credentials.NewStaticCredentialsProvider(aks, sak, sessionToken)
 
-	return credentials.NewStaticCredentials(aks, sak, sessionToken), err
+	return credsProvider, nil
 }
 
 // credsFromServiceAccount uses a Kubernetes Service Account to acquire temporary
@@ -234,7 +243,7 @@ func credsFromSecretRef(ctx context.Context, auth esv1.AWSAuth, storeKind string
 // in the ServiceAccount annotation.
 // If the ClusterSecretStore does not define a namespace it will use the namespace from the ExternalSecret (referentAuth).
 // If the ClusterSecretStore defines the namespace it will take precedence.
-func credsFromServiceAccount(ctx context.Context, auth esv1.AWSAuth, region string, isClusterKind bool, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
+func credsFromServiceAccount(ctx context.Context, auth esv1.AWSAuth, region string, isClusterKind bool, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (aws.CredentialsProvider, error) {
 	name := auth.JWTAuth.ServiceAccountRef.Name
 	if isClusterKind && auth.JWTAuth.ServiceAccountRef.Namespace != nil {
 		namespace = *auth.JWTAuth.ServiceAccountRef.Namespace
@@ -269,15 +278,16 @@ func credsFromServiceAccount(ctx context.Context, auth esv1.AWSAuth, region stri
 	}
 
 	log.V(1).Info("using credentials via service account", "role", roleArn, "region", region)
-	return credentials.NewCredentials(jwtProv), nil
+
+	return jwtProv, nil
 }
 
-type jwtProviderFactory func(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error)
+type jwtProviderFactory func(name, namespace, roleArn string, aud []string, region string) (aws.CredentialsProvider, error)
 
 // DefaultJWTProvider returns a credentials.Provider that calls the AssumeRoleWithWebidentity
 // controller-runtime/client does not support TokenRequest or other subresource APIs
 // so we need to construct our own client and use it to fetch tokens.
-func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error) {
+func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region string) (aws.CredentialsProvider, error) {
 	cfg, err := ctrlcfg.GetConfig()
 	if err != nil {
 		return nil, err
@@ -286,66 +296,43 @@ func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region st
 	if err != nil {
 		return nil, err
 	}
-	handlers := defaults.Handlers()
-	handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets"))
-	awscfg := aws.NewConfig().WithEndpointResolver(ResolveEndpoint())
-	if region != "" {
-		awscfg.WithRegion(region)
-	}
-	sess, err := session.NewSessionWithOptions(session.Options{
-		Config:            *awscfg,
-		SharedConfigState: session.SharedConfigDisable,
-		Handlers:          handlers,
-	})
+
+	awscfg, err := config.LoadDefaultConfig(context.TODO(), config.WithAppID("external-secrets"), // Disable shared config files:
+		config.WithSharedConfigFiles([]string{}),
+		config.WithSharedCredentialsFiles([]string{}))
+
 	if err != nil {
 		return nil, err
 	}
-	tokenFetcher := &authTokenFetcher{
+
+	tokenFetcher := authTokenFetcher{
 		Namespace:      namespace,
 		Audiences:      aud,
 		ServiceAccount: name,
 		k8sClient:      clientset.CoreV1(),
 	}
-
-	return stscreds.NewWebIdentityRoleProviderWithOptions(
-		sts.New(sess), roleArn, "external-secrets-provider-aws", tokenFetcher), nil
+	stsClient := sts.NewFromConfig(awscfg, func(o *sts.Options) {
+		o.EndpointResolverV2 = customEndpointResolver{}
+	})
+	return stscreds.NewWebIdentityRoleProvider(
+		stsClient, roleArn, tokenFetcher, func(opts *stscreds.WebIdentityRoleOptions) {
+			opts.RoleSessionName = "external-secrets-provider-aws"
+		}), nil
 }
 
-type STSProvider func(*session.Session) stsiface.STSAPI
-
-func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI {
-	return sts.New(sess)
+type STSprovider interface {
+	AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
+	AssumeRoleWithSAML(ctx context.Context, params *sts.AssumeRoleWithSAMLInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithSAMLOutput, error)
+	AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithWebIdentityOutput, error)
+	AssumeRoot(ctx context.Context, params *sts.AssumeRootInput, optFns ...func(*sts.Options)) (*sts.AssumeRootOutput, error)
+	DecodeAuthorizationMessage(ctx context.Context, params *sts.DecodeAuthorizationMessageInput, optFns ...func(*sts.Options)) (*sts.DecodeAuthorizationMessageOutput, error)
 }
 
-// getAWSSession checks if an AWS session should be reused
-// it returns the aws session or an error.
-func getAWSSession(config *aws.Config, enableCache bool, name, kind, namespace, resourceVersion string) (*session.Session, error) {
-	key := cache.Key{
-		Name:      name,
-		Namespace: namespace,
-		Kind:      kind,
-	}
-
-	if enableCache {
-		sess, ok := sessionCache.Get(resourceVersion, key)
-		if ok {
-			log.Info("reusing aws session", "SecretStore", key.Name, "namespace", key.Namespace, "kind", key.Kind, "resourceversion", resourceVersion)
-			return sess.Copy(), nil
-		}
-	}
+type STSProvider func(aws.Config) STSprovider
 
-	handlers := defaults.Handlers()
-	handlers.Build.PushBack(request.WithAppendUserAgent("external-secrets"))
-	sess, err := session.NewSessionWithOptions(session.Options{
-		Config:   *config,
-		Handlers: handlers,
+func DefaultSTSProvider(cfg aws.Config) STSprovider {
+	stsClient := sts.NewFromConfig(cfg, func(o *sts.Options) {
+		o.EndpointResolverV2 = customEndpointResolver{}
 	})
-	if err != nil {
-		return nil, err
-	}
-
-	if enableCache {
-		sessionCache.Add(resourceVersion, key, sess.Copy())
-	}
-	return sess, nil
+	return stsClient
 }

pkg/provider/aws/auth/auth_test.go

@@ -20,11 +20,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials"
-	awssess "github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/sts"
-	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	ststypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
 	"github.com/stretchr/testify/assert"
 	authv1 "k8s.io/api/authentication/v1"
 	v1 "k8s.io/api/core/v1"
@@ -43,6 +41,18 @@ const (
 	otherNsName         = "other-ns"
 )
 
+func TestSTSResolver(t *testing.T) {
+	endpointEnvKey := STSEndpointEnv
+	endpointURL := "http://sts.foo"
+
+	t.Setenv(endpointEnvKey, endpointURL)
+
+	f, err := customEndpointResolver{}.ResolveEndpoint(context.Background(), sts.EndpointParameters{})
+
+	assert.Nil(t, err)
+	assert.Equal(t, endpointURL, f.URI.String())
+}
+
 func TestNewSession(t *testing.T) {
 	rows := []TestSessionRow{
 		{
@@ -90,16 +100,16 @@ func TestNewSession(t *testing.T) {
 		},
 		{
 			name: "configure aws using environment variables + assume role",
-			stsProvider: func(*awssess.Session) stsiface.STSAPI {
+			stsProvider: func(cfg aws.Config) STSprovider {
 				return &fakesess.AssumeRoler{
 					AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
 						assert.Equal(t, *input.RoleArn, "foo-bar-baz")
 						return &sts.AssumeRoleOutput{
-							AssumedRoleUser: &sts.AssumedRoleUser{
+							AssumedRoleUser: &ststypes.AssumedRoleUser{
 								Arn:           aws.String("1123132"),
 								AssumedRoleId: aws.String("xxxxx"),
 							},
-							Credentials: &sts.Credentials{
+							Credentials: &ststypes.Credentials{
 								AccessKeyId:     aws.String("3333"),
 								SecretAccessKey: aws.String("4444"),
 								Expiration:      aws.Time(time.Now().Add(time.Hour)),
@@ -365,20 +375,19 @@ func TestNewSession(t *testing.T) {
 					},
 				},
 			},
-			jwtProvider: func(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error) {
+			jwtProvider: func(name, namespace, roleArn string, aud []string, region string) (aws.CredentialsProvider, error) {
 				assert.Equal(t, myServiceAccountKey, name)
 				assert.Equal(t, otherNsName, namespace)
 				assert.Equal(t, "my-sa-role", roleArn)
 				return fakesess.CredentialsProvider{
-					RetrieveFunc: func() (credentials.Value, error) {
-						return credentials.Value{
+					RetrieveFunc: func() (aws.Credentials, error) {
+						return aws.Credentials{
 							AccessKeyID:     "3333",
 							SecretAccessKey: "4444",
 							SessionToken:    "1234",
-							ProviderName:    "fake",
+							Source:          "fake",
 						}, nil
 					},
-					IsExpiredFunc: func() bool { return false },
 				}, nil
 			},
 			store: &esv1.ClusterSecretStore{
@@ -407,16 +416,16 @@ func TestNewSession(t *testing.T) {
 		},
 		{
 			name: "configure aws using environment variables + assume role + check external id",
-			stsProvider: func(*awssess.Session) stsiface.STSAPI {
+			stsProvider: func(cfg aws.Config) STSprovider {
 				return &fakesess.AssumeRoler{
 					AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
 						assert.Equal(t, *input.ExternalId, "12345678")
 						return &sts.AssumeRoleOutput{
-							AssumedRoleUser: &sts.AssumedRoleUser{
+							AssumedRoleUser: &ststypes.AssumedRoleUser{
 								Arn:           aws.String("1123132"),
 								AssumedRoleId: aws.String("xxxxx"),
 							},
-							Credentials: &sts.Credentials{
+							Credentials: &ststypes.Credentials{
 								AccessKeyId:     aws.String("3333"),
 								SecretAccessKey: aws.String("4444"),
 								Expiration:      aws.Time(time.Now().Add(time.Hour)),
@@ -488,7 +497,13 @@ func testRow(t *testing.T, row TestSessionRow) {
 		},
 	})
 	assert.Nil(t, err)
-	s, err := New(context.Background(), row.store, kc, row.namespace, row.stsProvider, row.jwtProvider)
+	s, err := New(context.Background(), Opts{
+		Store:       row.store,
+		Kube:        kc,
+		Namespace:   row.namespace,
+		AssumeRoler: row.stsProvider,
+		JWTProvider: row.jwtProvider,
+	})
 	if !ErrorContains(err, row.expectErr) {
 		t.Errorf("expected error %s but found %s", row.expectErr, err.Error())
 	}
@@ -500,7 +515,7 @@ func testRow(t *testing.T, row TestSessionRow) {
 		t.Errorf("expected provider object, found nil")
 		return
 	}
-	creds, _ := s.Config.Credentials.Get()
+	creds, _ := s.Credentials.Retrieve(context.Background())
 	assert.Equal(t, row.expectedKeyID, creds.AccessKeyID)
 	assert.Equal(t, row.expectedSecretKey, creds.SecretAccessKey)
 }
@@ -509,17 +524,22 @@ func TestSMEnvCredentials(t *testing.T) {
 	k8sClient := clientfake.NewClientBuilder().Build()
 	t.Setenv("AWS_SECRET_ACCESS_KEY", "1111")
 	t.Setenv("AWS_ACCESS_KEY_ID", "2222")
-	s, err := New(context.Background(), &esv1.SecretStore{
-		Spec: esv1.SecretStoreSpec{
-			Provider: &esv1.SecretStoreProvider{
-				// defaults
-				AWS: &esv1.AWSProvider{},
+	s, err := New(context.Background(), Opts{
+		Kube:        k8sClient,
+		Namespace:   "example-ns",
+		AssumeRoler: DefaultSTSProvider,
+		Store: &esv1.SecretStore{
+			Spec: esv1.SecretStoreSpec{
+				Provider: &esv1.SecretStoreProvider{
+					// defaults
+					AWS: &esv1.AWSProvider{},
+				},
 			},
 		},
-	}, k8sClient, "example-ns", DefaultSTSProvider, nil)
+	})
 	assert.Nil(t, err)
 	assert.NotNil(t, s)
-	creds, err := s.Config.Credentials.Get()
+	creds, err := s.Credentials.Retrieve(context.Background())
 	assert.Nil(t, err)
 	assert.Equal(t, creds.AccessKeyID, "2222")
 	assert.Equal(t, creds.SecretAccessKey, "1111")
@@ -531,11 +551,11 @@ func TestSMAssumeRole(t *testing.T) {
 		AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
 			if *input.RoleArn == "chained-role-1" {
 				return &sts.AssumeRoleOutput{
-					AssumedRoleUser: &sts.AssumedRoleUser{
+					AssumedRoleUser: &ststypes.AssumedRoleUser{
 						Arn:           aws.String("1111111"),
 						AssumedRoleId: aws.String("yyyyy1"),
 					},
-					Credentials: &sts.Credentials{
+					Credentials: &ststypes.Credentials{
 						AccessKeyId:     aws.String("77771"),
 						SecretAccessKey: aws.String("88881"),
 						Expiration:      aws.Time(time.Now().Add(time.Hour)),
@@ -544,11 +564,11 @@ func TestSMAssumeRole(t *testing.T) {
 				}, nil
 			} else if *input.RoleArn == "chained-role-2" {
 				return &sts.AssumeRoleOutput{
-					AssumedRoleUser: &sts.AssumedRoleUser{
+					AssumedRoleUser: &ststypes.AssumedRoleUser{
 						Arn:           aws.String("2222222"),
 						AssumedRoleId: aws.String("yyyyy2"),
 					},
-					Credentials: &sts.Credentials{
+					Credentials: &ststypes.Credentials{
 						AccessKeyId:     aws.String("77772"),
 						SecretAccessKey: aws.String("88882"),
 						Expiration:      aws.Time(time.Now().Add(time.Hour)),
@@ -559,11 +579,11 @@ func TestSMAssumeRole(t *testing.T) {
 				// make sure the correct role is passed in
 				assert.Equal(t, *input.RoleArn, "my-awesome-role")
 				return &sts.AssumeRoleOutput{
-					AssumedRoleUser: &sts.AssumedRoleUser{
+					AssumedRoleUser: &ststypes.AssumedRoleUser{
 						Arn:           aws.String("1123132"),
 						AssumedRoleId: aws.String("xxxxx"),
 					},
-					Credentials: &sts.Credentials{
+					Credentials: &ststypes.Credentials{
 						AccessKeyId:     aws.String("3333"),
 						SecretAccessKey: aws.String("4444"),
 						Expiration:      aws.Time(time.Now().Add(time.Hour)),
@@ -575,39 +595,44 @@ func TestSMAssumeRole(t *testing.T) {
 	}
 	t.Setenv("AWS_SECRET_ACCESS_KEY", "1111")
 	t.Setenv("AWS_ACCESS_KEY_ID", "2222")
-	s, err := New(context.Background(), &esv1.SecretStore{
-		Spec: esv1.SecretStoreSpec{
-			Provider: &esv1.SecretStoreProvider{
-				// do assume role!
-				AWS: &esv1.AWSProvider{
-					Role:            "my-awesome-role",
-					AdditionalRoles: []string{"chained-role-1", "chained-role-2"},
+	s, err := New(context.Background(), Opts{
+		Kube:      k8sClient,
+		Namespace: "example-ns",
+		Store: &esv1.SecretStore{
+			Spec: esv1.SecretStoreSpec{
+				Provider: &esv1.SecretStoreProvider{
+					// do assume role!
+					AWS: &esv1.AWSProvider{
+						Role:            "my-awesome-role",
+						AdditionalRoles: []string{"chained-role-1", "chained-role-2"},
+					},
 				},
 			},
 		},
-	}, k8sClient, "example-ns", func(se *awssess.Session) stsiface.STSAPI {
-		// check if the correct temporary credentials were used
-		creds, err := se.Config.Credentials.Get()
-		assert.Nil(t, err)
-		if creds.SessionToken == "" {
-			// called with credentials from envvars
-			assert.Equal(t, creds.AccessKeyID, "2222")
-			assert.Equal(t, creds.SecretAccessKey, "1111")
-		} else if creds.SessionToken == "99991" {
-			// called with chained role 1's credentials
-			assert.Equal(t, creds.AccessKeyID, "77771")
-			assert.Equal(t, creds.SecretAccessKey, "88881")
-		} else {
-			// called with chained role 2's credentials
-			assert.Equal(t, creds.AccessKeyID, "77772")
-			assert.Equal(t, creds.SecretAccessKey, "88882")
-		}
-		return sts
-	}, nil)
+		AssumeRoler: func(cfg aws.Config) STSprovider {
+			// check if the correct temporary credentials were used
+			creds, err := cfg.Credentials.Retrieve(context.Background())
+			assert.Nil(t, err)
+			if creds.SessionToken == "" {
+				// called with credentials from envvars
+				assert.Equal(t, creds.AccessKeyID, "2222")
+				assert.Equal(t, creds.SecretAccessKey, "1111")
+			} else if creds.SessionToken == "99991" {
+				// called with chained role 1's credentials
+				assert.Equal(t, creds.AccessKeyID, "77771")
+				assert.Equal(t, creds.SecretAccessKey, "88881")
+			} else {
+				// called with chained role 2's credentials
+				assert.Equal(t, creds.AccessKeyID, "77772")
+				assert.Equal(t, creds.SecretAccessKey, "88882")
+			}
+			return sts
+		},
+	})
 	assert.Nil(t, err)
 	assert.NotNil(t, s)
 
-	creds, err := s.Config.Credentials.Get()
+	creds, err := s.Credentials.Retrieve(context.Background())
 	assert.Nil(t, err)
 	assert.Equal(t, creds.AccessKeyID, "3333")
 	assert.Equal(t, creds.SecretAccessKey, "4444")

pkg/provider/aws/auth/fake/assumeroler.go

@@ -15,35 +15,33 @@ limitations under the License.
 package fake
 
 import (
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/service/sts"
-	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 )
 
