
  1. <!doctype html>
  2. <html lang="en" class="no-js">
  3. <head>
  4. <meta charset="utf-8">
  5. <meta name="viewport" content="width=device-width,initial-scale=1">
  6. <link rel="prev" href="../../guides/disable-cluster-features/">
  7. <link rel="next" href="../aws-parameter-store/">
  8. <link rel="icon" href="../../pictures/eso-round-logo.svg">
  9. <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.42">
  10. <title>AWS Secrets Manager - External Secrets Operator</title>
  11. <link rel="stylesheet" href="../../assets/stylesheets/main.0253249f.min.css">
  12. <link rel="stylesheet" href="../../assets/stylesheets/palette.06af60db.min.css">
  13. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  14. <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
  15. <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
  <!-- mkdocs-material storage helpers. __md_scope: the site root URL, two levels up from this page. __md_hash: a simple 31-multiplier string hash (h = 31*h + charCode). __md_get(key, storage=localStorage, scope=__md_scope): reads storage[scope.pathname + "." + key] and JSON.parse()s it, so it throws if a stored value is not valid JSON (a missing key yields null). __md_set: stores JSON.stringify(value) under the same scoped key and silently swallows any storage error (e.g. quota exceeded or storage disabled). -->
  16. <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
  <!-- Google Analytics (gtag) bootstrap for property G-QP38TD8K7V. Pushes "js" and "config" onto window.dataLayer, then on DOMContentLoaded: reports the search box value as a "search" event on blur, reports feedback-form votes as a "feedback" event (page path + data-md-value) and disables the form after one vote, and re-sends "config" with the new page_path on every location$ navigation. Finally it injects the gtag loader from https://www.googletagmanager.com after this <script> element. NOTE(review): this loads a third-party script at runtime; no Content-Security-Policy or integrity attribute is visible in this file, so any restriction on it has to come from the site's response headers. -->
  17. <script id="__analytics">function __md_analytics(){function e(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],e("js",new Date),e("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",(function(){document.forms.search&&document.forms.search.query.addEventListener("blur",(function(){this.value&&e("event","search",{search_term:this.value})}));document$.subscribe((function(){var t=document.forms.feedback;if(void 0!==t)for(var a of t.querySelectorAll("[type=submit]"))a.addEventListener("click",(function(a){a.preventDefault();var n=document.location.pathname,d=this.getAttribute("data-md-value");e("event","feedback",{page:n,data:d}),t.firstElementChild.disabled=!0;var r=t.querySelector(".md-feedback__note [data-md-value='"+d+"']");r&&(r.hidden=!1)})),t.hidden=!1})),location$.subscribe((function(t){e("config","G-QP38TD8K7V",{page_path:t.pathname})}))}));var t=document.createElement("script");t.async=!0,t.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",t)}</script>
  <!-- Runs the bootstrap above; the typeof guard makes this a no-op when __md_analytics is not defined. -->
