{% raw %}
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  namespace: external-secrets
spec:
  dataFrom:
  - extract:
      key: username_password/<SECRET_ID>
      metadataPolicy: Fetch           # leveraging optional parameter, defaults to None
    secretKey: username
  secretStoreRef:
    kind: SecretStore
    name: ibm-store
  target:
    name: database-credentials
    template:
      engineVersion: v2
      data:
        secret: "{{ .password }}"
      metadata:
        annotations:
          secret_id: "{{ .id }}"     # adding metadata key whose value would be added to the secret as a label
          updated_at: "{{ .updated_at }}"

{% endraw %}