-type AssumeRoler struct {
-	stsiface.STSAPI
-	AssumeRoleFunc func(*sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
+type stsAPI interface {
+	AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
+	AssumeRoleWithSAML(ctx context.Context, params *sts.AssumeRoleWithSAMLInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithSAMLOutput, error)
+	AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithWebIdentityOutput, error)
+	AssumeRoot(ctx context.Context, params *sts.AssumeRootInput, optFns ...func(*sts.Options)) (*sts.AssumeRootOutput, error)
+	DecodeAuthorizationMessage(ctx context.Context, params *sts.DecodeAuthorizationMessageInput, optFns ...func(*sts.Options)) (*sts.DecodeAuthorizationMessageOutput, error)
 }
 
-func (f *AssumeRoler) AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
-	return f.AssumeRoleFunc(input)
+type AssumeRoler struct {
+	stsAPI
+	AssumeRoleFunc func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
 }
 
-func (f *AssumeRoler) AssumeRoleWithContext(_ aws.Context, input *sts.AssumeRoleInput, _ ...request.Option) (*sts.AssumeRoleOutput, error) {
-	return f.AssumeRoleFunc(input)
+func (f *AssumeRoler) AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error) {
+	return f.AssumeRoleFunc(params)
 }
 
 type CredentialsProvider struct {
-	RetrieveFunc  func() (credentials.Value, error)
-	IsExpiredFunc func() bool
+	RetrieveFunc func() (aws.Credentials, error)
 }
 
-func (t CredentialsProvider) Retrieve() (credentials.Value, error) {
+func (t CredentialsProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
 	return t.RetrieveFunc()
 }
-
-func (t CredentialsProvider) IsExpired() bool {
-	return t.IsExpiredFunc()
-}

pkg/provider/aws/auth/resolver.go

@@ -15,41 +15,35 @@ limitations under the License.
 package auth
 
 import (
+	"context"
+	"fmt"
+	"net/url"
 	"os"
 
-	"github.com/aws/aws-sdk-go/aws/endpoints"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	smithyendpoints "github.com/aws/smithy-go/endpoints"
 )
 
 const (
-	SecretsManagerEndpointEnv = "AWS_SECRETSMANAGER_ENDPOINT"
-	STSEndpointEnv            = "AWS_STS_ENDPOINT"
-	SSMEndpointEnv            = "AWS_SSM_ENDPOINT"
+	STSEndpointEnv = "AWS_STS_ENDPOINT"
 )
 
+type customEndpointResolver struct{}
+
 // ResolveEndpoint returns a ResolverFunc with
 // customizable endpoints.
-func ResolveEndpoint() endpoints.ResolverFunc {
-	customEndpoints := make(map[string]string)
-	if v := os.Getenv(SecretsManagerEndpointEnv); v != "" {
-		customEndpoints["secretsmanager"] = v
-	}
-	if v := os.Getenv(SSMEndpointEnv); v != "" {
-		customEndpoints["ssm"] = v
-	}
-	if v := os.Getenv(STSEndpointEnv); v != "" {
-		customEndpoints["sts"] = v
-	}
-	return ResolveEndpointWithServiceMap(customEndpoints)
-}
 
-func ResolveEndpointWithServiceMap(customEndpoints map[string]string) endpoints.ResolverFunc {
-	defaultResolver := endpoints.DefaultResolver()
-	return func(service, region string, opts ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
-		if ep, ok := customEndpoints[service]; ok {
-			return endpoints.ResolvedEndpoint{
-				URL: ep,
-			}, nil
+// should this reside somewhere else since it's specific to sts?
+func (c customEndpointResolver) ResolveEndpoint(ctx context.Context, params sts.EndpointParameters) (smithyendpoints.Endpoint, error) {
+	endpoint := smithyendpoints.Endpoint{}
+	if v := os.Getenv(STSEndpointEnv); v != "" {
+		url, err := url.Parse(v)
+		if err != nil {
+			return endpoint, fmt.Errorf("failed to parse sts endpoint %s: %w", v, err)
 		}
-		return defaultResolver.EndpointFor(service, region, opts...)
+		endpoint.URI = *url
+		return endpoint, nil
 	}
+	defaultResolver := sts.NewDefaultEndpointResolverV2()
+	return defaultResolver.ResolveEndpoint(ctx, params)
 }

pkg/provider/aws/auth/resolver_test.go

@@ -15,43 +15,23 @@ limitations under the License.
 package auth
 
 import (
+	"context"
 	"testing"
 
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/stretchr/testify/assert"
 )
 
+// do we need this file now that resolving logic is isolated to each service?
+
 func TestResolver(t *testing.T) {
-	tbl := []struct {
-		env     string
-		service string
-		url     string
-	}{
-		{
-			env:     SecretsManagerEndpointEnv,
-			service: "secretsmanager",
-			url:     "http://sm.foo",
-		},
-		{
-			env:     SSMEndpointEnv,
-			service: "ssm",
-			url:     "http://ssm.foo",
-		},
-		{
-			env:     STSEndpointEnv,
-			service: "sts",
-			url:     "http://sts.foo",
-		},
-	}
-
-	for _, item := range tbl {
-		t.Setenv(item.env, item.url)
-	}
-
-	f := ResolveEndpoint()
-
-	for _, item := range tbl {
-		ep, err := f.EndpointFor(item.service, "")
-		assert.Nil(t, err)
-		assert.Equal(t, item.url, ep.URL)
-	}
+	endpointEnvKey := STSEndpointEnv
+	endpointURL := "http://sts.foo"
+
+	t.Setenv(endpointEnvKey, endpointURL)
+
+	f, err := customEndpointResolver{}.ResolveEndpoint(context.Background(), sts.EndpointParameters{})
+
+	assert.Nil(t, err)
+	assert.Equal(t, endpointURL, f.URI.String())
 }

pkg/provider/aws/auth/token_fetcher.go

@@ -15,9 +15,9 @@ limitations under the License.
 package auth
 
 import (
+	"context"
 	"fmt"
 
-	"github.com/aws/aws-sdk-go/aws/credentials"
 	authv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -36,11 +36,11 @@ type authTokenFetcher struct {
 	k8sClient      corev1.CoreV1Interface
 }
 
-// FetchToken satisfies the stscreds.TokenFetcher interface
+// GetIdentityToken satisfies the stscreds.IdentityTokenRetriever interface
 // it is used to generate service account tokens which are consumed by the aws sdk.
-func (p authTokenFetcher) FetchToken(ctx credentials.Context) ([]byte, error) {
+func (p authTokenFetcher) GetIdentityToken() ([]byte, error) {
 	log.V(1).Info("fetching token", "ns", p.Namespace, "sa", p.ServiceAccount)
-	tokRsp, err := p.k8sClient.ServiceAccounts(p.Namespace).CreateToken(ctx, p.ServiceAccount, &authv1.TokenRequest{
+	tokRsp, err := p.k8sClient.ServiceAccounts(p.Namespace).CreateToken(context.Background(), p.ServiceAccount, &authv1.TokenRequest{
 		Spec: authv1.TokenRequestSpec{
 			Audiences: p.Audiences,
 		},

pkg/provider/aws/auth/token_fetcher_test.go

@@ -15,7 +15,6 @@ limitations under the License.
 package auth
 
 import (
-	"context"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -29,7 +28,7 @@ func TestTokenFetcher(t *testing.T) {
 		Namespace:      "example",
 		k8sClient:      fake.NewCreateTokenMock().WithToken("FAKETOKEN"),
 	}
-	token, err := tf.FetchToken(context.Background())
+	token, err := tf.GetIdentityToken()
 	assert.Nil(t, err)
 	assert.Equal(t, []byte("FAKETOKEN"), token)
 }

pkg/provider/aws/parameterstore/fake/fake.go

@@ -18,90 +18,89 @@ import (
 	"context"
 	"errors"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/service/ssm"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 )
 
 // Client implements the aws parameterstore interface.
 type Client struct {
-	GetParameterWithContextFn           GetParameterWithContextFn
-	GetParametersByPathWithContextFn    GetParametersByPathWithContextFn
-	PutParameterWithContextFn           PutParameterWithContextFn
-	PutParameterWithContextCalledN      int
-	PutParameterWithContextFnCalledWith [][]*ssm.PutParameterInput
-	DeleteParameterWithContextFn        DeleteParameterWithContextFn
-	DescribeParametersWithContextFn     DescribeParametersWithContextFn
-	ListTagsForResourceWithContextFn    ListTagsForResourceWithContextFn
+	GetParameterFn           GetParameterFn
+	GetParametersByPathFn    GetParametersByPathFn
+	PutParameterFn           PutParameterFn
+	PutParameterCalledN      int
+	PutParameterFnCalledWith [][]*ssm.PutParameterInput
+	DeleteParameterFn        DeleteParameterFn
+	DescribeParametersFn     DescribeParametersFn
+	ListTagsForResourceFn    ListTagsForResourceFn
 }
 
-type GetParameterWithContextFn func(aws.Context, *ssm.GetParameterInput, ...request.Option) (*ssm.GetParameterOutput, error)
-type GetParametersByPathWithContextFn func(aws.Context, *ssm.GetParametersByPathInput, ...request.Option) (*ssm.GetParametersByPathOutput, error)
-type PutParameterWithContextFn func(aws.Context, *ssm.PutParameterInput, ...request.Option) (*ssm.PutParameterOutput, error)
-type DescribeParametersWithContextFn func(aws.Context, *ssm.DescribeParametersInput, ...request.Option) (*ssm.DescribeParametersOutput, error)
-type ListTagsForResourceWithContextFn func(aws.Context, *ssm.ListTagsForResourceInput, ...request.Option) (*ssm.ListTagsForResourceOutput, error)
-type DeleteParameterWithContextFn func(ctx aws.Context, input *ssm.DeleteParameterInput, opts ...request.Option) (*ssm.DeleteParameterOutput, error)
+type GetParameterFn func(context.Context, *ssm.GetParameterInput, ...func(*ssm.Options)) (*ssm.GetParameterOutput, error)
+type GetParametersByPathFn func(context.Context, *ssm.GetParametersByPathInput, ...func(*ssm.Options)) (*ssm.GetParametersByPathOutput, error)
+type PutParameterFn func(context.Context, *ssm.PutParameterInput, ...func(*ssm.Options)) (*ssm.PutParameterOutput, error)
+type DescribeParametersFn func(context.Context, *ssm.DescribeParametersInput, ...func(*ssm.Options)) (*ssm.DescribeParametersOutput, error)
+type ListTagsForResourceFn func(context.Context, *ssm.ListTagsForResourceInput, ...func(*ssm.Options)) (*ssm.ListTagsForResourceOutput, error)
+type DeleteParameterFn func(ctx context.Context, input *ssm.DeleteParameterInput, opts ...func(*ssm.Options)) (*ssm.DeleteParameterOutput, error)
 
-func (sm *Client) ListTagsForResourceWithContext(ctx aws.Context, input *ssm.ListTagsForResourceInput, options ...request.Option) (*ssm.ListTagsForResourceOutput, error) {
-	return sm.ListTagsForResourceWithContextFn(ctx, input, options...)
+func (sm *Client) ListTagsForResource(ctx context.Context, input *ssm.ListTagsForResourceInput, options ...func(*ssm.Options)) (*ssm.ListTagsForResourceOutput, error) {
+	return sm.ListTagsForResourceFn(ctx, input, options...)
 }
 
-func NewListTagsForResourceWithContextFn(output *ssm.ListTagsForResourceOutput, err error) ListTagsForResourceWithContextFn {
-	return func(aws.Context, *ssm.ListTagsForResourceInput, ...request.Option) (*ssm.ListTagsForResourceOutput, error) {
+func NewListTagsForResourceFn(output *ssm.ListTagsForResourceOutput, err error) ListTagsForResourceFn {
+	return func(context.Context, *ssm.ListTagsForResourceInput, ...func(*ssm.Options)) (*ssm.ListTagsForResourceOutput, error) {
 		return output, err
 	}
 }
 
-func (sm *Client) DeleteParameterWithContext(ctx aws.Context, input *ssm.DeleteParameterInput, opts ...request.Option) (*ssm.DeleteParameterOutput, error) {
-	return sm.DeleteParameterWithContextFn(ctx, input, opts...)
+func (sm *Client) DeleteParameter(ctx context.Context, input *ssm.DeleteParameterInput, opts ...func(*ssm.Options)) (*ssm.DeleteParameterOutput, error) {
+	return sm.DeleteParameterFn(ctx, input, opts...)
 }
 
-func NewDeleteParameterWithContextFn(output *ssm.DeleteParameterOutput, err error) DeleteParameterWithContextFn {
-	return func(aws.Context, *ssm.DeleteParameterInput, ...request.Option) (*ssm.DeleteParameterOutput, error) {
+func NewDeleteParameterFn(output *ssm.DeleteParameterOutput, err error) DeleteParameterFn {
+	return func(context.Context, *ssm.DeleteParameterInput, ...func(*ssm.Options)) (*ssm.DeleteParameterOutput, error) {
 		return output, err
 	}
 }
 
-func (sm *Client) GetParameterWithContext(ctx aws.Context, input *ssm.GetParameterInput, options ...request.Option) (*ssm.GetParameterOutput, error) {
-	return sm.GetParameterWithContextFn(ctx, input, options...)
+func (sm *Client) GetParameter(ctx context.Context, input *ssm.GetParameterInput, options ...func(*ssm.Options)) (*ssm.GetParameterOutput, error) {
+	return sm.GetParameterFn(ctx, input, options...)
 }
 
-func (sm *Client) GetParametersByPathWithContext(ctx aws.Context, input *ssm.GetParametersByPathInput, options ...request.Option) (*ssm.GetParametersByPathOutput, error) {
-	return sm.GetParametersByPathWithContextFn(ctx, input, options...)
+func (sm *Client) GetParametersByPath(ctx context.Context, input *ssm.GetParametersByPathInput, options ...func(*ssm.Options)) (*ssm.GetParametersByPathOutput, error) {
+	return sm.GetParametersByPathFn(ctx, input, options...)
 }
 
-func NewGetParameterWithContextFn(output *ssm.GetParameterOutput, err error) GetParameterWithContextFn {
-	return func(aws.Context, *ssm.GetParameterInput, ...request.Option) (*ssm.GetParameterOutput, error) {
+func NewGetParameterFn(output *ssm.GetParameterOutput, err error) GetParameterFn {
+	return func(context.Context, *ssm.GetParameterInput, ...func(*ssm.Options)) (*ssm.GetParameterOutput, error) {
 		return output, err
 	}
 }
 
-func (sm *Client) DescribeParametersWithContext(ctx context.Context, input *ssm.DescribeParametersInput, options ...request.Option) (*ssm.DescribeParametersOutput, error) {
-	return sm.DescribeParametersWithContextFn(ctx, input, options...)
+func (sm *Client) DescribeParameters(ctx context.Context, input *ssm.DescribeParametersInput, options ...func(*ssm.Options)) (*ssm.DescribeParametersOutput, error) {
+	return sm.DescribeParametersFn(ctx, input, options...)
 }
 
-func NewDescribeParametersWithContextFn(output *ssm.DescribeParametersOutput, err error) DescribeParametersWithContextFn {
-	return func(aws.Context, *ssm.DescribeParametersInput, ...request.Option) (*ssm.DescribeParametersOutput, error) {
+func NewDescribeParametersFn(output *ssm.DescribeParametersOutput, err error) DescribeParametersFn {
+	return func(context.Context, *ssm.DescribeParametersInput, ...func(*ssm.Options)) (*ssm.DescribeParametersOutput, error) {
 		return output, err
 	}
 }
 
-func (sm *Client) PutParameterWithContext(ctx aws.Context, input *ssm.PutParameterInput, options ...request.Option) (*ssm.PutParameterOutput, error) {
-	sm.PutParameterWithContextCalledN++
-	sm.PutParameterWithContextFnCalledWith = append(sm.PutParameterWithContextFnCalledWith, []*ssm.PutParameterInput{input})
-	return sm.PutParameterWithContextFn(ctx, input, options...)
+func (sm *Client) PutParameter(ctx context.Context, input *ssm.PutParameterInput, options ...func(*ssm.Options)) (*ssm.PutParameterOutput, error) {
+	sm.PutParameterCalledN++
+	sm.PutParameterFnCalledWith = append(sm.PutParameterFnCalledWith, []*ssm.PutParameterInput{input})
+	return sm.PutParameterFn(ctx, input, options...)
 }
 
-func NewPutParameterWithContextFn(output *ssm.PutParameterOutput, err error) PutParameterWithContextFn {
-	return func(aws.Context, *ssm.PutParameterInput, ...request.Option) (*ssm.PutParameterOutput, error) {
+func NewPutParameterFn(output *ssm.PutParameterOutput, err error) PutParameterFn {
+	return func(context.Context, *ssm.PutParameterInput, ...func(*ssm.Options)) (*ssm.PutParameterOutput, error) {
 		return output, err
 	}
 }
 
 func (sm *Client) WithValue(in *ssm.GetParameterInput, val *ssm.GetParameterOutput, err error) {
-	sm.GetParameterWithContextFn = func(ctx aws.Context, paramIn *ssm.GetParameterInput, options ...request.Option) (*ssm.GetParameterOutput, error) {
-		if !cmp.Equal(paramIn, in) {
+	sm.GetParameterFn = func(ctx context.Context, paramIn *ssm.GetParameterInput, options ...func(*ssm.Options)) (*ssm.GetParameterOutput, error) {
+		if !cmp.Equal(paramIn, in, cmpopts.IgnoreUnexported(ssm.GetParameterInput{})) {
 			return nil, errors.New("unexpected test argument")
 		}
 		return val, err

pkg/provider/aws/parameterstore/parameterstore.go

@@ -22,11 +22,10 @@ import (
 	"slices"
 	"strings"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/ssm"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	ssmTypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
+	"github.com/aws/smithy-go"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -44,16 +43,16 @@ import (
 