  18. <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
  19. </head>
  20. <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
  21. <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
  22. <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
  23. <label class="md-overlay" for="__drawer"></label>
  24. <div data-md-component="skip">
  25. <a href="#secrets-manager" class="md-skip">
  26. Skip to content
  27. </a>
  28. </div>
  29. <div data-md-component="announce">
  30. </div>
  31. <div data-md-color-scheme="default" data-md-component="outdated" hidden>
  32. <aside class="md-banner md-banner--warning">
  33. <div class="md-banner__inner md-grid md-typeset">
  34. You're not viewing the latest version.
  35. <a href="../../..">
  36. <strong>Click here to go to latest.</strong>
  37. </a>
  38. </div>
  <!-- Un-hides the "not viewing the latest version" banner only when the site-scoped "__outdated" key in sessionStorage holds the boolean true (read via __md_get from the head); any other value, or a missing banner element, leaves it hidden. -->
  39. <script>var el=document.querySelector("[data-md-component=outdated]"),outdated=__md_get("__outdated",sessionStorage);!0===outdated&&el&&(el.hidden=!1)</script>
  40. </aside>
  41. </div>
  42. <header class="md-header" data-md-component="header">
  43. <nav class="md-header__inner md-grid" aria-label="Header">
  44. <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
  45. <img src="../../pictures/eso-round-logo.svg" alt="logo">
  46. </a>
  47. <label class="md-header__button md-icon" for="__drawer">
  48. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
  49. </label>
  50. <div class="md-header__title" data-md-component="header-title">
  51. <div class="md-header__ellipsis">
  52. <div class="md-header__topic">
  53. <span class="md-ellipsis">
  54. External Secrets Operator
  55. </span>
  56. </div>
  57. <div class="md-header__topic" data-md-component="header-topic">
  58. <span class="md-ellipsis">
  59. AWS Secrets Manager
  60. </span>
  61. </div>
  62. </div>
  63. </div>
  64. <form class="md-header__option" data-md-component="palette">
  65. <input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
  66. <label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
  67. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
  68. </label>
  69. <input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
  70. <label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
  71. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
  72. </label>
  73. </form>
  <!-- Restores the colour palette saved under the site-scoped "__palette" key in localStorage. If the saved media query is the generic "(prefers-color-scheme)", it is resolved against the current light/dark preference by copying the data-md-color-* attributes of the matching radio input above. Every key of palette.color is then applied to <body> as data-md-color-<key>; the stored keys and values are used as-is (same-origin storage, no validation). -->
  74. <script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
  75. <label class="md-header__button md-icon" for="__search">
  76. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
  77. </label>
  78. <div class="md-search" data-md-component="search" role="dialog">
  79. <label class="md-search__overlay" for="__search"></label>
  80. <div class="md-search__inner" role="search">
  81. <form class="md-search__form" name="search">
  82. <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
  83. <label class="md-search__icon md-icon" for="__search">
  84. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
  85. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
  86. </label>
  87. <nav class="md-search__options" aria-label="Search">
  88. <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
  89. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
  90. </button>
  91. </nav>
  92. </form>
  93. <div class="md-search__output">
  94. <div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
  95. <div class="md-search-result" data-md-component="search-result">
  96. <div class="md-search-result__meta">
  97. Initializing search
  98. </div>
  99. <ol class="md-search-result__list" role="presentation"></ol>
  100. </div>
  101. </div>
  102. </div>
  103. </div>
  104. </div>
  105. <div class="md-header__source">
  106. <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
  107. <div class="md-source__icon md-icon">
  108. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg>
  109. </div>
  110. <div class="md-source__repository">
  111. External Secrets Operator
  112. </div>
  113. </a>
  114. </div>
  115. </nav>
  116. </header>
  117. <div class="md-container" data-md-component="container">
  118. <nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
  119. <div class="md-grid">
  120. <ul class="md-tabs__list">
  121. <li class="md-tabs__item">
  122. <a href="../.." class="md-tabs__link">
  123. Introduction
  124. </a>
  125. </li>
  126. <li class="md-tabs__item">
  127. <a href="../../api/components/" class="md-tabs__link">
  128. API
  129. </a>
  130. </li>
  131. <li class="md-tabs__item">
  132. <a href="../../guides/introduction/" class="md-tabs__link">
  133. Guides
  134. </a>
  135. </li>
