|
|
@@ -2968,6 +2968,17 @@
|
|
|
<nav class="md-nav" aria-label="Additional Metadata for PushSecret">
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#kms-key" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ KMS Key
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
<li class="md-nav__item">
|
|
|
<a href="#resource-policy-example" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
@@ -2977,6 +2988,34 @@
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#location-replication" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ Location Replication
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Location Replication">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#location-replication-example" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ Location Replication Example
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
</ul>
|
|
|
@@ -5048,6 +5087,17 @@
|
|
|
<nav class="md-nav" aria-label="Additional Metadata for PushSecret">
|
|
|
<ul class="md-nav__list">
|
|
|
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#kms-key" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ KMS Key
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
<li class="md-nav__item">
|
|
|
<a href="#resource-policy-example" class="md-nav__link">
|
|
|
<span class="md-ellipsis">
|
|
|
@@ -5057,6 +5107,34 @@
|
|
|
</span>
|
|
|
</a>
|
|
|
|
|
|
+</li>
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#location-replication" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ Location Replication
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
+ <nav class="md-nav" aria-label="Location Replication">
|
|
|
+ <ul class="md-nav__list">
|
|
|
+
|
|
|
+ <li class="md-nav__item">
|
|
|
+ <a href="#location-replication-example" class="md-nav__link">
|
|
|
+ <span class="md-ellipsis">
|
|
|
+
|
|
|
+ Location Replication Example
|
|
|
+
|
|
|
+ </span>
|
|
|
+ </a>
|
|
|
+
|
|
|
+</li>
|
|
|
+
|
|
|
+ </ul>
|
|
|
+ </nav>
|
|
|
+
|
|
|
</li>
|
|
|
|
|
|
</ul>
|
|
|
@@ -5191,14 +5269,17 @@ a <code>path</code> prefix or use <code>Tags</code> filter.</p>
|
|
|
<span class="w"> </span><span class="s2">"secretsmanager:DeleteSecret"</span><span class="p">,</span>
|
|
|
<span class="w"> </span><span class="s2">"secretsmanager:GetResourcePolicy"</span><span class="p">,</span>
|
|
|
<span class="w"> </span><span class="s2">"secretsmanager:PutResourcePolicy"</span><span class="p">,</span>
|
|
|
-<span class="w"> </span><span class="s2">"secretsmanager:DeleteResourcePolicy"</span>
|
|
|
+<span class="w"> </span><span class="s2">"secretsmanager:DeleteResourcePolicy"</span><span class="p">,</span>
|
|
|
+<span class="w"> </span><span class="s2">"secretsmanager:ReplicateSecretToRegions"</span><span class="p">,</span>
|
|
|
+<span class="w"> </span><span class="s2">"secretsmanager:RemoveRegionsFromReplication"</span>
|
|
|
<span class="w"> </span><span class="p">],</span>
|
|
|
<span class="w"> </span><span class="nt">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
|
|
|
<span class="w"> </span><span class="s2">"arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*"</span>
|
|
|
<span class="w"> </span><span class="p">]</span>
|
|
|
<span class="p">}</span>
|
|
|
</code></pre></div>
|
|
|
-<p><strong>Note:</strong> The resource policy permissions (<code>GetResourcePolicy</code>, <code>PutResourcePolicy</code>, <code>DeleteResourcePolicy</code>) are only required if you're using the <code>resourcePolicy</code> metadata option to manage resource-based policies on secrets.</p>
|
|
|
+<p><strong>Note:</strong> The resource policy permissions (<code>GetResourcePolicy</code>, <code>PutResourcePolicy</code>, <code>DeleteResourcePolicy</code>) are only required if you're using the <code>resourcePolicy</code> metadata option to manage resource-based policies on secrets.