 // Tier defines policy details for PushSecret.
 type Tier struct {
-	Type     string                `json:"type"`
-	Policies *apiextensionsv1.JSON `json:"policies"`
+	Type     ssmTypes.ParameterTier `json:"type"`
+	Policies *apiextensionsv1.JSON  `json:"policies"`
 }
 
 // PushSecretMetadataSpec defines the spec for the metadata for PushSecret.
 type PushSecretMetadataSpec struct {
-	SecretType      string `json:"secretType,omitempty"`
-	KMSKeyID        string `json:"kmsKeyID,omitempty"`
-	Tier            Tier   `json:"tier,omitempty"`
-	EncodeAsDecoded bool   `json:"encodeAsDecoded,omitempty"`
+	SecretType      ssmTypes.ParameterType `json:"secretType,omitempty"`
+	KMSKeyID        string                 `json:"kmsKeyID,omitempty"`
+	Tier            Tier                   `json:"tier,omitempty"`
+	EncodeAsDecoded bool                   `json:"encodeAsDecoded,omitempty"`
 }
 
 // https://github.com/external-secrets/external-secrets/issues/644
@@ -66,7 +65,7 @@ var (
 
 // ParameterStore is a provider for AWS ParameterStore.
 type ParameterStore struct {
-	sess         *session.Session
+	cfg          *aws.Config
 	client       PMInterface
 	referentAuth bool
 	prefix       string
@@ -75,38 +74,41 @@ type ParameterStore struct {
 // PMInterface is a subset of the parameterstore api.
 // see: https://docs.aws.amazon.com/sdk-for-go/api/service/ssm/ssmiface/
 type PMInterface interface {
-	GetParameterWithContext(aws.Context, *ssm.GetParameterInput, ...request.Option) (*ssm.GetParameterOutput, error)
-	GetParametersByPathWithContext(aws.Context, *ssm.GetParametersByPathInput, ...request.Option) (*ssm.GetParametersByPathOutput, error)
-	PutParameterWithContext(aws.Context, *ssm.PutParameterInput, ...request.Option) (*ssm.PutParameterOutput, error)
-	DescribeParametersWithContext(aws.Context, *ssm.DescribeParametersInput, ...request.Option) (*ssm.DescribeParametersOutput, error)
-	ListTagsForResourceWithContext(aws.Context, *ssm.ListTagsForResourceInput, ...request.Option) (*ssm.ListTagsForResourceOutput, error)
-	DeleteParameterWithContext(ctx aws.Context, input *ssm.DeleteParameterInput, opts ...request.Option) (*ssm.DeleteParameterOutput, error)
+	GetParameter(ctx context.Context, input *ssm.GetParameterInput, opts ...func(*ssm.Options)) (*ssm.GetParameterOutput, error)
+	GetParametersByPath(ctx context.Context, input *ssm.GetParametersByPathInput, opts ...func(*ssm.Options)) (*ssm.GetParametersByPathOutput, error)
+	PutParameter(ctx context.Context, input *ssm.PutParameterInput, opts ...func(*ssm.Options)) (*ssm.PutParameterOutput, error)
+	DescribeParameters(ctx context.Context, input *ssm.DescribeParametersInput, opts ...func(*ssm.Options)) (*ssm.DescribeParametersOutput, error)
+	ListTagsForResource(ctx context.Context, input *ssm.ListTagsForResourceInput, opts ...func(*ssm.Options)) (*ssm.ListTagsForResourceOutput, error)
+	DeleteParameter(ctx context.Context, input *ssm.DeleteParameterInput, opts ...func(*ssm.Options)) (*ssm.DeleteParameterOutput, error)
 }
 
 const (
-	errUnexpectedFindOperator = "unexpected find operator"
-	errAccessDeniedException  = "AccessDeniedException"
+	errUnexpectedFindOperator    = "unexpected find operator"
+	errAccessDeniedException     = "AccessDeniedException"
+	errCodeAccessDeniedException = "AccessDeniedException"
 )
 
 // New constructs a ParameterStore Provider that is specific to a store.
-func New(sess *session.Session, cfg *aws.Config, prefix string, referentAuth bool) (*ParameterStore, error) {
+func New(ctx context.Context, cfg *aws.Config, prefix string, referentAuth bool) (*ParameterStore, error) {
 	return &ParameterStore{
-		sess:         sess,
+		cfg:          cfg,
 		referentAuth: referentAuth,
-		client:       ssm.New(sess, cfg),
-		prefix:       prefix,
+		client: ssm.NewFromConfig(*cfg, func(o *ssm.Options) {
+			o.EndpointResolverV2 = customEndpointResolver{}
+		}),
+		prefix: prefix,
 	}, nil
 }
 
-func (pm *ParameterStore) getTagsByName(ctx aws.Context, ref *ssm.GetParameterOutput) ([]*ssm.Tag, error) {
+func (pm *ParameterStore) getTagsByName(ctx context.Context, ref *ssm.GetParameterOutput) ([]ssmTypes.Tag, error) {
 	parameterType := "Parameter"
 
 	parameterTags := ssm.ListTagsForResourceInput{
 		ResourceId:   ref.Parameter.Name,
-		ResourceType: &parameterType,
+		ResourceType: ssmTypes.ResourceTypeForTagging(parameterType),
 	}
 
-	data, err := pm.client.ListTagsForResourceWithContext(ctx, &parameterTags)
+	data, err := pm.client.ListTagsForResource(ctx, &parameterTags)
 	metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSListTagsForResource, err)
 	if err != nil {
 		return nil, fmt.Errorf("error listing tags %w", err)
@@ -120,11 +122,11 @@ func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1.PushS
 	secretValue := ssm.GetParameterInput{
 		Name: &secretName,
 	}
-	existing, err := pm.client.GetParameterWithContext(ctx, &secretValue)
+	existing, err := pm.client.GetParameter(ctx, &secretValue)
 	metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSGetParameter, err)
-	var awsError awserr.Error
-	ok := errors.As(err, &awsError)
-	if err != nil && (!ok || awsError.Code() != ssm.ErrCodeParameterNotFound) {
+	var parameterNotFoundErr *ssmTypes.ParameterNotFound
+	ok := errors.As(err, &parameterNotFoundErr)
+	if err != nil && !ok {
 		return fmt.Errorf("unexpected error getting parameter %v: %w", secretName, err)
 	}
 	if existing != nil && existing.Parameter != nil {
@@ -142,7 +144,7 @@ func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1.PushS
 		deleteInput := &ssm.DeleteParameterInput{
 			Name: &secretName,
 		}
-		_, err = pm.client.DeleteParameterWithContext(ctx, deleteInput)
+		_, err = pm.client.DeleteParameter(ctx, deleteInput)
 		metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSDeleteParameter, err)
 		if err != nil {
 			return fmt.Errorf("could not delete parameter %v: %w", secretName, err)
@@ -158,17 +160,16 @@ func (pm *ParameterStore) SecretExists(ctx context.Context, pushSecretRef esv1.P
 		Name: &secretName,
 	}
 
-	_, err := pm.client.GetParameterWithContext(ctx, &secretValue)
+	_, err := pm.client.GetParameter(ctx, &secretValue)
+
+	var resourceNotFoundErr *ssmTypes.ResourceNotFoundException
+	var parameterNotFoundErr *ssmTypes.ParameterNotFound
 
 	if err != nil {
-		var aerr awserr.Error
-		if ok := errors.As(err, &aerr); !ok {
-			return false, err
-		}
-		if aerr.Code() == ssm.ErrCodeResourceNotFoundException {
+		if errors.As(err, &resourceNotFoundErr) {
 			return false, nil
 		}
-		if aerr.Code() == ssm.ErrCodeParameterNotFound {
+		if errors.As(err, &parameterNotFoundErr) {
 			return false, nil
 		}
 		return false, err
@@ -203,7 +204,7 @@ func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret,
 	secretRequest := ssm.PutParameterInput{
 		Name:      ptr.To(pm.prefix + data.GetRemoteKey()),
 		Value:     ptr.To(string(value)),
-		Type:      ptr.To(meta.Spec.SecretType),
+		Type:      meta.Spec.SecretType,
 		Overwrite: ptr.To(true),
 	}
 
@@ -211,8 +212,8 @@ func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret,
 		secretRequest.KeyId = &meta.Spec.KMSKeyID
 	}
 
-	if meta.Spec.Tier.Type == "Advanced" {
-		secretRequest.Tier = ptr.To(meta.Spec.Tier.Type)
+	if meta.Spec.Tier.Type == ssmTypes.ParameterTierAdvanced {
+		secretRequest.Tier = meta.Spec.Tier.Type
 		if meta.Spec.Tier.Policies != nil {
 			secretRequest.Policies = ptr.To(string(meta.Spec.Tier.Policies.Raw))
 		}
@@ -223,11 +224,11 @@ func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret,
 		WithDecryption: aws.Bool(true),
 	}
 
-	existing, err := pm.client.GetParameterWithContext(ctx, &secretValue)
+	existing, err := pm.client.GetParameter(ctx, &secretValue)
 	metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSGetParameter, err)
-	var awsError awserr.Error
-	ok := errors.As(err, &awsError)
-	if err != nil && (!ok || awsError.Code() != ssm.ErrCodeParameterNotFound) {
+	var parameterNotFoundErr *ssmTypes.ParameterNotFound
+	ok := errors.As(err, &parameterNotFoundErr)
+	if err != nil && !ok {
 		return fmt.Errorf("unexpected error getting parameter %v: %w", secretName, err)
 	}
 
@@ -283,14 +284,14 @@ func (pm *ParameterStore) setExisting(ctx context.Context, existing *ssm.GetPara
 	return pm.setManagedRemoteParameter(ctx, secretRequest, false)
 }
 
-func isManagedByESO(tags []*ssm.Tag) bool {
-	return slices.ContainsFunc(tags, func(tag *ssm.Tag) bool {
+func isManagedByESO(tags []ssmTypes.Tag) bool {
+	return slices.ContainsFunc(tags, func(tag ssmTypes.Tag) bool {
 		return *tag.Key == managedBy && *tag.Value == externalSecrets
 	})
 }
 
 func (pm *ParameterStore) setManagedRemoteParameter(ctx context.Context, secretRequest ssm.PutParameterInput, createManagedByTags bool) error {
-	externalSecretsTag := ssm.Tag{
+	externalSecretsTag := ssmTypes.Tag{
 		Key:   &managedBy,
 		Value: &externalSecrets,
 	}
@@ -298,11 +299,11 @@ func (pm *ParameterStore) setManagedRemoteParameter(ctx context.Context, secretR
 	overwrite := true
 	secretRequest.Overwrite = &overwrite
 	if createManagedByTags {
-		secretRequest.Tags = append(secretRequest.Tags, &externalSecretsTag)
+		secretRequest.Tags = append(secretRequest.Tags, externalSecretsTag)
 		overwrite = false
 	}
 
-	_, err := pm.client.PutParameterWithContext(ctx, &secretRequest)
+	_, err := pm.client.PutParameter(ctx, &secretRequest)
 	metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSPutParameter, err)
 	if err != nil {
 		return fmt.Errorf("unexpected error pushing parameter %v: %w", secretRequest.Name, err)
@@ -333,7 +334,7 @@ func (pm *ParameterStore) findByName(ctx context.Context, ref esv1.ExternalSecre
 	data := make(map[string][]byte)
 	var nextToken *string
 	for {
-		it, err := pm.client.GetParametersByPathWithContext(
+		it, err := pm.client.GetParametersByPath(
 			ctx,
 			&ssm.GetParametersByPathInput{
 				NextToken:      nextToken,
@@ -343,18 +344,13 @@ func (pm *ParameterStore) findByName(ctx context.Context, ref esv1.ExternalSecre
 			})
 		metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSGetParametersByPath, err)
 		if err != nil {
-			/*
-				Check for AccessDeniedException when calling `GetParametersByPathWithContext`. If so,
-				use fallbackFindByName and `DescribeParametersWithContext`.
-				https://github.com/external-secrets/external-secrets/issues/1839#issuecomment-1489023522
-			*/
-			var awsError awserr.Error
-			if errors.As(err, &awsError) && awsError.Code() == errAccessDeniedException {
+			var apiErr smithy.APIError
+			if errors.As(err, &apiErr) && apiErr.ErrorCode() == errCodeAccessDeniedException {
 				logger.Info("GetParametersByPath: access denied. using fallback to describe parameters. It is recommended to add ssm:GetParametersByPath permissions", "path", ref.Path)
 				return pm.fallbackFindByName(ctx, ref)
 			}
 
-			return nil, err
+			return nil, fmt.Errorf("fetching parameters by path %s: %w", *ref.Path, err)
 		}
 
 		for _, param := range it.Parameters {
@@ -379,18 +375,18 @@ func (pm *ParameterStore) fallbackFindByName(ctx context.Context, ref esv1.Exter
 	if err != nil {
 		return nil, err
 	}
-	pathFilter := make([]*ssm.ParameterStringFilter, 0)
+	pathFilter := make([]ssmTypes.ParameterStringFilter, 0)
 	if ref.Path != nil {
-		pathFilter = append(pathFilter, &ssm.ParameterStringFilter{
+		pathFilter = append(pathFilter, ssmTypes.ParameterStringFilter{
 			Key:    aws.String("Path"),
 			Option: aws.String("Recursive"),
-			Values: []*string{ref.Path},
+			Values: []string{*ref.Path},
 		})
 	}
 	data := make(map[string][]byte)
 	var nextToken *string
 	for {
-		it, err := pm.client.DescribeParametersWithContext(
+		it, err := pm.client.DescribeParameters(
 			ctx,
 			&ssm.DescribeParametersInput{
 				NextToken:        nextToken,
@@ -419,27 +415,27 @@ func (pm *ParameterStore) fallbackFindByName(ctx context.Context, ref esv1.Exter
 
 // findByTags requires ssm:DescribeParameters,tag:GetResources IAM permission on `"Resource": "*"`.
 func (pm *ParameterStore) findByTags(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
-	filters := make([]*ssm.ParameterStringFilter, 0)
+	filters := make([]ssmTypes.ParameterStringFilter, 0)
 	for k, v := range ref.Tags {
-		filters = append(filters, &ssm.ParameterStringFilter{
+		filters = append(filters, ssmTypes.ParameterStringFilter{
 			Key:    ptr.To(fmt.Sprintf("tag:%s", k)),
-			Values: []*string{ptr.To(v)},
+			Values: []string{v},
 			Option: ptr.To("Equals"),
 		})
 	}
 
 	if ref.Path != nil {
-		filters = append(filters, &ssm.ParameterStringFilter{
+		filters = append(filters, ssmTypes.ParameterStringFilter{
 			Key:    aws.String("Path"),
 			Option: aws.String("Recursive"),
-			Values: []*string{ref.Path},
+			Values: []string{*ref.Path},
 		})
 	}
 
 	data := make(map[string][]byte)
 	var nextToken *string
 	for {
-		it, err := pm.client.DescribeParametersWithContext(
+		it, err := pm.client.DescribeParameters(
 			ctx,
 			&ssm.DescribeParametersInput{
 				ParameterFilters: filters,
@@ -465,7 +461,7 @@ func (pm *ParameterStore) findByTags(ctx context.Context, ref esv1.ExternalSecre
 }
 
 func (pm *ParameterStore) fetchAndSet(ctx context.Context, data map[string][]byte, name string) error {
-	out, err := pm.client.GetParameterWithContext(ctx, &ssm.GetParameterInput{
+	out, err := pm.client.GetParameter(ctx, &ssm.GetParameterInput{
 		Name:           ptr.To(name),
 		WithDecryption: aws.Bool(true),
 	})
@@ -489,7 +485,7 @@ func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1.ExternalSecret
 	}
 	metrics.ObserveAPICall(constants.ProviderAWSPS, constants.CallAWSPSGetParameter, err)
 	nsf := esv1.NoSecretError{}
-	var nf *ssm.ParameterNotFound
+	var nf *ssmTypes.ParameterNotFound
 	if errors.As(err, &nf) || errors.As(err, &nsf) {
 		return nil, esv1.NoSecretErr
 	}
@@ -519,7 +515,7 @@ func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1.ExternalSecret
 
 func (pm *ParameterStore) getParameterTags(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (*ssm.GetParameterOutput, error) {
 	param := ssm.GetParameterOutput{
-		Parameter: &ssm.Parameter{
+		Parameter: &ssmTypes.Parameter{
 			Name: pm.parameterNameWithVersion(ref),
 		},
 	}
@@ -532,7 +528,7 @@ func (pm *ParameterStore) getParameterTags(ctx context.Context, ref esv1.Externa
 		return nil, err
 	}
 	out := &ssm.GetParameterOutput{
-		Parameter: &ssm.Parameter{
+		Parameter: &ssmTypes.Parameter{
 			Value: &json,
 		},
 	}
@@ -540,7 +536,7 @@ func (pm *ParameterStore) getParameterTags(ctx context.Context, ref esv1.Externa
 }
 
 func (pm *ParameterStore) getParameterValue(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (*ssm.GetParameterOutput, error) {
-	out, err := pm.client.GetParameterWithContext(ctx, &ssm.GetParameterInput{
+	out, err := pm.client.GetParameter(ctx, &ssm.GetParameterInput{
 		Name:           pm.parameterNameWithVersion(ref),
 		WithDecryption: aws.Bool(true),
 	})
@@ -591,7 +587,7 @@ func (pm *ParameterStore) Validate() (esv1.ValidationResult, error) {
 	if pm.referentAuth {
 		return esv1.ValidationResultUnknown, nil
 	}
-	_, err := pm.sess.Config.Credentials.Get()
+	_, err := pm.cfg.Credentials.Retrieve(context.Background())
 	if err != nil {
 		return esv1.ValidationResultError, err
 	}

pkg/provider/aws/parameterstore/parameterstore_test.go

@@ -20,9 +20,9 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/service/ssm"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	ssmtypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -81,7 +81,7 @@ func makeValidAPIInput() *ssm.GetParameterInput {
 
 func makeValidAPIOutput() *ssm.GetParameterOutput {
 	return &ssm.GetParameterOutput{
-		Parameter: &ssm.Parameter{
+		Parameter: &ssmtypes.Parameter{
 			Value: aws.String("RRRRR"),
 		},
 	}
@@ -102,12 +102,24 @@ func makeValidParameterStoreTestCaseCustom(tweaks ...func(pstc *parameterstoreTe
 	return pstc
 }
 