  136. <li class="md-tabs__item md-tabs__item--active">
  137. <a href="./" class="md-tabs__link">
  138. Provider
  139. </a>
  140. </li>
  141. <li class="md-tabs__item">
  142. <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
  143. Examples
  144. </a>
  145. </li>
  146. <li class="md-tabs__item">
  147. <a href="../../contributing/devguide/" class="md-tabs__link">
  148. Community
  149. </a>
  150. </li>
  151. </ul>
  152. </div>
  153. </nav>
  154. <main class="md-main" data-md-component="main">
  155. <div class="md-main__inner md-grid">
  156. <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
  157. <div class="md-sidebar__scrollwrap">
  158. <div class="md-sidebar__inner">
  159. <nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
  160. <label class="md-nav__title" for="__drawer">
  161. <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
  162. <img src="../../pictures/eso-round-logo.svg" alt="logo">
  163. </a>
  164. External Secrets Operator
  165. </label>
  166. <div class="md-nav__source">
  167. <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
  168. <div class="md-source__icon md-icon">
  169. <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg>
  170. </div>
  171. <div class="md-source__repository">
  172. External Secrets Operator
  173. </div>
  174. </a>
  175. </div>
  176. <ul class="md-nav__list" data-md-scrollfix>
  177. <li class="md-nav__item md-nav__item--nested">
  178. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
  179. <div class="md-nav__link md-nav__container">
  180. <a href="../.." class="md-nav__link ">
  181. <span class="md-ellipsis">
  182. Introduction
  183. </span>
  184. </a>
  185. <label class="md-nav__link " for="__nav_1" id="__nav_1_label" tabindex="0">
  186. <span class="md-nav__icon md-icon"></span>
  187. </label>
  188. </div>
  189. <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
  190. <label class="md-nav__title" for="__nav_1">
  191. <span class="md-nav__icon md-icon"></span>
  192. Introduction
  193. </label>
  194. <ul class="md-nav__list" data-md-scrollfix>
  195. <li class="md-nav__item">
  196. <a href="../../introduction/overview/" class="md-nav__link">
  197. <span class="md-ellipsis">
  198. Overview
  199. </span>
  200. </a>
  201. </li>
  202. <li class="md-nav__item">
  203. <a href="../../introduction/getting-started/" class="md-nav__link">
  204. <span class="md-ellipsis">
  205. Getting started
  206. </span>
  207. </a>
  208. </li>
  209. <li class="md-nav__item">
  210. <a href="../../introduction/faq/" class="md-nav__link">
  211. <span class="md-ellipsis">
  212. FAQ
  213. </span>
  214. </a>
  215. </li>
  216. <li class="md-nav__item">
  217. <a href="../../introduction/stability-support/" class="md-nav__link">
  218. <span class="md-ellipsis">
  219. Stability and Support
  220. </span>
  221. </a>
  222. </li>
  223. <li class="md-nav__item">
  224. <a href="../../introduction/deprecation-policy/" class="md-nav__link">
  225. <span class="md-ellipsis">
  226. Deprecation Policy
  227. </span>
  228. </a>
  229. </li>
  230. </ul>
  231. </nav>
  232. </li>
  233. <li class="md-nav__item md-nav__item--nested">
  234. <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
  235. <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
  236. <span class="md-ellipsis">
  237. API
  238. </span>
  239. <span class="md-nav__icon md-icon"></span>
  240. </label>
  241. <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
  242. <label class="md-nav__title" for="__nav_2">
  243. <span class="md-nav__icon md-icon"></span>
  244. API
  245. </label>
  246. <ul class="md-nav__list" data-md-scrollfix>
  247. <li class="md-nav__item">
  1272. <div class="md-content" data-md-component="content">
  1273. <article class="md-content__inner md-typeset">
  1274. <h1>AWS Secrets Manager</h1>
  1275. <p><img alt="aws sm" src="../../pictures/eso-az-kv-aws-sm.png" /></p>
  1276. <h2 id="secrets-manager">Secrets Manager</h2>
  1277. <p>A <code>SecretStore</code> points to AWS Secrets Manager in a certain account within a
  1278. defined region. You should define IAM Roles that grant fine-grained access to
  1279. individual secrets and pass them to ESO using <code>spec.provider.aws.role</code>. This
  1280. way, users of the <code>SecretStore</code> can only access the secrets they need.</p>
  1281. <p><div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
  1282. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1283. <span class="nt">metadata</span><span class="p">:</span>
  1284. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
  1285. <span class="nt">spec</span><span class="p">:</span>
  1286. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1287. <span class="w"> </span><span class="nt">aws</span><span class="p">:</span>
  1288. <span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
  1289. <span class="w"> </span><span class="c1"># define a specific role to limit access</span>
  1290. <span class="w"> </span><span class="c1"># to certain secrets.</span>
  1291. <span class="w"> </span><span class="c1"># role is an optional field that</span>
  1292. <span class="w"> </span><span class="c1"># can be omitted for test purposes</span>
  1293. <span class="w"> </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">arn:aws:iam::123456789012:role/external-secrets</span>