|
|
|
+<strong>Note:</strong> The replication permissions (<code>ReplicateSecretToRegions</code>, <code>RemoveRegionsFromReplication</code>) are only required if you're using the <code>replicationLocations</code> metadata option to manage secret replication across multiple regions.</p>
|
|
|
<p>Here's a more restrictive version of the IAM policy:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="p">{</span>
|
|
|
<span class="w"> </span><span class="nt">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span>
|
|
|
@@ -5211,7 +5292,9 @@ a <code>path</code> prefix or use <code>Tags</code> filter.</p>
|
|
|
<span class="w"> </span><span class="s2">"secretsmanager:TagResource"</span><span class="p">,</span>
|
|
|
<span class="w"> </span><span class="s2">"secretsmanager:GetResourcePolicy"</span><span class="p">,</span>
|
|
|
<span class="w"> </span><span class="s2">"secretsmanager:PutResourcePolicy"</span><span class="p">,</span>
|
|
|
-<span class="w"> </span><span class="s2">"secretsmanager:DeleteResourcePolicy"</span>
|
|
|
+<span class="w"> </span><span class="s2">"secretsmanager:DeleteResourcePolicy"</span><span class="p">,</span>
|
|
|
+<span class="w"> </span><span class="s2">"secretsmanager:ReplicateSecretToRegions"</span><span class="p">,</span>
|
|
|
+<span class="w"> </span><span class="s2">"secretsmanager:RemoveRegionsFromReplication"</span>
|
|
|
<span class="w"> </span><span class="p">],</span>
|
|
|
<span class="w"> </span><span class="nt">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
|
|
|
<span class="w"> </span><span class="s2">"arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*"</span>
|
|
|
@@ -5262,6 +5345,7 @@ a <code>path</code> prefix or use <code>Tags</code> filter.</p>
|
|
|
<li>description</li>
|
|
|
<li>tags</li>
|
|
|
<li>resourcePolicy</li>
|
|
|
+<li>replicationLocations</li>
|
|
|
</ul>
|
|
|
<p>To control this behavior set the following provider metadata:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
|
|
|
@@ -5299,8 +5383,9 @@ a <code>path</code> prefix or use <code>Tags</code> filter.</p>
|
|
|
<li><code>kmsKeyID</code> takes a KMS Key <code>$ID</code> or <code>$ARN</code> (in case a key source is created in another account) as a string, where <code>alias/aws/secretsmanager</code> is the <em>default</em>.</li>
|
|
|
<li><code>description</code> Description of the secret.</li>
|
|
|
<li><code>tags</code> Key-value map of user-defined tags that are attached to the secret.</li>
|
|
|
+<li><code>replicationLocations</code> takes a list of valid AWS region names where the secret should be replicated.</li>
|
|
|
</ul>
|
|
|
-<p><strong>Note:</strong> ESO treats the PushSecret as the <strong>source of truth</strong> for tags. Tags specified in <code>metadata.tags</code> will be added or updated, and tags NOT specified will be removed from AWS. This synchronization happens on every reconciliation, even when the secret value hasn't changed.</p>
|
|
|
+<p><strong>Note:</strong> ESO treats the PushSecret as the <strong>source of truth</strong> for tags, resource policy, and replication locations. When any of these resources are specified in <code>metadata</code>, they will be added or updated, and resources NOT specified but existing will be removed from AWS. This synchronization happens on every reconciliation, even when the secret value hasn't changed.</p>
|
|
|
<ul>
|
|
|
<li><code>resourcePolicy</code> Attach a resource-based policy to the secret for cross-account access or advanced access control.</li>
|
|
|
<li><code>blockPublicPolicy</code> (optional) - Set to <code>true</code> to validate that the policy doesn't grant public access before applying. Defaults to AWS behavior.</li>
|
|
|
@@ -5311,6 +5396,13 @@ a <code>path</code> prefix or use <code>Tags</code> filter.</p>
|
|
|
</ul>
|
|
|
</li>
|
|
|
</ul>
|
|
|
+<h5 id="kms-key">KMS Key</h5>
|
|
|
+<p>The <code>kmsKeyID</code> field controls the KMS key used for encrypting/ decrypting the secret.</p>
|
|
|
+<ul>
|
|
|
+<li>If <code>kmsKeyID</code> is provided, ESO always uses that value for the primary secret.</li>
|
|
|
+<li>If <code>kmsKeyID</code> is not provided, ESO falls back to AWS’s default Secrets Manager key: <code>alias/aws/secretsmanager</code>.</li>
|
|
|
+<li>ESO does not currently support specifying different <code>kmsKeyID</code> values per replica region. A single <code>kmsKeyID</code> value is applied uniformly across the primary secret and all configured replication regions.</li>