+func TestSSMResolver(t *testing.T) {
+	endpointEnvKey := SSMEndpointEnv
+	endpointURL := "http://ssm.foo"
+
+	t.Setenv(endpointEnvKey, endpointURL)
+
+	f, err := customEndpointResolver{}.ResolveEndpoint(context.Background(), ssm.EndpointParameters{})
+
+	assert.Nil(t, err)
+	assert.Equal(t, endpointURL, f.URI.String())
+}
+
 func TestDeleteSecret(t *testing.T) {
 	fakeClient := fakeps.Client{}
 	parameterName := "parameter"
 	managedBy := "managed-by"
 	manager := "external-secrets"
-	ssmTag := ssm.Tag{
+	ssmTag := ssmtypes.Tag{
 		Key:   &managedBy,
 		Value: &manager,
 	}
@@ -135,12 +147,12 @@ func TestDeleteSecret(t *testing.T) {
 			args: args{
 				client: fakeClient,
 				getParameterOutput: &ssm.GetParameterOutput{
-					Parameter: &ssm.Parameter{
+					Parameter: &ssmtypes.Parameter{
 						Name: &parameterName,
 					},
 				},
 				listTagsOutput: &ssm.ListTagsForResourceOutput{
-					TagList: []*ssm.Tag{&ssmTag},
+					TagList: []ssmtypes.Tag{ssmTag},
 				},
 				deleteParameterOutput: nil,
 				getParameterError:     nil,
@@ -158,9 +170,11 @@ func TestDeleteSecret(t *testing.T) {
 				getParameterOutput:    nil,
 				listTagsOutput:        nil,
 				deleteParameterOutput: nil,
-				getParameterError:     awserr.New(ssm.ErrCodeParameterNotFound, "not here, sorry dude", nil),
-				listTagsError:         nil,
-				deleteParameterError:  nil,
+				getParameterError: &ssmtypes.ParameterNotFound{
+					Message: aws.String("not here, sorry dude"),
+				},
+				listTagsError:        nil,
+				deleteParameterError: nil,
 			},
 			want: want{
 				err: nil,
@@ -186,7 +200,7 @@ func TestDeleteSecret(t *testing.T) {
 			args: args{
 				client: fakeClient,
 				getParameterOutput: &ssm.GetParameterOutput{
-					Parameter: &ssm.Parameter{
+					Parameter: &ssmtypes.Parameter{
 						Name: &parameterName,
 					},
 				},
@@ -205,12 +219,12 @@ func TestDeleteSecret(t *testing.T) {
 			args: args{
 				client: fakeClient,
 				getParameterOutput: &ssm.GetParameterOutput{
-					Parameter: &ssm.Parameter{
+					Parameter: &ssmtypes.Parameter{
 						Name: &parameterName,
 					},
 				},
 				listTagsOutput: &ssm.ListTagsForResourceOutput{
-					TagList: []*ssm.Tag{},
+					TagList: []ssmtypes.Tag{},
 				},
 				deleteParameterOutput: nil,
 				getParameterError:     nil,
@@ -226,12 +240,12 @@ func TestDeleteSecret(t *testing.T) {
 			args: args{
 				client: fakeClient,
 				getParameterOutput: &ssm.GetParameterOutput{
-					Parameter: &ssm.Parameter{
+					Parameter: &ssmtypes.Parameter{
 						Name: &parameterName,
 					},
 				},
 				listTagsOutput: &ssm.ListTagsForResourceOutput{
-					TagList: []*ssm.Tag{&ssmTag},
+					TagList: []ssmtypes.Tag{ssmTag},
 				},
 				deleteParameterOutput: nil,
 				getParameterError:     nil,
@@ -251,9 +265,9 @@ func TestDeleteSecret(t *testing.T) {
 			ps := ParameterStore{
 				client: &tc.args.client,
 			}
-			tc.args.client.GetParameterWithContextFn = fakeps.NewGetParameterWithContextFn(tc.args.getParameterOutput, tc.args.getParameterError)
-			tc.args.client.ListTagsForResourceWithContextFn = fakeps.NewListTagsForResourceWithContextFn(tc.args.listTagsOutput, tc.args.listTagsError)
-			tc.args.client.DeleteParameterWithContextFn = fakeps.NewDeleteParameterWithContextFn(tc.args.deleteParameterOutput, tc.args.deleteParameterError)
+			tc.args.client.GetParameterFn = fakeps.NewGetParameterFn(tc.args.getParameterOutput, tc.args.getParameterError)
+			tc.args.client.ListTagsForResourceFn = fakeps.NewListTagsForResourceFn(tc.args.listTagsOutput, tc.args.listTagsError)
+			tc.args.client.DeleteParameterFn = fakeps.NewDeleteParameterFn(tc.args.deleteParameterOutput, tc.args.deleteParameterError)
 			err := ps.DeleteSecret(context.TODO(), ref)
 
 			// Error nil XOR tc.want.err nil
@@ -274,15 +288,15 @@ func TestDeleteSecret(t *testing.T) {
 const remoteKey = "fake-key"
 
 func TestPushSecret(t *testing.T) {
-	invalidParameters := errors.New(ssm.ErrCodeInvalidParameters)
-	alreadyExistsError := errors.New(ssm.ErrCodeAlreadyExistsException)
+	invalidParameters := &ssmtypes.InvalidParameters{}
+	alreadyExistsError := &ssmtypes.AlreadyExistsException{}
 	fakeSecret := &corev1.Secret{
 		Data: map[string][]byte{
 			fakeSecretKey: []byte(fakeValue),
 		},
 	}
 
-	managedByESO := ssm.Tag{
+	managedByESO := ssmtypes.Tag{
 		Key:   &managedBy,
 		Value: &externalSecrets,
 	}
@@ -291,26 +305,16 @@ func TestPushSecret(t *testing.T) {
 	getParameterOutput := &ssm.GetParameterOutput{}
 	describeParameterOutput := &ssm.DescribeParametersOutput{}
 	validListTagsForResourceOutput := &ssm.ListTagsForResourceOutput{
-		TagList: []*ssm.Tag{&managedByESO},
+		TagList: []ssmtypes.Tag{managedByESO},
 	}
 	noTagsResourceOutput := &ssm.ListTagsForResourceOutput{}
 
 	validGetParameterOutput := &ssm.GetParameterOutput{
-		Parameter: &ssm.Parameter{
-			ARN:              nil,
-			DataType:         nil,
-			LastModifiedDate: nil,
-			Name:             nil,
-			Selector:         nil,
-			SourceResult:     nil,
-			Type:             nil,
-			Value:            nil,
-			Version:          nil,
-		},
+		Parameter: &ssmtypes.Parameter{},
 	}
 
 	sameGetParameterOutput := &ssm.GetParameterOutput{
-		Parameter: &ssm.Parameter{
+		Parameter: &ssmtypes.Parameter{
 			Value: &fakeValue,
 		},
 	}
@@ -335,10 +339,10 @@ func TestPushSecret(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(getParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(getParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -350,10 +354,10 @@ func TestPushSecret(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(getParameterOutput, invalidParameters),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(getParameterOutput, invalidParameters),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -365,10 +369,10 @@ func TestPushSecret(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, alreadyExistsError),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(getParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, alreadyExistsError),
+					GetParameterFn:        fakeps.NewGetParameterFn(getParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -380,10 +384,10 @@ func TestPushSecret(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(validGetParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(validGetParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -395,10 +399,10 @@ func TestPushSecret(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(validGetParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(noTagsResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(validGetParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(noTagsResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -410,10 +414,10 @@ func TestPushSecret(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(validGetParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(nil, errors.New("you shall not tag")),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(validGetParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(nil, errors.New("you shall not tag")),
 				},
 			},
 			want: want{
@@ -425,10 +429,10 @@ func TestPushSecret(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(sameGetParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(sameGetParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -450,10 +454,10 @@ func TestPushSecret(t *testing.T) {
 					}`),
 				},
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(sameGetParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(sameGetParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -474,10 +478,10 @@ func TestPushSecret(t *testing.T) {
 					}`),
 				},
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(sameGetParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(sameGetParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -492,10 +496,10 @@ func TestPushSecret(t *testing.T) {
 					Raw: []byte(`{ fakeMetadataKey: "" }`),
 				},
 				client: fakeps.Client{
-					PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(sameGetParameterOutput, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn:        fakeps.NewGetParameterFn(sameGetParameterOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -517,15 +521,15 @@ func TestPushSecret(t *testing.T) {
 					}`),
 				},
 				client: fakeps.Client{
-					PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(&ssm.GetParameterOutput{
-						Parameter: &ssm.Parameter{
-							Type:  aws.String("SecureString"),
+					PutParameterFn: fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn: fakeps.NewGetParameterFn(&ssm.GetParameterOutput{
+						Parameter: &ssmtypes.Parameter{
+							Type:  ssmtypes.ParameterTypeSecureString,
 							Value: aws.String("sensitive"),
 						},
 					}, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -567,15 +571,15 @@ func TestPushSecret(t *testing.T) {
 					}`),
 				},
 				client: fakeps.Client{
-					PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-					GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(&ssm.GetParameterOutput{
-						Parameter: &ssm.Parameter{
-							Type:  aws.String("SecureString"),
+					PutParameterFn: fakeps.NewPutParameterFn(putParameterOutput, nil),
+					GetParameterFn: fakeps.NewGetParameterFn(&ssm.GetParameterOutput{
+						Parameter: &ssmtypes.Parameter{
+							Type:  ssmtypes.ParameterTypeSecureString,
 							Value: aws.String("sensitive"),
 						},
 					}, nil),
-					DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-					ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+					DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+					ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 				},
 			},
 			want: want{
@@ -616,7 +620,7 @@ func TestPushSecretWithPrefix(t *testing.T) {
 			fakeSecretKey: []byte(fakeValue),
 		},
 	}
-	managedByESO := ssm.Tag{
+	managedByESO := ssmtypes.Tag{
 		Key:   &managedBy,
 		Value: &externalSecrets,
 	}
@@ -624,14 +628,14 @@ func TestPushSecretWithPrefix(t *testing.T) {
 	getParameterOutput := &ssm.GetParameterOutput{}
 	describeParameterOutput := &ssm.DescribeParametersOutput{}
 	validListTagsForResourceOutput := &ssm.ListTagsForResourceOutput{
-		TagList: []*ssm.Tag{&managedByESO},
+		TagList: []ssmtypes.Tag{managedByESO},
 	}
 
 	client := fakeps.Client{
-		PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-		GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(getParameterOutput, nil),
-		DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-		ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+		PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+		GetParameterFn:        fakeps.NewGetParameterFn(getParameterOutput, nil),
+		DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+		ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 	}
 
 	psd := fake.PushSecretData{SecretKey: fakeSecretKey, RemoteKey: remoteKey}
@@ -642,7 +646,7 @@ func TestPushSecretWithPrefix(t *testing.T) {
 	err := ps.PushSecret(context.TODO(), fakeSecret, psd)
 	require.NoError(t, err)
 
-	input := client.PutParameterWithContextFnCalledWith[0][0]
+	input := client.PutParameterFnCalledWith[0][0]
 	assert.Equal(t, "/test/this/thing/fake-key", *input.Name)
 }
 
@@ -652,7 +656,7 @@ func TestPushSecretWithoutKeyAndEncodedAsDecodedTrue(t *testing.T) {
 			fakeSecretKey: []byte(fakeValue),
 		},
 	}
-	managedByESO := ssm.Tag{
+	managedByESO := ssmtypes.Tag{
 		Key:   &managedBy,
 		Value: &externalSecrets,
 	}
@@ -660,14 +664,14 @@ func TestPushSecretWithoutKeyAndEncodedAsDecodedTrue(t *testing.T) {
 	getParameterOutput := &ssm.GetParameterOutput{}
 	describeParameterOutput := &ssm.DescribeParametersOutput{}
 	validListTagsForResourceOutput := &ssm.ListTagsForResourceOutput{
-		TagList: []*ssm.Tag{&managedByESO},
+		TagList: []ssmtypes.Tag{managedByESO},
 	}
 
 	client := fakeps.Client{
-		PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-		GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(getParameterOutput, nil),
-		DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-		ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+		PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+		GetParameterFn:        fakeps.NewGetParameterFn(getParameterOutput, nil),
+		DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+		ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 	}
 
 	psd := fake.PushSecretData{RemoteKey: remoteKey, Metadata: &apiextensionsv1.JSON{Raw: []byte(`
@@ -683,7 +687,7 @@ spec:
 	err := ps.PushSecret(context.TODO(), fakeSecret, psd)
 	require.NoError(t, err)
 
-	input := client.PutParameterWithContextFnCalledWith[0][0]
+	input := client.PutParameterFnCalledWith[0][0]
 	assert.Equal(t, "{\"fakeSecretKey\":\"fakeValue\"}", *input.Value)
 }
 
@@ -694,27 +698,27 @@ func TestPushSecretCalledOnlyOnce(t *testing.T) {
 		},
 	}
 
-	managedByESO := ssm.Tag{
+	managedByESO := ssmtypes.Tag{
 		Key:   &managedBy,
 		Value: &externalSecrets,
 	}
 
 	putParameterOutput := &ssm.PutParameterOutput{}
 	validGetParameterOutput := &ssm.GetParameterOutput{
-		Parameter: &ssm.Parameter{
+		Parameter: &ssmtypes.Parameter{
 			Value: &fakeValue,
 		},
 	}
 	describeParameterOutput := &ssm.DescribeParametersOutput{}
 	validListTagsForResourceOutput := &ssm.ListTagsForResourceOutput{
-		TagList: []*ssm.Tag{&managedByESO},
+		TagList: []ssmtypes.Tag{managedByESO},
 	}
 
 	client := fakeps.Client{
-		PutParameterWithContextFn:        fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
-		GetParameterWithContextFn:        fakeps.NewGetParameterWithContextFn(validGetParameterOutput, nil),
-		DescribeParametersWithContextFn:  fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
-		ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
+		PutParameterFn:        fakeps.NewPutParameterFn(putParameterOutput, nil),
+		GetParameterFn:        fakeps.NewGetParameterFn(validGetParameterOutput, nil),
+		DescribeParametersFn:  fakeps.NewDescribeParametersFn(describeParameterOutput, nil),
+		ListTagsForResourceFn: fakeps.NewListTagsForResourceFn(validListTagsForResourceOutput, nil),
 	}
 
 	psd := fake.PushSecretData{SecretKey: fakeSecretKey, RemoteKey: remoteKey}
@@ -724,7 +728,7 @@ func TestPushSecretCalledOnlyOnce(t *testing.T) {
 
 	require.NoError(t, ps.PushSecret(context.TODO(), fakeSecret, psd))
 
-	assert.Equal(t, 0, client.PutParameterWithContextCalledN)
+	assert.Equal(t, 0, client.PutParameterCalledN)
 }
 
 // test the ssm<->aws interface
@@ -801,7 +805,7 @@ func TestGetSecret(t *testing.T) {
 		output := ssm.ListTagsForResourceOutput{
 			TagList: getTagSlice(),
 		}
-		pstc.fakeClient.ListTagsForResourceWithContextFn = fakeps.NewListTagsForResourceWithContextFn(&output, nil)
+		pstc.fakeClient.ListTagsForResourceFn = fakeps.NewListTagsForResourceFn(&output, nil)
 		pstc.expectedSecret, _ = util.ParameterTagsToJSONString(getTagSlice())
 	}
 
@@ -811,7 +815,7 @@ func TestGetSecret(t *testing.T) {
 		output := ssm.ListTagsForResourceOutput{
 			TagList: getTagSlice(),
 		}
-		pstc.fakeClient.ListTagsForResourceWithContextFn = fakeps.NewListTagsForResourceWithContextFn(&output, nil)
+		pstc.fakeClient.ListTagsForResourceFn = fakeps.NewListTagsForResourceFn(&output, nil)
 		pstc.remoteRef.Property = "tagname2"
 		pstc.expectedSecret = "tagvalue2"
 	}
@@ -822,7 +826,7 @@ func TestGetSecret(t *testing.T) {
 		output := ssm.ListTagsForResourceOutput{
 			TagList: getTagSlice(),
 		}
-		pstc.fakeClient.ListTagsForResourceWithContextFn = fakeps.NewListTagsForResourceWithContextFn(&output, nil)
+		pstc.fakeClient.ListTagsForResourceFn = fakeps.NewListTagsForResourceFn(&output, nil)
 		pstc.remoteRef.Property = invalidProp
 		pstc.expectError = errInvalidProperty
 	}
@@ -873,7 +877,7 @@ func TestGetSecretMap(t *testing.T) {
 
