apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: volcengine-kms
spec:
  provider:
    volcengine:
      # Region (Required)
      region: "cn-beijing"
      
      # Authentication (Choose one)
      auth:
        # Method 1: IRSA (Recommended)
        # When the auth block is empty or does not contain secretRef, IRSA is enabled by default.
        # The Pod's ServiceAccount must be associated with an IAM Role via Annotation,
        # and the VOLCENGINE_ROLE_TRN and VOLCENGINE_OIDC_TOKEN_FILE environment variables must be injected into the ESO Pod.
        
        # Method 2: Static Credentials
        secretRef:
          accessKeyID:
            name: volcengine-creds
            key: accessKeyID
          secretAccessKey:
            name: volcengine-creds
            key: secretAccessKey
          # (Optional, provide the Secret reference for the STS token if you are using one)
          token:
            name: volcengine-creds
            key: sts-token