  1294. <span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
  1295. <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
  1296. <span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span>
  1297. <span class="w"> </span><span class="nt">accessKeyIDSecretRef</span><span class="p">:</span>
  1298. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
  1299. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">access-key</span>
  1300. <span class="w"> </span><span class="nt">secretAccessKeySecretRef</span><span class="p">:</span>
  1301. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
  1302. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-access-key</span>
  1303. </code></pre></div>
  1304. <strong>NOTE:</strong> In the case of a <code>ClusterSecretStore</code>, be sure to set <code>namespace</code> in <code>accessKeyIDSecretRef</code> and <code>secretAccessKeySecretRef</code> to the namespaces where the secrets reside.</p>
  1305. <h3 id="iam-policy">IAM Policy</h3>
  1306. <p>Create an IAM Policy to pin down access to secrets matching <code>dev-*</code>. The account ID and region in the <code>Resource</code> ARN must match the account and <code>region</code> the <code>SecretStore</code> points to; the example below uses placeholder values.</p>
  1307. <div class="highlight"><pre><span></span><code><span class="p">{</span>
  1308. <span class="w"> </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
  1309. <span class="w"> </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1310. <span class="w"> </span><span class="p">{</span>
  1311. <span class="w"> </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
  1312. <span class="w"> </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1313. <span class="w"> </span><span class="s2">&quot;secretsmanager:GetResourcePolicy&quot;</span><span class="p">,</span>
  1314. <span class="w"> </span><span class="s2">&quot;secretsmanager:GetSecretValue&quot;</span><span class="p">,</span>
  1315. <span class="w"> </span><span class="s2">&quot;secretsmanager:DescribeSecret&quot;</span><span class="p">,</span>
  1316. <span class="w"> </span><span class="s2">&quot;secretsmanager:ListSecretVersionIds&quot;</span>
  1317. <span class="w"> </span><span class="p">],</span>
  1318. <span class="w"> </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1319. <span class="w"> </span><span class="s2">&quot;arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*&quot;</span>
  1320. <span class="w"> </span><span class="p">]</span>
  1321. <span class="w"> </span><span class="p">}</span>
  1322. <span class="w"> </span><span class="p">]</span>
  1323. <span class="p">}</span>
  1324. </code></pre></div>
  1325. <h4 id="permissions-for-pushsecret">Permissions for PushSecret</h4>
  1326. <p>If you're planning to use <code>PushSecret</code>, ensure you also have the following permissions in your IAM policy:</p>
  1327. <div class="highlight"><pre><span></span><code><span class="p">{</span>
  1328. <span class="w"> </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
  1329. <span class="w"> </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1330. <span class="w"> </span><span class="s2">&quot;secretsmanager:CreateSecret&quot;</span><span class="p">,</span>
  1331. <span class="w"> </span><span class="s2">&quot;secretsmanager:PutSecretValue&quot;</span><span class="p">,</span>
  1332. <span class="w"> </span><span class="s2">&quot;secretsmanager:TagResource&quot;</span><span class="p">,</span>
  1333. <span class="w"> </span><span class="s2">&quot;secretsmanager:DeleteSecret&quot;</span>
  1334. <span class="w"> </span><span class="p">],</span>
  1335. <span class="w"> </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1336. <span class="w"> </span><span class="s2">&quot;arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*&quot;</span>
  1337. <span class="w"> </span><span class="p">]</span>
  1338. <span class="p">}</span>
  1339. </code></pre></div>
  1340. <p>Here's a more restrictive version of the IAM policy:</p>
  1341. <div class="highlight"><pre><span></span><code><span class="p">{</span>
  1342. <span class="w"> </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
  1343. <span class="w"> </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1344. <span class="w"> </span><span class="p">{</span>
  1345. <span class="w"> </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
  1346. <span class="w"> </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1347. <span class="w"> </span><span class="s2">&quot;secretsmanager:CreateSecret&quot;</span><span class="p">,</span>
  1348. <span class="w"> </span><span class="s2">&quot;secretsmanager:PutSecretValue&quot;</span><span class="p">,</span>
  1349. <span class="w"> </span><span class="s2">&quot;secretsmanager:TagResource&quot;</span>
  1350. <span class="w"> </span><span class="p">],</span>
  1351. <span class="w"> </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1352. <span class="w"> </span><span class="s2">&quot;arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*&quot;</span>
  1353. <span class="w"> </span><span class="p">]</span>
  1354. <span class="w"> </span><span class="p">},</span>