 	// bad case: api error returned
 	setAPIError := func(pstc *parameterstoreTestCase) {
-		pstc.apiOutput.Parameter = &ssm.Parameter{}
+		pstc.apiOutput.Parameter = &ssmtypes.Parameter{}
 		pstc.expectError = "some api err"
 		pstc.apiErr = errors.New("some api err")
 	}
@@ -930,13 +934,13 @@ func ErrorContains(out error, want string) bool {
 	return strings.Contains(out.Error(), want)
 }
 
-func getTagSlice() []*ssm.Tag {
+func getTagSlice() []ssmtypes.Tag {
 	tagKey1 := "tagname1"
 	tagValue1 := "tagvalue1"
 	tagKey2 := "tagname2"
 	tagValue2 := "tagvalue2"
 
-	return []*ssm.Tag{
+	return []ssmtypes.Tag{
 		{
 			Key:   &tagKey1,
 			Value: &tagValue1,
@@ -950,14 +954,14 @@ func getTagSlice() []*ssm.Tag {
 
 func TestSecretExists(t *testing.T) {
 	parameterOutput := &ssm.GetParameterOutput{
-		Parameter: &ssm.Parameter{
+		Parameter: &ssmtypes.Parameter{
 			Value: aws.String("sensitive"),
 		},
 	}
 
 	blankParameterOutput := &ssm.GetParameterOutput{}
-	getParameterCorrectErr := ssm.ResourceNotFoundException{}
-	getParameterWrongErr := ssm.InvalidParameters{}
+	getParameterCorrectErr := ssmtypes.ResourceNotFoundException{}
+	getParameterWrongErr := ssmtypes.InvalidParameters{}
 
 	pushSecretDataWithoutProperty := fake.PushSecretData{SecretKey: "fake-secret-key", RemoteKey: fakeSecretKey, Property: ""}
 
@@ -980,7 +984,7 @@ func TestSecretExists(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(parameterOutput, nil),
+					GetParameterFn: fakeps.NewGetParameterFn(parameterOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -993,7 +997,7 @@ func TestSecretExists(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(blankParameterOutput, &getParameterCorrectErr),
+					GetParameterFn: fakeps.NewGetParameterFn(blankParameterOutput, &getParameterCorrectErr),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -1006,7 +1010,7 @@ func TestSecretExists(t *testing.T) {
 			args: args{
 				store: makeValidParameterStore().Spec.Provider.AWS,
 				client: fakeps.Client{
-					GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(blankParameterOutput, &getParameterWrongErr),
+					GetParameterFn: fakeps.NewGetParameterFn(blankParameterOutput, &getParameterWrongErr),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},

pkg/provider/aws/parameterstore/resolver.go

@@ -0,0 +1,46 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package parameterstore
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"os"
+
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	smithyendpoints "github.com/aws/smithy-go/endpoints"
+)
+
+// SSMEndpointEnv is the environment variable to use for Parameter Store endpoint.
+const SSMEndpointEnv = "AWS_SSM_ENDPOINT"
+
+// customEndpointResolver is a custom resolver for AWS Parameter Store endpoint.
+type customEndpointResolver struct{}
+
+// ResolveEndpoint resolves the endpoint for the Parameter Store service.
+func (c customEndpointResolver) ResolveEndpoint(ctx context.Context, params ssm.EndpointParameters) (smithyendpoints.Endpoint, error) {
+	endpoint := smithyendpoints.Endpoint{}
+	if v := os.Getenv(SSMEndpointEnv); v != "" {
+		url, err := url.Parse(v)
+		if err != nil {
+			return endpoint, fmt.Errorf("failed to parse ssm endpoint %s: %w", v, err)
+		}
+		endpoint.URI = *url
+		return endpoint, nil
+	}
+	defaultResolver := ssm.NewDefaultEndpointResolverV2()
+	return defaultResolver.ResolveEndpoint(ctx, params)
+}

pkg/provider/aws/provider.go

@@ -19,12 +19,11 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	awsclient "github.com/aws/aws-sdk-go/aws/client"
-	"github.com/aws/aws-sdk-go/aws/endpoints"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/aws/session"
-	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/retry"
+	"github.com/aws/aws-sdk-go-v2/config"
+	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
@@ -100,29 +99,27 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 }
 
 func validateRegion(prov *esv1.AWSProvider) error {
-	resolver := endpoints.DefaultResolver()
-	partitions := resolver.(endpoints.EnumPartitions).Partitions()
-	found := false
-	for _, p := range partitions {
-		var serviceskey string
-		if prov.Service == esv1.AWSServiceSecretsManager {
-			serviceskey = "secretsmanager"
-		} else if prov.Service == esv1.AWSServiceParameterStore {
-			serviceskey = "ssm"
+	switch prov.Service {
+	case esv1.AWSServiceSecretsManager:
+		resolver := awssm.NewDefaultEndpointResolverV2()
+		_, err := resolver.ResolveEndpoint(context.TODO(), awssm.EndpointParameters{
+			Region: &prov.Region,
+		})
+		if err != nil {
+			return fmt.Errorf(errRegionNotFound, prov.Region)
 		}
-		service, ok := p.Services()[serviceskey]
-		if ok {
-			for region := range service.Endpoints() {
-				if region == prov.Region {
-					found = true
-				}
-			}
+		return nil
+	case esv1.AWSServiceParameterStore:
+		resolver := ssm.NewDefaultEndpointResolverV2()
+		_, err := resolver.ResolveEndpoint(context.TODO(), ssm.EndpointParameters{
+			Region: &prov.Region,
+		})
+		if err != nil {
+			return fmt.Errorf(errRegionNotFound, prov.Region)
 		}
+		return nil
 	}
-	if !found {
-		return fmt.Errorf(errRegionNotFound, prov.Region)
-	}
-	return nil
+	return fmt.Errorf(errUnknownProviderService, prov.Service)
 }
 
 func validateSecretsManagerConfig(prov *esv1.AWSProvider) error {
@@ -150,18 +147,26 @@ func newClient(ctx context.Context, store esv1.GenericStore, kube client.Client,
 	// when using referent namespace.
 	if util.IsReferentSpec(prov.Auth) && namespace == "" &&
 		store.GetObjectKind().GroupVersionKind().Kind == esv1.ClusterSecretStoreKind {
-		cfg = aws.NewConfig().WithRegion("eu-west-1").WithEndpointResolver(awsauth.ResolveEndpoint())
-		sess := &session.Session{Config: cfg}
+		cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion("eu-west-1"))
+		if err != nil {
+			return nil, fmt.Errorf(errInitAWSProvider, err)
+		}
 		switch prov.Service {
 		case esv1.AWSServiceSecretsManager:
-			return secretsmanager.New(sess, cfg, prov.SecretsManager, storeSpec.Provider.AWS.Prefix, true)
+			return secretsmanager.New(ctx, &cfg, prov.SecretsManager, storeSpec.Provider.AWS.Prefix, true)
 		case esv1.AWSServiceParameterStore:
-			return parameterstore.New(sess, cfg, storeSpec.Provider.AWS.Prefix, true)
+			return parameterstore.New(ctx, &cfg, storeSpec.Provider.AWS.Prefix, true)
 		}
 		return nil, fmt.Errorf(errUnknownProviderService, prov.Service)
 	}
 
-	sess, err := awsauth.New(ctx, store, kube, namespace, assumeRoler, awsauth.DefaultJWTProvider)
+	cfg, err = awsauth.New(ctx, awsauth.Opts{
+		Store:       store,
+		Kube:        kube,
+		Namespace:   namespace,
+		AssumeRoler: assumeRoler,
+		JWTProvider: awsauth.DefaultJWTProvider,
+	})
 	if err != nil {
 		return nil, fmt.Errorf(errUnableCreateSession, err)
 	}
@@ -183,23 +188,42 @@ func newClient(ctx context.Context, store esv1.GenericStore, kube client.Client,
 		if err != nil {
 			return nil, fmt.Errorf(errInitAWSProvider, err)
 		}
-		awsRetryer := awsclient.DefaultRetryer{
-			NumMaxRetries:    retryAmount,
-			MinRetryDelay:    retryDuration,
-			MaxThrottleDelay: 120 * time.Second,
+		// awsRetryer := awsclient.DefaultRetryer{
+		// 	NumMaxRetries:    retryAmount,
+		// 	MinRetryDelay:    retryDuration,
+		// 	MaxThrottleDelay: 120 * time.Second,  Not sure how to set this in sdk go v2
+		// }
+
+		cfg.Retryer = func() aws.Retryer {
+			return retry.AddWithMaxAttempts(
+				retry.NewStandard(func(o *retry.StandardOptions) {
+					if retryDuration > 0 {
+						o.Backoff = fixedDelayer{delay: retryDuration}
+					}
+				}),
+				retryAmount,
+			)
 		}
-		cfg = request.WithRetryer(aws.NewConfig(), awsRetryer)
 	}
 
 	switch prov.Service {
 	case esv1.AWSServiceSecretsManager:
-		return secretsmanager.New(sess, cfg, prov.SecretsManager, storeSpec.Provider.AWS.Prefix, false)
+		return secretsmanager.New(ctx, cfg, prov.SecretsManager, storeSpec.Provider.AWS.Prefix, false)
 	case esv1.AWSServiceParameterStore:
-		return parameterstore.New(sess, cfg, storeSpec.Provider.AWS.Prefix, false)
+		return parameterstore.New(ctx, cfg, storeSpec.Provider.AWS.Prefix, false)
 	}
 	return nil, fmt.Errorf(errUnknownProviderService, prov.Service)
 }
 
+// Add this type at package level.
+type fixedDelayer struct {
+	delay time.Duration
+}
+
+func (f fixedDelayer) BackoffDelay(attempt int, err error) (time.Duration, error) {
+	return f.delay, nil
+}
+
 func init() {
 	esv1.Register(&Provider{}, &esv1.SecretStoreProvider{
 		AWS: &esv1.AWSProvider{},

pkg/provider/aws/provider_test.go

@@ -20,9 +20,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,6 +29,7 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager"
 )
@@ -522,7 +521,7 @@ func TestValidRetryInput(t *testing.T) {
 			"ak":  []byte("OK"),
 		},
 	}).Build()
-	provider := func(*session.Session) stsiface.STSAPI { return nil }
+	provider := func(aws.Config) awsauth.STSprovider { return nil }
 
 	_, err := newClient(ctx, spec, kube, "default", provider)
 

pkg/provider/aws/secretsmanager/fake/fake.go

@@ -16,43 +16,43 @@ package fake
 
 import (
 	"bytes"
+	"context"
 	"errors"
 	"fmt"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/request"
-	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
+	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"k8s.io/utils/ptr"
 )
 
 // Client implements the aws secretsmanager interface.
 type Client struct {
-	ExecutionCounter                 int
-	valFn                            map[string]func(*awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error)
-	CreateSecretWithContextFn        CreateSecretWithContextFn
-	GetSecretValueWithContextFn      GetSecretValueWithContextFn
-	PutSecretValueWithContextFn      PutSecretValueWithContextFn
-	DescribeSecretWithContextFn      DescribeSecretWithContextFn
-	DeleteSecretWithContextFn        DeleteSecretWithContextFn
-	ListSecretsFn                    ListSecretsFn
-	BatchGetSecretValueWithContextFn BatchGetSecretValueWithContextFn
-}
-
-type CreateSecretWithContextFn func(aws.Context, *awssm.CreateSecretInput, ...request.Option) (*awssm.CreateSecretOutput, error)
-type GetSecretValueWithContextFn func(aws.Context, *awssm.GetSecretValueInput, ...request.Option) (*awssm.GetSecretValueOutput, error)
-type PutSecretValueWithContextFn func(aws.Context, *awssm.PutSecretValueInput, ...request.Option) (*awssm.PutSecretValueOutput, error)
-type DescribeSecretWithContextFn func(aws.Context, *awssm.DescribeSecretInput, ...request.Option) (*awssm.DescribeSecretOutput, error)
-type DeleteSecretWithContextFn func(ctx aws.Context, input *awssm.DeleteSecretInput, opts ...request.Option) (*awssm.DeleteSecretOutput, error)
-type ListSecretsFn func(ctx aws.Context, input *awssm.ListSecretsInput, opts ...request.Option) (*awssm.ListSecretsOutput, error)
-type BatchGetSecretValueWithContextFn func(aws.Context, *awssm.BatchGetSecretValueInput, ...request.Option) (*awssm.BatchGetSecretValueOutput, error)
-
-func (sm Client) CreateSecretWithContext(ctx aws.Context, input *awssm.CreateSecretInput, options ...request.Option) (*awssm.CreateSecretOutput, error) {
-	return sm.CreateSecretWithContextFn(ctx, input, options...)
-}
-
-func NewCreateSecretWithContextFn(output *awssm.CreateSecretOutput, err error, expectedSecretBinary ...[]byte) CreateSecretWithContextFn {
-	return func(ctx aws.Context, actualInput *awssm.CreateSecretInput, options ...request.Option) (*awssm.CreateSecretOutput, error) {
+	ExecutionCounter      int
+	valFn                 map[string]func(*awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error)
+	CreateSecretFn        CreateSecretFn
+	GetSecretValueFn      GetSecretValueFn
+	PutSecretValueFn      PutSecretValueFn
+	DescribeSecretFn      DescribeSecretFn
+	DeleteSecretFn        DeleteSecretFn
+	ListSecretsFn         ListSecretsFn
+	BatchGetSecretValueFn BatchGetSecretValueFn
+}
+type CreateSecretFn func(context.Context, *awssm.CreateSecretInput, ...func(*awssm.Options)) (*awssm.CreateSecretOutput, error)
+type GetSecretValueFn func(context.Context, *awssm.GetSecretValueInput, ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error)
+type PutSecretValueFn func(context.Context, *awssm.PutSecretValueInput, ...func(*awssm.Options)) (*awssm.PutSecretValueOutput, error)
+type DescribeSecretFn func(context.Context, *awssm.DescribeSecretInput, ...func(*awssm.Options)) (*awssm.DescribeSecretOutput, error)
+type DeleteSecretFn func(context.Context, *awssm.DeleteSecretInput, ...func(*awssm.Options)) (*awssm.DeleteSecretOutput, error)
+type ListSecretsFn func(context.Context, *awssm.ListSecretsInput, ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error)
+type BatchGetSecretValueFn func(context.Context, *awssm.BatchGetSecretValueInput, ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error)
+
+func (sm Client) CreateSecret(ctx context.Context, input *awssm.CreateSecretInput, options ...func(*awssm.Options)) (*awssm.CreateSecretOutput, error) {
+	return sm.CreateSecretFn(ctx, input, options...)
+}
+
+func NewCreateSecretFn(output *awssm.CreateSecretOutput, err error, expectedSecretBinary ...[]byte) CreateSecretFn {
+	return func(ctx context.Context, actualInput *awssm.CreateSecretInput, options ...func(*awssm.Options)) (*awssm.CreateSecretOutput, error) {
 		if *actualInput.ClientRequestToken != "00000000-0000-0000-0000-000000000001" {
 			return nil, errors.New("expected the version to be 1 at creation")
 		}
@@ -66,31 +66,27 @@ func NewCreateSecretWithContextFn(output *awssm.CreateSecretOutput, err error, e
 	}
 }
 
-func (sm Client) DeleteSecretWithContext(ctx aws.Context, input *awssm.DeleteSecretInput, opts ...request.Option) (*awssm.DeleteSecretOutput, error) {
-	return sm.DeleteSecretWithContextFn(ctx, input, opts...)
+func (sm Client) DeleteSecret(ctx context.Context, input *awssm.DeleteSecretInput, opts ...func(*awssm.Options)) (*awssm.DeleteSecretOutput, error) {
+	return sm.DeleteSecretFn(ctx, input, opts...)
 }
 
-func NewDeleteSecretWithContextFn(output *awssm.DeleteSecretOutput, err error) DeleteSecretWithContextFn {
-	return func(ctx aws.Context, input *awssm.DeleteSecretInput, opts ...request.Option) (*awssm.DeleteSecretOutput, error) {
+func NewDeleteSecretFn(output *awssm.DeleteSecretOutput, err error) DeleteSecretFn {
+	return func(ctx context.Context, input *awssm.DeleteSecretInput, opts ...func(*awssm.Options)) (*awssm.DeleteSecretOutput, error) {
 		if input.ForceDeleteWithoutRecovery != nil && *input.ForceDeleteWithoutRecovery {
-			output.SetDeletionDate(time.Now())
+			output.DeletionDate = ptr.To(time.Now())
 		}
 		return output, err
 	}
 }
 
-func (sm Client) GetSecretValueWithContext(ctx aws.Context, input *awssm.GetSecretValueInput, options ...request.Option) (*awssm.GetSecretValueOutput, error) {
-	return sm.GetSecretValueWithContextFn(ctx, input, options...)
-}
-
-func NewGetSecretValueWithContextFn(output *awssm.GetSecretValueOutput, err error) GetSecretValueWithContextFn {
-	return func(aws.Context, *awssm.GetSecretValueInput, ...request.Option) (*awssm.GetSecretValueOutput, error) {
+func NewGetSecretValueFn(output *awssm.GetSecretValueOutput, err error) GetSecretValueFn {
+	return func(ctx context.Context, input *awssm.GetSecretValueInput, options ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error) {
 		return output, err
 	}
 }
 