|
|
|
+</ul>
|
|
|
<h5 id="resource-policy-example">Resource Policy Example</h5>
|
|
|
<p>To attach a resource policy to a secret for cross-account access:</p>
|
|
|
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
|
|
|
@@ -5368,6 +5460,47 @@ a <code>path</code> prefix or use <code>Tags</code> filter.</p>
|
|
|
<span class="w"> </span><span class="no">}</span>
|
|
|
</code></pre></div>
|
|
|
<p><strong>Note:</strong> The resource policy is synchronized on every reconciliation, even when the secret value hasn't changed. If the <code>resourcePolicy</code> field is removed from metadata, the existing policy will be deleted from the secret.</p>
|
|
|
+<h5 id="location-replication">Location Replication</h5>
|
|
|
+<p>When this field is set, <em>ESO</em> manages replication as part of the PushSecret reconciliation loop and treats the list as the desired state:</p>
|
|
|
+<ul>
|
|
|
+<li>Regions present in <code>replicationLocations</code> but not yet configured in AWS will be added.</li>
|
|
|
+<li>Regions already configured in AWS but not listed in <code>replicationLocations</code> will be removed.</li>
|
|
|
+<li>If <code>replicationLocations</code> is omitted entirely, ESO does not manage replication for that secret.</li>
|
|
|
+<li>Invalid/unsupported region values or missing permissions will cause the AWS replication call to fail.</li>
|
|
|
+</ul>
|
|
|
+<p><strong>Note</strong>: Replicas do not support per-region KMS key selection. If you configure replication, all replica regions will use the same <code>kmsKeyID</code> value defined in the main metadata block, or <code>alias/aws/secretsmanager</code> when no key is specified.</p>
|
|
|
+<p><strong>Note</strong>: The KMS key <strong>must be available</strong> in the replication region, usually via KMS key replication.</p>
|
|
|
+<h6 id="location-replication-example">Location Replication Example</h6>
|
|
|
+<p>You can specify a list of locations for your secrets to be replicated by setting the <code>replicationLocations</code> field.</p>
|
|
|
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
|
|
|
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
|
|
|
+<span class="nt">metadata</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span>
|
|
|
+<span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
|
|
|
+<span class="nt">spec</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span>
|
|
|
+<span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
|
|
|
+<span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
|
|
|
+<span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">secret</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span>
|
|
|
+<span class="w"> </span><span class="nt">data</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-secret-key</span>
|
|
|
+<span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-remote-secret</span>
|
|
|
+<span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
|
|
|
+<span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">kmsKeyID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bb123123-b2b0-4f60-ac3a-44a13f0e6b6c</span>
|
|
|
+<span class="w"> </span><span class="nt">replicationLocations</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-north-1</span>
|
|
|
+<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-west-2</span>
|
|
|
+<span class="w"> </span><span class="nt">secretPushFormat</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">string</span>
|
|
|
+<span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="s">"Cross-account</span><span class="nv"> </span><span class="s">accessible</span><span class="nv"> </span><span class="s">secret"</span>
|
|
|
+<span class="w"> </span><span class="nt">tags</span><span class="p">:</span>
|
|
|
+<span class="w"> </span><span class="nt">team</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">platform-engineering</span>
|
|
|
+</code></pre></div>
|
|
|
<h3 id="json-secret-values">JSON Secret Values</h3>
|
|
|
<p>SecretsManager supports <em>simple</em> key/value pairs that are stored as json. If you use the API you can store more complex JSON objects. You can access nested values or arrays using <a href="https://github.com/tidwall/gjson/blob/master/SYNTAX.md">gjson syntax</a>:</p>
|
|
|
<p>Consider the following JSON object that is stored in the SecretsManager key <code>friendslist</code>:
|
Skarlso