  1355. <span class="w"> </span><span class="p">{</span>
  1356. <span class="w"> </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
  1357. <span class="w"> </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1358. <span class="w"> </span><span class="s2">&quot;secretsmanager:DeleteSecret&quot;</span>
  1359. <span class="w"> </span><span class="p">],</span>
  1360. <span class="w"> </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1361. <span class="w"> </span><span class="s2">&quot;arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*&quot;</span>
  1362. <span class="w"> </span><span class="p">],</span>
  1363. <span class="w"> </span><span class="nt">&quot;Condition&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
  1364. <span class="w"> </span><span class="nt">&quot;StringEquals&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
  1365. <span class="w"> </span><span class="nt">&quot;secretsmanager:ResourceTag/managed-by&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;external-secrets&quot;</span>
  1366. <span class="w"> </span><span class="p">}</span>
  1367. <span class="w"> </span><span class="p">}</span>
  1368. <span class="w"> </span><span class="p">}</span>
  1369. <span class="w"> </span><span class="p">]</span>
  1370. <span class="p">}</span>
  1371. </code></pre></div>
  1372. <p>In this policy, the <code>DeleteSecret</code> action is restricted to secrets that carry the tag <code>managed-by: external-secrets</code>, so deletions are more tightly controlled and in line with the intended management of the secrets.</p>
  1373. <h4 id="additional-settings-for-pushsecret">Additional Settings for PushSecret</h4>
  1374. <p>Additional settings can be set at the <code>SecretStore</code> level to control the behavior of <code>PushSecret</code> when interacting with AWS Secrets Manager.</p>
  1375. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
  1376. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1377. <span class="nt">metadata</span><span class="p">:</span>
  1378. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
  1379. <span class="nt">spec</span><span class="p">:</span>
  1380. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1381. <span class="w"> </span><span class="nt">aws</span><span class="p">:</span>
  1382. <span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
  1383. <span class="w"> </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">arn:aws:iam::123456789012:role/external-secrets</span>
  1384. <span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
  1385. <span class="w"> </span><span class="nt">secretsManager</span><span class="p">:</span>
  1386. <span class="w"> </span><span class="c1"># Additional parameters can be added to the AWS Secrets Manager DeleteSecret API call.</span>
  1387. <span class="w"> </span><span class="c1"># These parameters are only relevant when the deletionPolicy is set to Delete.</span>
  1388. <span class="w"> </span><span class="c1"># See: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#API_DeleteSecret_RequestSyntax</span>
  1389. <span class="w"> </span><span class="nt">forceDeleteWithoutRecovery</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
  1390. <span class="w"> </span><span class="c1"># recoveryWindowInDays: 9 (conflicts with forceDeleteWithoutRecovery)</span>
  1391. </code></pre></div>
  1392. <h4 id="additional-metadata-for-pushsecret">Additional Metadata for PushSecret</h4>
  1393. <p>It's possible to push secrets to AWS Secrets Manager either in <code>binary</code> format or as a plain <code>string</code>.</p>
  1394. <p>To control this behaviour set the following provider metadata:</p>
  1395. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
  1396. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
  1397. <span class="nt">metadata</span><span class="p">:</span>
  1398. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span><span class="w"> </span><span class="c1"># Customisable</span>
  1399. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">teamb</span><span class="w"> </span><span class="c1"># Same as the SecretStores</span>
  1400. <span class="nt">spec</span><span class="p">:</span>
  1401. <span class="w"> </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span>
  1402. <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
  1403. <span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
  1404. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">teamb-secret-store</span>
  1405. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1406. <span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
  1407. <span class="w"> </span><span class="nt">secret</span><span class="p">:</span>
  1408. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-secret</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
  1409. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1410. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
  1411. <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">key1</span><span class="w"> </span><span class="c1"># Source Kubernetes secret key to be pushed</span>
  1412. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1413. <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">teamb-my-first-parameter-3</span><span class="w"> </span><span class="c1"># Remote reference (where the secret is going to be pushed)</span>