-func (sm Client) PutSecretValueWithContext(ctx aws.Context, input *awssm.PutSecretValueInput, options ...request.Option) (*awssm.PutSecretValueOutput, error) {
-	return sm.PutSecretValueWithContextFn(ctx, input, options...)
+func (sm Client) PutSecretValue(ctx context.Context, input *awssm.PutSecretValueInput, options ...func(*awssm.Options)) (*awssm.PutSecretValueOutput, error) {
+	return sm.PutSecretValueFn(ctx, input, options...)
 }
 
 type ExpectedPutSecretValueInput struct {
@@ -125,8 +121,8 @@ func (e ExpectedPutSecretValueInput) assertVersion(actualInput *awssm.PutSecretV
 	return nil
 }
 
-func NewPutSecretValueWithContextFn(output *awssm.PutSecretValueOutput, err error, expectedInput ...ExpectedPutSecretValueInput) PutSecretValueWithContextFn {
-	return func(actualContext aws.Context, actualInput *awssm.PutSecretValueInput, actualOptions ...request.Option) (*awssm.PutSecretValueOutput, error) {
+func NewPutSecretValueFn(output *awssm.PutSecretValueOutput, err error, expectedInput ...ExpectedPutSecretValueInput) PutSecretValueFn {
+	return func(ctx context.Context, actualInput *awssm.PutSecretValueInput, actualOptions ...func(*awssm.Options)) (*awssm.PutSecretValueOutput, error) {
 		if len(expectedInput) == 1 {
 			assertErr := expectedInput[0].assertEquals(actualInput)
 			if assertErr != nil {
@@ -137,12 +133,12 @@ func NewPutSecretValueWithContextFn(output *awssm.PutSecretValueOutput, err erro
 	}
 }
 
-func (sm Client) DescribeSecretWithContext(ctx aws.Context, input *awssm.DescribeSecretInput, options ...request.Option) (*awssm.DescribeSecretOutput, error) {
-	return sm.DescribeSecretWithContextFn(ctx, input, options...)
+func (sm Client) DescribeSecret(ctx context.Context, input *awssm.DescribeSecretInput, options ...func(*awssm.Options)) (*awssm.DescribeSecretOutput, error) {
+	return sm.DescribeSecretFn(ctx, input, options...)
 }
 
-func NewDescribeSecretWithContextFn(output *awssm.DescribeSecretOutput, err error) DescribeSecretWithContextFn {
-	return func(aws.Context, *awssm.DescribeSecretInput, ...request.Option) (*awssm.DescribeSecretOutput, error) {
+func NewDescribeSecretFn(output *awssm.DescribeSecretOutput, err error) DescribeSecretFn {
+	return func(ctx context.Context, input *awssm.DescribeSecretInput, options ...func(*awssm.Options)) (*awssm.DescribeSecretOutput, error) {
 		return output, err
 	}
 }
@@ -154,7 +150,11 @@ func NewClient() *Client {
 	}
 }
 
-func (sm *Client) GetSecretValue(in *awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error) {
+func (sm *Client) GetSecretValue(ctx context.Context, in *awssm.GetSecretValueInput, options ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error) {
+	// check if there's a direct fake function for this input
+	if sm.GetSecretValueFn != nil {
+		return sm.GetSecretValueFn(ctx, in, options...)
+	}
 	sm.ExecutionCounter++
 	if entry, found := sm.valFn[sm.cacheKeyForInput(in)]; found {
 		return entry(in)
@@ -162,12 +162,12 @@ func (sm *Client) GetSecretValue(in *awssm.GetSecretValueInput) (*awssm.GetSecre
 	return nil, errors.New("test case not found")
 }
 
-func (sm *Client) ListSecrets(input *awssm.ListSecretsInput) (*awssm.ListSecretsOutput, error) {
-	return sm.ListSecretsFn(nil, input)
+func (sm *Client) ListSecrets(ctx context.Context, input *awssm.ListSecretsInput, options ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error) {
+	return sm.ListSecretsFn(ctx, input, options...)
 }
 
-func (sm *Client) BatchGetSecretValueWithContext(_ aws.Context, in *awssm.BatchGetSecretValueInput, _ ...request.Option) (*awssm.BatchGetSecretValueOutput, error) {
-	return sm.BatchGetSecretValueWithContextFn(nil, in)
+func (sm *Client) BatchGetSecretValue(ctx context.Context, in *awssm.BatchGetSecretValueInput, options ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error) {
+	return sm.BatchGetSecretValueFn(ctx, in, options...)
 }
 
 func (sm *Client) cacheKeyForInput(in *awssm.GetSecretValueInput) string {
@@ -183,7 +183,7 @@ func (sm *Client) cacheKeyForInput(in *awssm.GetSecretValueInput) string {
 
 func (sm *Client) WithValue(in *awssm.GetSecretValueInput, val *awssm.GetSecretValueOutput, err error) {
 	sm.valFn[sm.cacheKeyForInput(in)] = func(paramIn *awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error) {
-		if !cmp.Equal(paramIn, in) {
+		if !cmp.Equal(paramIn, in, cmpopts.IgnoreUnexported(awssm.GetSecretValueInput{})) {
 			return nil, errors.New("unexpected test argument")
 		}
 		return val, err

pkg/provider/aws/secretsmanager/resolver.go

@@ -0,0 +1,48 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secretsmanager
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"os"
+
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	smithyendpoints "github.com/aws/smithy-go/endpoints"
+)
+
+const (
+	SecretsManagerEndpointEnv = "AWS_SECRETSMANAGER_ENDPOINT"
+)
+
+type customEndpointResolver struct{}
+
+// ResolveEndpoint returns a ResolverFunc with
+// customizable endpoints.
+
+func (c customEndpointResolver) ResolveEndpoint(ctx context.Context, params secretsmanager.EndpointParameters) (smithyendpoints.Endpoint, error) {
+	endpoint := smithyendpoints.Endpoint{}
+	if v := os.Getenv(SecretsManagerEndpointEnv); v != "" {
+		url, err := url.Parse(v)
+		if err != nil {
+			return endpoint, fmt.Errorf("failed to parse secretsmanager endpoint %s: %w", v, err)
+		}
+		endpoint.URI = *url
+		return endpoint, nil
+	}
+	defaultResolver := secretsmanager.NewDefaultEndpointResolverV2()
+	return defaultResolver.ResolveEndpoint(ctx, params)
+}

pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -24,11 +24,10 @@ import (
 	"slices"
 	"strings"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/aws/session"
-	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
+	"github.com/aws/smithy-go"
 	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
@@ -55,9 +54,10 @@ type PushSecretMetadataSpec struct {
 
 // Declares metadata information for pushing secrets to AWS Secret Store.
 const (
-	SecretPushFormatKey    = "secretPushFormat"
-	SecretPushFormatString = "string"
-	SecretPushFormatBinary = "binary"
+	SecretPushFormatKey       = "secretPushFormat"
+	SecretPushFormatString    = "string"
+	SecretPushFormatBinary    = "binary"
+	ResourceNotFoundException = "ResourceNotFoundException"
 )
 
 // https://github.com/external-secrets/external-secrets/issues/644
@@ -65,8 +65,8 @@ var _ esv1.SecretsClient = &SecretsManager{}
 
 // SecretsManager is a provider for AWS SecretsManager.
 type SecretsManager struct {
-	sess         *session.Session
-	client       SMInterface
+	cfg          *aws.Config
+	client       SMInterface // Keep the interface
 	referentAuth bool
 	cache        map[string]*awssm.GetSecretValueOutput
 	config       *esv1.SecretsManager
@@ -76,14 +76,13 @@ type SecretsManager struct {
 // SMInterface is a subset of the smiface api.
 // see: https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/secretsmanageriface/
 type SMInterface interface {
-	BatchGetSecretValueWithContext(aws.Context, *awssm.BatchGetSecretValueInput, ...request.Option) (*awssm.BatchGetSecretValueOutput, error)
-	ListSecrets(*awssm.ListSecretsInput) (*awssm.ListSecretsOutput, error)
-	GetSecretValue(*awssm.GetSecretValueInput) (*awssm.GetSecretValueOutput, error)
-	CreateSecretWithContext(aws.Context, *awssm.CreateSecretInput, ...request.Option) (*awssm.CreateSecretOutput, error)
-	GetSecretValueWithContext(aws.Context, *awssm.GetSecretValueInput, ...request.Option) (*awssm.GetSecretValueOutput, error)
-	PutSecretValueWithContext(aws.Context, *awssm.PutSecretValueInput, ...request.Option) (*awssm.PutSecretValueOutput, error)
-	DescribeSecretWithContext(aws.Context, *awssm.DescribeSecretInput, ...request.Option) (*awssm.DescribeSecretOutput, error)
-	DeleteSecretWithContext(ctx aws.Context, input *awssm.DeleteSecretInput, opts ...request.Option) (*awssm.DeleteSecretOutput, error)
+	BatchGetSecretValue(ctx context.Context, params *awssm.BatchGetSecretValueInput, optFuncs ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error)
+	ListSecrets(ctx context.Context, params *awssm.ListSecretsInput, optFuncs ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error)
+	GetSecretValue(ctx context.Context, params *awssm.GetSecretValueInput, optFuncs ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error)
+	CreateSecret(ctx context.Context, params *awssm.CreateSecretInput, optFuncs ...func(*awssm.Options)) (*awssm.CreateSecretOutput, error)
+	PutSecretValue(ctx context.Context, params *awssm.PutSecretValueInput, optFuncs ...func(*awssm.Options)) (*awssm.PutSecretValueOutput, error)
+	DescribeSecret(ctx context.Context, params *awssm.DescribeSecretInput, optFuncs ...func(*awssm.Options)) (*awssm.DescribeSecretOutput, error)
+	DeleteSecret(ctx context.Context, params *awssm.DeleteSecretInput, optFuncs ...func(*awssm.Options)) (*awssm.DeleteSecretOutput, error)
 }
 
 const (
@@ -96,10 +95,12 @@ const (
 var log = ctrl.Log.WithName("provider").WithName("aws").WithName("secretsmanager")
 
 // New creates a new SecretsManager client.
-func New(sess *session.Session, cfg *aws.Config, secretsManagerCfg *esv1.SecretsManager, prefix string, referentAuth bool) (*SecretsManager, error) {
+func New(ctx context.Context, cfg *aws.Config, secretsManagerCfg *esv1.SecretsManager, prefix string, referentAuth bool) (*SecretsManager, error) {
 	return &SecretsManager{
-		sess:         sess,
-		client:       awssm.New(sess, cfg),
+		cfg: cfg,
+		client: awssm.NewFromConfig(*cfg, func(o *awssm.Options) {
+			o.EndpointResolverV2 = customEndpointResolver{}
+		}),
 		referentAuth: referentAuth,
 		cache:        make(map[string]*awssm.GetSecretValueOutput),
 		config:       secretsManagerCfg,
@@ -144,19 +145,19 @@ func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushS
 	secretInput := awssm.DescribeSecretInput{
 		SecretId: &secretName,
 	}
-	awsSecret, err := sm.client.GetSecretValueWithContext(ctx, &secretValue)
+	awsSecret, err := sm.client.GetSecretValue(ctx, &secretValue)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMGetSecretValue, err)
-	var aerr awserr.Error
+	var aerr smithy.APIError
 	if err != nil {
 		if ok := errors.As(err, &aerr); !ok {
 			return err
 		}
-		if aerr.Code() == awssm.ErrCodeResourceNotFoundException {
+		if aerr.ErrorCode() == ResourceNotFoundException {
 			return nil
 		}
 		return err
 	}
-	data, err := sm.client.DescribeSecretWithContext(ctx, &secretInput)
+	data, err := sm.client.DescribeSecret(ctx, &secretInput)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMDescribeSecret, err)
 	if err != nil {
 		return err
@@ -177,7 +178,7 @@ func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushS
 	if err != nil {
 		return err
 	}
-	_, err = sm.client.DeleteSecretWithContext(ctx, deleteInput)
+	_, err = sm.client.DeleteSecret(ctx, deleteInput)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMDeleteSecret, err)
 	return err
 }
@@ -187,7 +188,7 @@ func (sm *SecretsManager) SecretExists(ctx context.Context, pushSecretRef esv1.P
 	secretValue := awssm.GetSecretValueInput{
 		SecretId: &secretName,
 	}
-	_, err := sm.client.GetSecretValueWithContext(ctx, &secretValue)
+	_, err := sm.client.GetSecretValue(ctx, &secretValue)
 	if err != nil {
 		return sm.handleSecretError(err)
 	}
@@ -195,11 +196,11 @@ func (sm *SecretsManager) SecretExists(ctx context.Context, pushSecretRef esv1.P
 }
 
 func (sm *SecretsManager) handleSecretError(err error) (bool, error) {
-	var aerr awserr.Error
+	var aerr smithy.APIError
 	if ok := errors.As(err, &aerr); !ok {
 		return false, err
 	}
-	if aerr.Code() == awssm.ErrCodeResourceNotFoundException {
+	if aerr.ErrorCode() == ResourceNotFoundException {
 		return false, nil
 	}
 	return false, err
@@ -220,7 +221,7 @@ func (sm *SecretsManager) PushSecret(ctx context.Context, secret *corev1.Secret,
 		SecretId: &secretName,
 	}
 
-	awsSecret, err := sm.client.GetSecretValueWithContext(ctx, &secretValue)
+	awsSecret, err := sm.client.GetSecretValue(ctx, &secretValue)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMGetSecretValue, err)
 
 	if psd.GetProperty() != "" {
@@ -231,13 +232,13 @@ func (sm *SecretsManager) PushSecret(ctx context.Context, secret *corev1.Secret,
 		value, _ = sjson.SetBytes([]byte(currentSecret), psd.GetProperty(), value)
 	}
 
-	var aerr awserr.Error
+	var aerr smithy.APIError
 	if err != nil {
 		if ok := errors.As(err, &aerr); !ok {
 			return err
 		}
 
-		if aerr.Code() == awssm.ErrCodeResourceNotFoundException {
+		if aerr.ErrorCode() == ResourceNotFoundException {
 			return sm.createSecretWithContext(ctx, secretName, psd, value)
 		}
 
@@ -310,12 +311,12 @@ func (sm *SecretsManager) findByName(ctx context.Context, ref esv1.ExternalSecre
 		return nil, err
 	}
 
-	filters := make([]*awssm.Filter, 0)
+	filters := make([]types.Filter, 0)
 	if ref.Path != nil {
-		filters = append(filters, &awssm.Filter{
-			Key: utilpointer.To(awssm.FilterNameStringTypeName),
-			Values: []*string{
-				ref.Path,
+		filters = append(filters, types.Filter{
+			Key: types.FilterNameStringTypeName,
+			Values: []string{
+				*ref.Path,
 			},
 		})
 
@@ -328,7 +329,7 @@ func (sm *SecretsManager) findByName(ctx context.Context, ref esv1.ExternalSecre
 	for {
 		// I put this into the for loop on purpose.
 		log.V(0).Info("using ListSecret to fetch all secrets; this is a costly operations, please use batching by defining a _path_")
-		it, err := sm.client.ListSecrets(&awssm.ListSecretsInput{
+		it, err := sm.client.ListSecrets(ctx, &awssm.ListSecretsInput{
 			Filters:   filters,
 			NextToken: nextToken,
 		})
@@ -355,26 +356,26 @@ func (sm *SecretsManager) findByName(ctx context.Context, ref esv1.ExternalSecre
 }
 
 func (sm *SecretsManager) findByTags(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
-	filters := make([]*awssm.Filter, 0)
+	filters := make([]types.Filter, 0)
 	for k, v := range ref.Tags {
-		filters = append(filters, &awssm.Filter{
-			Key: utilpointer.To(awssm.FilterNameStringTypeTagKey),
-			Values: []*string{
-				utilpointer.To(k),
+		filters = append(filters, types.Filter{
+			Key: types.FilterNameStringTypeTagKey,
+			Values: []string{
+				k,
 			},
-		}, &awssm.Filter{
-			Key: utilpointer.To(awssm.FilterNameStringTypeTagValue),
-			Values: []*string{
-				utilpointer.To(v),
+		}, types.Filter{
+			Key: types.FilterNameStringTypeTagValue,
+			Values: []string{
+				v,
 			},
 		})
 	}
 
 	if ref.Path != nil {
-		filters = append(filters, &awssm.Filter{
-			Key: utilpointer.To(awssm.FilterNameStringTypeName),
-			Values: []*string{
-				ref.Path,
+		filters = append(filters, types.Filter{
+			Key: types.FilterNameStringTypeName,
+			Values: []string{
+				*ref.Path,
 			},
 		})
 	}
@@ -431,6 +432,10 @@ func (sm *SecretsManager) mapSecretToGjson(secretOut *awssm.GetSecretValueOutput
 }
 
 func (sm *SecretsManager) retrievePayload(secretOut *awssm.GetSecretValueOutput) string {
+	if secretOut == nil {
+		return ""
+	}
+
 	var payload string
 	if secretOut.SecretString != nil {
 		payload = *secretOut.SecretString
@@ -490,10 +495,11 @@ func (sm *SecretsManager) Validate() (esv1.ValidationResult, error) {
 	if sm.referentAuth {
 		return esv1.ValidationResultUnknown, nil
 	}
-	_, err := sm.sess.Config.Credentials.Get()
+	_, err := sm.cfg.Credentials.Retrieve(context.Background())
 	if err != nil {
 		return esv1.ValidationResultError, util.SanitizeErr(err)
 	}
+
 	return esv1.ValidationResultReady, nil
 }
 
@@ -507,7 +513,7 @@ func (sm *SecretsManager) createSecretWithContext(ctx context.Context, secretNam
 		return fmt.Errorf("failed to parse push secret metadata: %w", err)
 	}
 
-	tags := []*awssm.Tag{
+	tags := []types.Tag{
 		{
 			Key:   utilpointer.To(managedBy),
 			Value: utilpointer.To(externalSecrets),
@@ -515,7 +521,7 @@ func (sm *SecretsManager) createSecretWithContext(ctx context.Context, secretNam
 	}
 
 	for k, v := range mdata.Spec.Tags {
-		tags = append(tags, &awssm.Tag{
+		tags = append(tags, types.Tag{
 			Key:   utilpointer.To(k),
 			Value: utilpointer.To(v),
 		})
@@ -530,22 +536,18 @@ func (sm *SecretsManager) createSecretWithContext(ctx context.Context, secretNam
 		KmsKeyId:           utilpointer.To(mdata.Spec.KMSKeyID),
 	}
 	if mdata.Spec.SecretPushFormat == SecretPushFormatString {
-		input.SetSecretBinary(nil).SetSecretString(string(value))
-	}
-
-	err = input.Validate()
-	if err != nil {
-		return fmt.Errorf("failed to validate input: %w", err)
+		input.SecretBinary = nil
+		input.SecretString = aws.String(string(value))
 	}
 
-	_, err = sm.client.CreateSecretWithContext(ctx, input)
+	_, err = sm.client.CreateSecret(ctx, input)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMCreateSecret, err)
 
 	return err
 }
 
 func (sm *SecretsManager) putSecretValueWithContext(ctx context.Context, secretInput awssm.DescribeSecretInput, awsSecret *awssm.GetSecretValueOutput, psd esv1.PushSecretData, value []byte) error {
-	data, err := sm.client.DescribeSecretWithContext(ctx, &secretInput)
+	data, err := sm.client.DescribeSecret(ctx, &secretInput)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMDescribeSecret, err)
 	if err != nil {
 		return err
@@ -571,21 +573,22 @@ func (sm *SecretsManager) putSecretValueWithContext(ctx context.Context, secretI
 		return fmt.Errorf("failed to parse metadata: %w", err)
 	}
 	if secretPushFormat == SecretPushFormatString {
-		input.SetSecretBinary(nil).SetSecretString(string(value))
+		input.SecretBinary = nil
+		input.SecretString = aws.String(string(value))
 	}
 
-	_, err = sm.client.PutSecretValueWithContext(ctx, input)
+	_, err = sm.client.PutSecretValue(ctx, input)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMPutSecretValue, err)
 
 	return err
 }
 
-func (sm *SecretsManager) fetchWithBatch(ctx context.Context, filters []*awssm.Filter, matcher *find.Matcher) (map[string][]byte, error) {
+func (sm *SecretsManager) fetchWithBatch(ctx context.Context, filters []types.Filter, matcher *find.Matcher) (map[string][]byte, error) {
 	data := make(map[string][]byte)
 	var nextToken *string
 
 	for {
-		it, err := sm.client.BatchGetSecretValueWithContext(ctx, &awssm.BatchGetSecretValueInput{
+		it, err := sm.client.BatchGetSecretValue(ctx, &awssm.BatchGetSecretValueInput{
 			Filters:   filters,
 			NextToken: nextToken,
 		})
@@ -600,7 +603,7 @@ func (sm *SecretsManager) fetchWithBatch(ctx context.Context, filters []*awssm.F
 			}
 			log.V(1).Info("aws sm findByName matches", "name", *secret.Name)
 
-			sm.setSecretValues(secret, data)
+			sm.setSecretValues(&secret, data)
 		}
 		nextToken = it.NextToken
 		if nextToken == nil {
@@ -611,7 +614,7 @@ func (sm *SecretsManager) fetchWithBatch(ctx context.Context, filters []*awssm.F
 	return data, nil
 }
 
-func (sm *SecretsManager) setSecretValues(secret *awssm.SecretValueEntry, data map[string][]byte) {
+func (sm *SecretsManager) setSecretValues(secret *types.SecretValueEntry, data map[string][]byte) {
 	if secret.SecretString != nil {
 		data[*secret.Name] = []byte(*secret.SecretString)
 	}
@@ -626,7 +629,7 @@ func (sm *SecretsManager) constructSecretValue(ctx context.Context, key, ver str
 			SecretId: &key,
 		}
 
-		descOutput, err := sm.client.DescribeSecretWithContext(ctx, describeSecretInput)
+		descOutput, err := sm.client.DescribeSecret(ctx, describeSecretInput)
 		if err != nil {
 			return nil, err
 		}
@@ -658,11 +661,11 @@ func (sm *SecretsManager) constructSecretValue(ctx context.Context, key, ver str
 			VersionStage: &ver,
 		}
 	}
-	secretOut, err := sm.client.GetSecretValue(getSecretValueInput)
+	secretOut, err := sm.client.GetSecretValue(ctx, getSecretValueInput)
 	metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMGetSecretValue, err)
 	var (
-		nf *awssm.ResourceNotFoundException
-		ie *awssm.InvalidRequestException
+		nf *types.ResourceNotFoundException
+		ie *types.InvalidParameterException
 	)
 	if errors.As(err, &nf) {
 		return nil, esv1.NoSecretErr

pkg/provider/aws/secretsmanager/secretsmanager_test.go

@@ -23,12 +23,10 @@ import (
 	"testing"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/awserr"
-	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/aws/session"
-	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
@@ -117,6 +115,18 @@ var setAPIErr = func(smtc *secretsManagerTestCase) {
 	smtc.expectError = "oh no"
 }
 
+func TestSecretsManagerResolver(t *testing.T) {
+	endpointEnvKey := SecretsManagerEndpointEnv
+	endpointURL := "http://sm.foo"
+
+	t.Setenv(endpointEnvKey, endpointURL)
+
+	f, err := customEndpointResolver{}.ResolveEndpoint(context.Background(), awssm.EndpointParameters{})
+
+	assert.Nil(t, err)
+	assert.Equal(t, endpointURL, f.URI.String())
+}
+
 // test the sm<->aws interface
 // make sure correct values are passed and errors are handled accordingly.
 func TestSecretsManagerGetSecret(t *testing.T) {
@@ -209,7 +219,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 		describeSecretOutput := &awssm.DescribeSecretOutput{
 			Tags: getTagSlice(),
 		}
-		smtc.fakeClient.DescribeSecretWithContextFn = fakesm.NewDescribeSecretWithContextFn(describeSecretOutput, nil)
+		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
 		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
 		smtc.expectedSecret = jsonTags
@@ -220,7 +230,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 		describeSecretOutput := &awssm.DescribeSecretOutput{
 			Tags: getTagSlice(),
 		}
-		smtc.fakeClient.DescribeSecretWithContextFn = fakesm.NewDescribeSecretWithContextFn(describeSecretOutput, nil)
+		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
 		smtc.remoteRef.Property = tagname2
 		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
@@ -232,7 +242,7 @@ func TestSecretsManagerGetSecret(t *testing.T) {
 		describeSecretOutput := &awssm.DescribeSecretOutput{
 			Tags: getTagSlice(),
 		}
-		smtc.fakeClient.DescribeSecretWithContextFn = fakesm.NewDescribeSecretWithContextFn(describeSecretOutput, nil)
+		smtc.fakeClient.DescribeSecretFn = fakesm.NewDescribeSecretFn(describeSecretOutput, nil)
 		smtc.remoteRef.Property = "fail"
 		jsonTags, _ := util.SecretTagsToJSONString(getTagSlice())
 		smtc.apiOutput.SecretString = &jsonTags
@@ -403,14 +413,14 @@ func TestSetSecret(t *testing.T) {
 	noPermission := errors.New("no permission")
 	arn := "arn:aws:secretsmanager:us-east-1:702902267788:secret:foo-bar5-Robbgh"
 
-	getSecretCorrectErr := awssm.ResourceNotFoundException{}
-	getSecretWrongErr := awssm.InvalidRequestException{}
+	getSecretCorrectErr := types.ResourceNotFoundException{}
+	getSecretWrongErr := types.InvalidRequestException{}
 
 	secretOutput := &awssm.CreateSecretOutput{
 		ARN: &arn,
 	}
 
-	externalSecretsTag := []*awssm.Tag{
+	externalSecretsTag := []types.Tag{
 		{
 			Key:   &managedBy,
 			Value: &externalSecrets,
@@ -421,7 +431,7 @@ func TestSetSecret(t *testing.T) {
 		},
 	}
 
-	externalSecretsTagFaulty := []*awssm.Tag{
+	externalSecretsTagFaulty := []types.Tag{
 		{
 			Key:   &notManagedBy,
 			Value: &externalSecrets,
@@ -513,10 +523,10 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
-					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, nil),
+					CreateSecretFn:   fakesm.NewCreateSecretFn(secretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -529,10 +539,10 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
-					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, nil),
+					CreateSecretFn:   fakesm.NewCreateSecretFn(secretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithoutSecretKey,
 			},
@@ -545,10 +555,10 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
-					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, nil),
+					CreateSecretFn:   fakesm.NewCreateSecretFn(secretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithMetadata,
 			},
@@ -561,10 +571,10 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, &getSecretCorrectErr),
-					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, &getSecretCorrectErr),
+					CreateSecretFn:   fakesm.NewCreateSecretFn(secretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
 				},
 				pushSecretData: fake.PushSecretData{SecretKey: secretKey, RemoteKey: fakeKey, Property: "", Metadata: &apiextensionsv1.JSON{
 					Raw: []byte(`{
@@ -585,10 +595,10 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
-					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, nil),
+					CreateSecretFn:   fakesm.NewCreateSecretFn(secretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
 				},
 				pushSecretData: fake.PushSecretData{SecretKey: secretKey, RemoteKey: fakeKey, Property: "", Metadata: &apiextensionsv1.JSON{
 					Raw: []byte(`{
@@ -608,8 +618,8 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
-					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(blankSecretValueOutput, &getSecretCorrectErr),
+					CreateSecretFn:   fakesm.NewCreateSecretFn(secretOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -622,8 +632,8 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
-					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(secretOutput, nil, []byte(`{"other-fake-property":"fake-value"}`)),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(blankSecretValueOutput, &getSecretCorrectErr),
+					CreateSecretFn:   fakesm.NewCreateSecretFn(secretOutput, nil, []byte(`{"other-fake-property":"fake-value"}`)),
 				},
 				pushSecretData: pushSecretDataWithProperty,
 			},
@@ -636,9 +646,9 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutputFrom(params{b: []byte((`{"fake-property":"fake-value"}`))}), nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutputFrom(params{b: []byte((`{"fake-property":"fake-value"}`))}), nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
 						SecretBinary: []byte(`{"fake-property":"fake-value","other-fake-property":"fake-value"}`),
 						Version:      &defaultUpdatedVersion,
 					}),
@@ -654,12 +664,12 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutputFrom(params{
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutputFrom(params{
 						b:       []byte((`{"fake-property":"fake-value"}`)),
 						version: &randomUUIDVersion,
 					}), nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
 						SecretBinary: []byte(`{"fake-property":"fake-value","other-fake-property":"fake-value"}`),
 						Version:      &randomUUIDVersionIncremented,
 					}),
@@ -675,12 +685,12 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutputFrom(params{
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutputFrom(params{
 						b:       []byte((`{"fake-property":"fake-value"}`)),
 						version: &unparsableVersion,
 					}), nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
 						SecretBinary: []byte(`{"fake-property":"fake-value","other-fake-property":"fake-value"}`),
 						Version:      &initialVersion,
 					}),
@@ -696,12 +706,12 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(&awssm.GetSecretValueOutput{
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(&awssm.GetSecretValueOutput{
 						ARN:          &arn,
 						SecretBinary: []byte((`{"fake-property":"fake-value"}`)),
 					}, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
 						SecretBinary: []byte(`{"fake-property":"fake-value","other-fake-property":"fake-value"}`),
 						Version:      &initialVersion,
 					}),
@@ -717,9 +727,9 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutputFrom(params{s: `{"fake-property":"fake-value"}`}), nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutputFrom(params{s: `{"fake-property":"fake-value"}`}), nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
 						SecretBinary: []byte(`{"fake-property":"fake-value","other-fake-property":"fake-value"}`),
 						Version:      &defaultUpdatedVersion,
 					}),
@@ -735,9 +745,9 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutputFrom(params{s: `{"fake-property":{"fake-property":"fake-value"}}`}), nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutputFrom(params{s: `{"fake-property":{"fake-property":"fake-value"}}`}), nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(putSecretOutput, nil, fakesm.ExpectedPutSecretValueInput{
 						SecretBinary: []byte(`{"fake-property":{"fake-property":"fake-value","other-fake-property":"fake-value"}}`),
 						Version:      &defaultUpdatedVersion,
 					}),
@@ -753,8 +763,8 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutputFrom(params{s: `non-json-secret`}), nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutputFrom(params{s: `non-json-secret`}), nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithProperty,
 			},
@@ -767,8 +777,8 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
-					CreateSecretWithContextFn:   fakesm.NewCreateSecretWithContextFn(nil, noPermission),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(blankSecretValueOutput, &getSecretCorrectErr),
+					CreateSecretFn:   fakesm.NewCreateSecretFn(nil, noPermission),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -781,7 +791,7 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, noPermission),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(blankSecretValueOutput, noPermission),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -794,8 +804,8 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput2, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput2, nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -808,9 +818,9 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
-					PutSecretValueWithContextFn: fakesm.NewPutSecretValueWithContextFn(nil, noPermission),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, nil),
+					PutSecretValueFn: fakesm.NewPutSecretValueFn(nil, noPermission),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -823,7 +833,7 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretWrongErr),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(blankSecretValueOutput, &getSecretWrongErr),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -836,8 +846,8 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(nil, noPermission),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(nil, noPermission),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -850,8 +860,8 @@ func TestSetSecret(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
-					DescribeSecretWithContextFn: fakesm.NewDescribeSecretWithContextFn(tagSecretOutputFaulty, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, nil),
+					DescribeSecretFn: fakesm.NewDescribeSecretFn(tagSecretOutputFaulty, nil),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -869,8 +879,8 @@ func TestSetSecret(t *testing.T) {
 					Prefix:  "prefix-",
 				},
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
-					CreateSecretWithContextFn: func(ctx aws.Context, input *awssm.CreateSecretInput, opts ...request.Option) (*awssm.CreateSecretOutput, error) {
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(blankSecretValueOutput, &getSecretCorrectErr),
+					CreateSecretFn: func(ctx context.Context, input *awssm.CreateSecretInput, opts ...func(*awssm.Options)) (*awssm.CreateSecretOutput, error) {
 						// Verify that the input name has the prefix applied
 						if *input.Name != "prefix-"+fakeKey {
 							return nil, fmt.Errorf("expected secret name to be prefixed with 'prefix-', got %s", *input.Name)
@@ -914,7 +924,7 @@ func TestDeleteSecret(t *testing.T) {
 	fakeClient := fakesm.Client{}
 	managed := managedBy
 	manager := externalSecrets
-	secretTag := awssm.Tag{
+	secretTag := types.Tag{
 		Key:   &managed,
 		Value: &manager,
 	}
@@ -945,7 +955,7 @@ func TestDeleteSecret(t *testing.T) {
 				config:          esv1.SecretsManager{},
 				getSecretOutput: &awssm.GetSecretValueOutput{},
 				describeSecretOutput: &awssm.DescribeSecretOutput{
-					Tags: []*awssm.Tag{&secretTag},
+					Tags: []types.Tag{secretTag},
 				},
 				deleteSecretOutput: &awssm.DeleteSecretOutput{},
 				getSecretErr:       nil,
@@ -966,7 +976,7 @@ func TestDeleteSecret(t *testing.T) {
 				},
 				getSecretOutput: &awssm.GetSecretValueOutput{},
 				describeSecretOutput: &awssm.DescribeSecretOutput{
-					Tags: []*awssm.Tag{&secretTag},
+					Tags: []types.Tag{secretTag},
 				},
 				deleteSecretOutput: &awssm.DeleteSecretOutput{
 					DeletionDate: aws.Time(time.Now()),
@@ -987,7 +997,7 @@ func TestDeleteSecret(t *testing.T) {
 				config:          esv1.SecretsManager{},
 				getSecretOutput: &awssm.GetSecretValueOutput{},
 				describeSecretOutput: &awssm.DescribeSecretOutput{
-					Tags: []*awssm.Tag{},
+					Tags: []types.Tag{},
 				},
 				deleteSecretOutput: &awssm.DeleteSecretOutput{},
 				getSecretErr:       nil,
@@ -1008,7 +1018,7 @@ func TestDeleteSecret(t *testing.T) {
 				},
 				getSecretOutput: &awssm.GetSecretValueOutput{},
 				describeSecretOutput: &awssm.DescribeSecretOutput{
-					Tags: []*awssm.Tag{&secretTag},
+					Tags: []types.Tag{secretTag},
 				},
 				deleteSecretOutput: &awssm.DeleteSecretOutput{},
 				getSecretErr:       nil,
@@ -1030,7 +1040,7 @@ func TestDeleteSecret(t *testing.T) {
 				},
 				getSecretOutput: &awssm.GetSecretValueOutput{},
 				describeSecretOutput: &awssm.DescribeSecretOutput{
-					Tags: []*awssm.Tag{&secretTag},
+					Tags: []types.Tag{secretTag},
 				},
 				deleteSecretOutput: &awssm.DeleteSecretOutput{},
 				getSecretErr:       nil,
@@ -1066,12 +1076,12 @@ func TestDeleteSecret(t *testing.T) {
 				getSecretOutput:      nil,
 				describeSecretOutput: nil,
 				deleteSecretOutput:   nil,
-				getSecretErr:         awserr.New(awssm.ErrCodeResourceNotFoundException, "not here, sorry dude", nil),
+				getSecretErr:         errors.New("not here, sorry dude"),
 				describeSecretErr:    nil,
 				deleteSecretErr:      nil,
 			},
 			want: want{
-				err: nil,
+				err: errors.New("not here, sorry dude"),
 			},
 		},
 		"Not expected AWS error": {
@@ -1081,7 +1091,7 @@ func TestDeleteSecret(t *testing.T) {
 				getSecretOutput:      nil,
 				describeSecretOutput: nil,
 				deleteSecretOutput:   nil,
-				getSecretErr:         awserr.New(awssm.ErrCodeEncryptionFailure, "aws unavailable", nil),
+				getSecretErr:         errors.New("aws unavailable"),
 				describeSecretErr:    nil,
 				deleteSecretErr:      nil,
 			},
@@ -1107,23 +1117,23 @@ func TestDeleteSecret(t *testing.T) {
 		"DeleteWithPrefix": {
 			args: args{
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: func(ctx aws.Context, input *awssm.GetSecretValueInput, opts ...request.Option) (*awssm.GetSecretValueOutput, error) {
+					GetSecretValueFn: func(ctx context.Context, input *awssm.GetSecretValueInput, opts ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error) {
 						// Verify that the input secret ID has the prefix applied
 						if *input.SecretId != "my-prefix-"+fakeKey {
 							return nil, fmt.Errorf("expected secret name to be prefixed with 'my-prefix-', got %s", *input.SecretId)
 						}
 						return &awssm.GetSecretValueOutput{}, nil
 					},
-					DescribeSecretWithContextFn: func(ctx aws.Context, input *awssm.DescribeSecretInput, opts ...request.Option) (*awssm.DescribeSecretOutput, error) {
+					DescribeSecretFn: func(ctx context.Context, input *awssm.DescribeSecretInput, opts ...func(*awssm.Options)) (*awssm.DescribeSecretOutput, error) {
 						// Verify that the input secret ID has the prefix applied
 						if *input.SecretId != "my-prefix-"+fakeKey {
 							return nil, fmt.Errorf("expected secret name to be prefixed with 'my-prefix-', got %s", *input.SecretId)
 						}
 						return &awssm.DescribeSecretOutput{
-							Tags: []*awssm.Tag{&secretTag},
+							Tags: []types.Tag{secretTag},
 						}, nil
 					},
-					DeleteSecretWithContextFn: func(ctx aws.Context, input *awssm.DeleteSecretInput, opts ...request.Option) (*awssm.DeleteSecretOutput, error) {
+					DeleteSecretFn: func(ctx context.Context, input *awssm.DeleteSecretInput, opts ...func(*awssm.Options)) (*awssm.DeleteSecretOutput, error) {
 						return &awssm.DeleteSecretOutput{}, nil
 					},
 				},
@@ -1151,14 +1161,14 @@ func TestDeleteSecret(t *testing.T) {
 				prefix: tc.args.prefix,
 			}
 