  1414. <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
  1415. <span class="w"> </span><span class="nt">secretPushFormat</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">string</span>
  1416. </code></pre></div>
  1417. <p><code>secretPushFormat</code> takes two options, <code>binary</code> and <code>string</code>; <code>binary</code> is the <em>default</em>.</p>
  1418. <h3 id="json-secret-values">JSON Secret Values</h3>
  1419. <p>SecretsManager supports <em>simple</em> key/value pairs that are stored as JSON. If you use the API you can store more complex JSON objects. You can access nested values or arrays using <a href="https://github.com/tidwall/gjson/blob/master/SYNTAX.md">gjson syntax</a>:</p>
  1420. <p>Consider the following JSON object that is stored in the SecretsManager key <code>friendslist</code>:</p>
  1421. <div class="highlight"><pre><span></span><code><span class="p">{</span>
  1422. <span class="w"> </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nt">&quot;first&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Tom&quot;</span><span class="p">,</span><span class="w"> </span><span class="nt">&quot;last&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Anderson&quot;</span><span class="p">},</span>
  1423. <span class="w"> </span><span class="nt">&quot;friends&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
  1424. <span class="w"> </span><span class="p">{</span><span class="nt">&quot;first&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Dale&quot;</span><span class="p">,</span><span class="w"> </span><span class="nt">&quot;last&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Murphy&quot;</span><span class="p">},</span>
  1425. <span class="w"> </span><span class="p">{</span><span class="nt">&quot;first&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Roger&quot;</span><span class="p">,</span><span class="w"> </span><span class="nt">&quot;last&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Craig&quot;</span><span class="p">},</span>
  1426. <span class="w"> </span><span class="p">{</span><span class="nt">&quot;first&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Jane&quot;</span><span class="p">,</span><span class="w"> </span><span class="nt">&quot;last&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Murphy&quot;</span><span class="p">}</span>
  1427. <span class="w"> </span><span class="p">]</span>
  1428. <span class="p">}</span>
  1429. </code></pre></div>
  1430. <p>This is an example of how you would look up nested keys in the JSON object above:</p>
  1431. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
  1432. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
  1433. <span class="nt">metadata</span><span class="p">:</span>
  1434. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
  1435. <span class="nt">spec</span><span class="p">:</span>
  1436. <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1m</span>
  1437. <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
  1438. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
  1439. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1440. <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
  1441. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">friends</span>
  1442. <span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
  1443. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1444. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my_name</span>
  1445. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1446. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">friendslist</span>
  1447. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">name.first</span><span class="w"> </span><span class="c1"># Tom</span>
  1448. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">first_friend</span>
  1449. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1450. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">friendslist</span>
  1451. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">friends.1.first</span><span class="w"> </span><span class="c1"># Roger</span>
  1452. <span class="w"> </span><span class="c1"># metadataPolicy to fetch all the labels in JSON format</span>
  1453. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tags</span>
  1454. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1455. <span class="w"> </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span><span class="w"> </span>
  1456. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
  1457. <span class="w"> </span><span class="c1"># metadataPolicy to fetch a specific label (dev) from the source secret</span>
  1458. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">developer</span>
  1459. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1460. <span class="w"> </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span><span class="w"> </span>
  1461. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
  1462. <span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dev</span>
  1463. </code></pre></div>
  1464. <h3 id="secret-versions">Secret Versions</h3>