-			if tc.args.client.GetSecretValueWithContextFn == nil {
-				tc.args.client.GetSecretValueWithContextFn = fakesm.NewGetSecretValueWithContextFn(tc.args.getSecretOutput, tc.args.getSecretErr)
+			if tc.args.client.GetSecretValueFn == nil {
+				tc.args.client.GetSecretValueFn = fakesm.NewGetSecretValueFn(tc.args.getSecretOutput, tc.args.getSecretErr)
 			}
-			if tc.args.client.DescribeSecretWithContextFn == nil {
-				tc.args.client.DescribeSecretWithContextFn = fakesm.NewDescribeSecretWithContextFn(tc.args.describeSecretOutput, tc.args.describeSecretErr)
+			if tc.args.client.DescribeSecretFn == nil {
+				tc.args.client.DescribeSecretFn = fakesm.NewDescribeSecretFn(tc.args.describeSecretOutput, tc.args.describeSecretErr)
 			}
-			if tc.args.client.DeleteSecretWithContextFn == nil {
-				tc.args.client.DeleteSecretWithContextFn = fakesm.NewDeleteSecretWithContextFn(tc.args.deleteSecretOutput, tc.args.deleteSecretErr)
+			if tc.args.client.DeleteSecretFn == nil {
+				tc.args.client.DeleteSecretFn = fakesm.NewDeleteSecretFn(tc.args.deleteSecretOutput, tc.args.deleteSecretErr)
 			}
 
 			err := sm.DeleteSecret(context.TODO(), ref)
@@ -1195,13 +1205,13 @@ func makeValidSecretStore() *esv1.SecretStore {
 	}
 }
 
-func getTagSlice() []*awssm.Tag {
+func getTagSlice() []types.Tag {
 	tagKey1 := tagname1
 	tagValue1 := tagvalue1
 	tagKey2 := tagname2
 	tagValue2 := tagvalue2
 
-	return []*awssm.Tag{
+	return []types.Tag{
 		{
 			Key:   &tagKey1,
 			Value: &tagValue1,
@@ -1225,15 +1235,15 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 	}
 	// Test cases
 	testCases := []struct {
-		name                             string
-		ref                              esv1.ExternalSecretFind
-		secretName                       string
-		secretVersion                    string
-		secretValue                      string
-		batchGetSecretValueWithContextFn func(aws.Context, *awssm.BatchGetSecretValueInput, ...request.Option) (*awssm.BatchGetSecretValueOutput, error)
-		listSecretsFn                    func(ctx context.Context, input *awssm.ListSecretsInput, opts ...request.Option) (*awssm.ListSecretsOutput, error)
-		expectedData                     map[string][]byte
-		expectedError                    string
+		name                  string
+		ref                   esv1.ExternalSecretFind
+		secretName            string
+		secretVersion         string
+		secretValue           string
+		batchGetSecretValueFn func(context.Context, *awssm.BatchGetSecretValueInput, ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error)
+		listSecretsFn         func(context.Context, *awssm.ListSecretsInput, ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error)
+		expectedData          map[string][]byte
+		expectedError         string
 	}{
 		{
 			name: "Matching secrets found",
@@ -1246,15 +1256,15 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 			secretName:    secretName,
 			secretVersion: secretVersion,
 			secretValue:   secretValue,
-			batchGetSecretValueWithContextFn: func(_ aws.Context, input *awssm.BatchGetSecretValueInput, _ ...request.Option) (*awssm.BatchGetSecretValueOutput, error) {
+			batchGetSecretValueFn: func(_ context.Context, input *awssm.BatchGetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error) {
 				assert.Len(t, input.Filters, 1)
-				assert.Equal(t, "name", *input.Filters[0].Key)
-				assert.Equal(t, secretPath, *input.Filters[0].Values[0])
+				assert.Equal(t, "name", string(input.Filters[0].Key))
+				assert.Equal(t, secretPath, input.Filters[0].Values[0])
 				return &awssm.BatchGetSecretValueOutput{
-					SecretValues: []*awssm.SecretValueEntry{
+					SecretValues: []types.SecretValueEntry{
 						{
 							Name:          ptr.To(secretName),
-							VersionStages: []*string{ptr.To(secretVersion)},
+							VersionStages: []string{secretVersion},
 							SecretBinary:  []byte(secretValue),
 						},
 					},
@@ -1276,9 +1286,9 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 			secretName:    secretName,
 			secretVersion: secretVersion,
 			secretValue:   secretValue,
-			batchGetSecretValueWithContextFn: func(aws.Context, *awssm.BatchGetSecretValueInput, ...request.Option) (*awssm.BatchGetSecretValueOutput, error) {
+			batchGetSecretValueFn: func(_ context.Context, input *awssm.BatchGetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error) {
 				return &awssm.BatchGetSecretValueOutput{
-					SecretValues: []*awssm.SecretValueEntry{
+					SecretValues: []types.SecretValueEntry{
 						{
 							Name: ptr.To(secretName),
 						},
@@ -1295,7 +1305,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 					RegExp: secretName,
 				},
 			},
-			listSecretsFn: func(ctx context.Context, input *awssm.ListSecretsInput, opts ...request.Option) (*awssm.ListSecretsOutput, error) {
+			listSecretsFn: func(_ context.Context, input *awssm.ListSecretsInput, _ ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error) {
 				return nil, errBoom
 			},
 			expectedData:  nil,
@@ -1308,18 +1318,18 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 					RegExp: secretName,
 				},
 			},
-			listSecretsFn: func(ctx context.Context, input *awssm.ListSecretsInput, opts ...request.Option) (*awssm.ListSecretsOutput, error) {
+			listSecretsFn: func(_ context.Context, input *awssm.ListSecretsInput, _ ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error) {
 				return &awssm.ListSecretsOutput{
-					SecretList: []*awssm.SecretListEntry{
+					SecretList: []types.SecretListEntry{
 						{
 							Name: ptr.To("other-secret"),
 						},
 					},
 				}, nil
 			},
-			batchGetSecretValueWithContextFn: func(aws.Context, *awssm.BatchGetSecretValueInput, ...request.Option) (*awssm.BatchGetSecretValueOutput, error) {
+			batchGetSecretValueFn: func(_ context.Context, input *awssm.BatchGetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error) {
 				return &awssm.BatchGetSecretValueOutput{
-					SecretValues: []*awssm.SecretValueEntry{
+					SecretValues: []types.SecretValueEntry{
 						{
 							Name: ptr.To("other-secret"),
 						},
@@ -1348,17 +1358,17 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 			secretName:    secretName,
 			secretVersion: secretVersion,
 			secretValue:   secretValue,
-			batchGetSecretValueWithContextFn: func(_ aws.Context, input *awssm.BatchGetSecretValueInput, _ ...request.Option) (*awssm.BatchGetSecretValueOutput, error) {
+			batchGetSecretValueFn: func(_ context.Context, input *awssm.BatchGetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error) {
 				assert.Len(t, input.Filters, 2)
-				assert.Equal(t, "tag-key", *input.Filters[0].Key)
-				assert.Equal(t, "foo", *input.Filters[0].Values[0])
-				assert.Equal(t, "tag-value", *input.Filters[1].Key)
-				assert.Equal(t, "bar", *input.Filters[1].Values[0])
+				assert.Equal(t, "tag-key", string(input.Filters[0].Key))
+				assert.Equal(t, "foo", input.Filters[0].Values[0])
+				assert.Equal(t, "tag-value", string(input.Filters[1].Key))
+				assert.Equal(t, "bar", input.Filters[1].Values[0])
 				return &awssm.BatchGetSecretValueOutput{
-					SecretValues: []*awssm.SecretValueEntry{
+					SecretValues: []types.SecretValueEntry{
 						{
 							Name:          ptr.To(secretName),
-							VersionStages: []*string{ptr.To(secretVersion)},
+							VersionStages: []string{secretVersion},
 							SecretBinary:  []byte(secretValue),
 						},
 					},
@@ -1377,12 +1387,12 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 			secretName:    secretName,
 			secretVersion: secretVersion,
 			secretValue:   secretValue,
-			batchGetSecretValueWithContextFn: func(aws.Context, *awssm.BatchGetSecretValueInput, ...request.Option) (*awssm.BatchGetSecretValueOutput, error) {
+			batchGetSecretValueFn: func(_ context.Context, input *awssm.BatchGetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error) {
 				return &awssm.BatchGetSecretValueOutput{
-					SecretValues: []*awssm.SecretValueEntry{
+					SecretValues: []types.SecretValueEntry{
 						{
 							Name:          ptr.To(secretName),
-							VersionStages: []*string{ptr.To(secretVersion)},
+							VersionStages: []string{secretVersion},
 							SecretBinary:  []byte(secretValue),
 						},
 					},
@@ -1396,7 +1406,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 			ref: esv1.ExternalSecretFind{
 				Tags: secretTags,
 			},
-			batchGetSecretValueWithContextFn: func(aws.Context, *awssm.BatchGetSecretValueInput, ...request.Option) (*awssm.BatchGetSecretValueOutput, error) {
+			batchGetSecretValueFn: func(_ context.Context, input *awssm.BatchGetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error) {
 				return nil, errBoom
 			},
 			expectedData:  nil,
@@ -1407,7 +1417,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			fc := fakesm.NewClient()
-			fc.BatchGetSecretValueWithContextFn = tc.batchGetSecretValueWithContextFn
+			fc.BatchGetSecretValueFn = tc.batchGetSecretValueFn
 			fc.ListSecretsFn = tc.listSecretsFn
 			sm := SecretsManager{
 				client: fc,
@@ -1426,15 +1436,26 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 
 func TestSecretsManagerValidate(t *testing.T) {
 	type fields struct {
-		sess         *session.Session
+		cfg          *aws.Config
 		referentAuth bool
 	}
-	validSession, _ := session.NewSession(aws.NewConfig().WithCredentials(credentials.NewStaticCredentials("fake", "fake", "fake")))
-	invalidSession, _ := session.NewSession(aws.NewConfig().WithCredentials(credentials.NewCredentials(&FakeCredProvider{
-		retrieveFunc: func() (credentials.Value, error) {
-			return credentials.Value{}, errors.New("invalid credentials")
+
+	validConfig := &aws.Config{
+		Credentials: credentials.NewStaticCredentialsProvider(
+			"fake",
+			"fake",
+			"fake",
+		),
+	}
+
+	invalidConfig := &aws.Config{
+		Credentials: &FakeCredProvider{
+			retrieveFunc: func() (aws.Credentials, error) {
+				return aws.Credentials{}, errors.New("invalid credentials")
+			},
 		},
-	})))
+	}
+
 	tests := []struct {
 		name    string
 		fields  fields
@@ -1451,14 +1472,14 @@ func TestSecretsManagerValidate(t *testing.T) {
 		{
 			name: "Valid credentials should return ready",
 			fields: fields{
-				sess: validSession,
+				cfg: validConfig,
 			},
 			want: esv1.ValidationResultReady,
 		},
 		{
 			name: "Invalid credentials should return error",
 			fields: fields{
-				sess: invalidSession,
+				cfg: invalidConfig,
 			},
 			want:    esv1.ValidationResultError,
 			wantErr: true,
@@ -1467,7 +1488,7 @@ func TestSecretsManagerValidate(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			sm := &SecretsManager{
-				sess:         tt.fields.sess,
+				cfg:          tt.fields.cfg,
 				referentAuth: tt.fields.referentAuth,
 			}
 			got, err := sm.Validate()
@@ -1491,8 +1512,8 @@ func TestSecretExists(t *testing.T) {
 
 	blankSecretValueOutput := &awssm.GetSecretValueOutput{}
 
-	getSecretCorrectErr := awssm.ResourceNotFoundException{}
-	getSecretWrongErr := awssm.InvalidRequestException{}
+	getSecretCorrectErr := types.ResourceNotFoundException{}
+	getSecretWrongErr := types.InvalidRequestException{}
 
 	pushSecretDataWithoutProperty := fake.PushSecretData{SecretKey: "fake-secret-key", RemoteKey: fakeKey, Property: ""}
 
@@ -1515,7 +1536,7 @@ func TestSecretExists(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(secretValueOutput, nil),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(secretValueOutput, nil),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -1528,7 +1549,7 @@ func TestSecretExists(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretCorrectErr),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(blankSecretValueOutput, &getSecretCorrectErr),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -1541,7 +1562,7 @@ func TestSecretExists(t *testing.T) {
 			args: args{
 				store: makeValidSecretStore().Spec.Provider.AWS,
 				client: fakesm.Client{
-					GetSecretValueWithContextFn: fakesm.NewGetSecretValueWithContextFn(blankSecretValueOutput, &getSecretWrongErr),
+					GetSecretValueFn: fakesm.NewGetSecretValueFn(blankSecretValueOutput, &getSecretWrongErr),
 				},
 				pushSecretData: pushSecretDataWithoutProperty,
 			},
@@ -1571,13 +1592,13 @@ func TestSecretExists(t *testing.T) {
 }
 
 // FakeCredProvider implements the AWS credentials.Provider interface
-// It is used to inject an error into the AWS session to cause a
+// It is used to inject an error into the AWS config to cause a
 // validation error.
 type FakeCredProvider struct {
-	retrieveFunc func() (credentials.Value, error)
+	retrieveFunc func() (aws.Credentials, error)
 }
 
-func (f *FakeCredProvider) Retrieve() (credentials.Value, error) {
+func (f *FakeCredProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
 	return f.retrieveFunc()
 }
 

pkg/provider/aws/util/provider.go

@@ -19,8 +19,8 @@ import (
 	"errors"
 	"fmt"
 
-	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
-	"github.com/aws/aws-sdk-go/service/ssm"
+	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
+	ssm "github.com/aws/aws-sdk-go-v2/service/ssm/types"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
@@ -66,7 +66,7 @@ func IsReferentSpec(prov esv1.AWSAuth) bool {
 	return false
 }
 
-func SecretTagsToJSONString(tags []*awssm.Tag) (string, error) {
+func SecretTagsToJSONString(tags []awssm.Tag) (string, error) {
 	tagMap := make(map[string]string, len(tags))
 	for _, tag := range tags {
 		tagMap[*tag.Key] = *tag.Value
@@ -80,7 +80,7 @@ func SecretTagsToJSONString(tags []*awssm.Tag) (string, error) {
 	return string(byteArr), nil
 }
 
-func ParameterTagsToJSONString(tags []*ssm.Tag) (string, error) {
+func ParameterTagsToJSONString(tags []ssm.Tag) (string, error) {
 	tagMap := make(map[string]string, len(tags))
 	for _, tag := range tags {
 		tagMap[*tag.Key] = *tag.Value

pkg/provider/aws/util/validation.go

@@ -17,7 +17,7 @@ package util
 import (
 	"fmt"
 
-	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
+	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 )
 
 const (

pkg/utils/utils_test.go

@@ -21,7 +21,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/oracle/oci-go-sdk/v65/vault"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"