  1465. <p>SecretsManager creates a new version of a secret every time it is updated. The secret version can be referenced in two ways: by <code>VersionStage</code> or by <code>VersionId</code>. The <code>VersionId</code> is a unique UUID that is generated every time the secret changes. This id is immutable and will always refer to the same secret data. The <code>VersionStage</code> is an alias for a <code>VersionId</code>, and can refer to different secret data as the secret is updated. By default, SecretsManager adds the version stages <code>AWSCURRENT</code> and <code>AWSPREVIOUS</code> to every secret, but other stages can be created via the <a href="https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret-version-stage.html">update-secret-version-stage</a> API.</p>
  1466. <p>The <code>version</code> field on the <code>remoteRef</code> of the ExternalSecret will normally consider the version to be a <code>VersionStage</code>, but if the field is prefixed with <code>uuid/</code>, then the version will be considered a <code>VersionId</code>.</p>
  1467. <p>So in this example, the operator will request the same secret with different versions: <code>AWSCURRENT</code> and <code>AWSPREVIOUS</code>:</p>
  1468. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
  1469. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
  1470. <span class="nt">metadata</span><span class="p">:</span>
  1471. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">versioned-api-key</span>
  1472. <span class="nt">spec</span><span class="p">:</span>
  1473. <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
  1474. <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
  1475. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
  1476. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1477. <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
  1478. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">versioned-api-key</span>
  1479. <span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
  1480. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1481. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">previous-api-key</span>
  1482. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1483. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;production/api-key&quot;</span>
  1484. <span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;AWSPREVIOUS&quot;</span>
  1485. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">current-api-key</span>
  1486. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1487. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;production/api-key&quot;</span>
  1488. <span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;AWSCURRENT&quot;</span>
  1489. </code></pre></div>
  1490. <p>In this example, on the other hand, the operator will request the secret by <code>VersionId</code> <code>123e4567-e89b-12d3-a456-426614174000</code>; the <code>uuid/</code> prefix on the <code>version</code> field is what marks it as a <code>VersionId</code>:</p>
  1491. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
  1492. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
  1493. <span class="nt">metadata</span><span class="p">:</span>
  1494. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">versioned-api-key</span>
  1495. <span class="nt">spec</span><span class="p">:</span>
  1496. <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
  1497. <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
  1498. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
  1499. <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1500. <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
  1501. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">versioned-api-key</span>
  1502. <span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
  1503. <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
  1504. <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">api-key</span>
  1505. <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
  1506. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;production/api-key&quot;</span>
  1507. <span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;uuid/123e4567-e89b-12d3-a456-426614174000&quot;</span>
  1508. </code></pre></div>
  1509. <h2 id="aws-authentication">AWS Authentication</h2>
  1510. <h3 id="controllers-pod-identity">Controller's Pod Identity</h3>
  1511. <p><img alt="Pod Identity Authentication" src="../../pictures/diagrams-provider-aws-auth-pod-identity.png" /></p>
  1512. <p>Note: If you are using Parameter Store replace <code>service: SecretsManager</code> with <code>service: ParameterStore</code> in all examples below.</p>
  1513. <p>This is basicially a zero-configuration authentication method that inherits the credentials from the runtime environment using the <a href="https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default">aws sdk default credential chain</a>.</p>
  1514. <p>You can attach a role to the pod using <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IRSA</a>, <a href="https://github.com/uswitch/kiam">kiam</a> or <a href="https://github.com/jtblin/kube2iam">kube2iam</a>. When no other authentication method is configured in the <code>Kind=Secretstore</code> this role is used to make all API calls against AWS Secrets Manager or SSM Parameter Store.</p>
  1515. <p>Based on the Pod's identity you can do a <code>sts:assumeRole</code> before fetching the secrets to limit access to certain keys in your provider. This is optional.</p>
  1516. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
  1517. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1518. <span class="nt">metadata</span><span class="p">:</span>
  1519. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b-store</span>
  1520. <span class="nt">spec</span><span class="p">:</span>
  1521. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1522. <span class="w"> </span><span class="nt">aws</span><span class="p">:</span>
  1523. <span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
  1524. <span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
  1525. <span class="w"> </span><span class="c1"># optional: do a sts:assumeRole before fetching secrets</span>
  1526. <span class="w"> </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b</span>
  1527. </code></pre></div>
  1528. <h3 id="access-key-id-secret-access-key">Access Key ID &amp; Secret Access Key</h3>
  1529. <p><img alt="SecretRef" src="../../pictures/diagrams-provider-aws-auth-secret-ref.png" /></p>
  1530. <p>You can store Access Key ID &amp; Secret Access Key in a <code>Kind=Secret</code> and reference it from a SecretStore.</p>
  1531. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
  1532. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1533. <span class="nt">metadata</span><span class="p">:</span>
  1534. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b-store</span>
  1535. <span class="nt">spec</span><span class="p">:</span>
  1536. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1537. <span class="w"> </span><span class="nt">aws</span><span class="p">:</span>
  1538. <span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
  1539. <span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
  1540. <span class="w"> </span><span class="c1"># optional: assume role before fetching secrets</span>
  1541. <span class="w"> </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b</span>
  1542. <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
  1543. <span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span>
  1544. <span class="w"> </span><span class="nt">accessKeyIDSecretRef</span><span class="p">:</span>
  1545. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
  1546. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">access-key</span>
  1547. <span class="w"> </span><span class="nt">secretAccessKeySecretRef</span><span class="p">:</span>
  1548. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
  1549. <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-access-key</span>
  1550. </code></pre></div>
  1551. <p><strong>NOTE:</strong> In the case of a <code>ClusterSecretStore</code>, be sure to set <code>namespace</code> in both <code>accessKeyIDSecretRef</code> and <code>secretAccessKeySecretRef</code> to the namespace where the referenced secrets reside.</p>
  1552. <h3 id="eks-service-account-credentials">EKS Service Account credentials</h3>
  1553. <p><img alt="Service Account" src="../../pictures/diagrams-provider-aws-auth-service-account.png" /></p>
  1554. <p>This feature lets you use short-lived service account tokens to authenticate with AWS.
  1555. You must have <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection">Service Account Volume Projection</a> enabled; it is enabled by default on EKS. See the <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html">EKS guide</a> on how to set up IAM roles for service accounts.</p>
  1556. <p>The big advantage of this approach is that ESO runs without any static, long-lived credentials; it relies only on the short-lived projected token.</p>
  1557. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
  1558. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
  1559. <span class="nt">metadata</span><span class="p">:</span>
  1560. <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
  1561. <span class="w"> </span><span class="nt">eks.amazonaws.com/role-arn</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">arn:aws:iam::123456789012:role/team-a</span>
  1562. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-serviceaccount</span>
  1563. <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
  1564. </code></pre></div>
  1565. <p>Reference the service account from above in the Secret Store:</p>
  1566. <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
  1567. <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
  1568. <span class="nt">metadata</span><span class="p">:</span>
  1569. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secretstore-sample</span>
  1570. <span class="nt">spec</span><span class="p">:</span>
  1571. <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
  1572. <span class="w"> </span><span class="nt">aws</span><span class="p">:</span>
  1573. <span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
  1574. <span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
  1575. <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
  1576. <span class="w"> </span><span class="nt">jwt</span><span class="p">:</span>
  1577. <span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
  1578. <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-serviceaccount</span>
  1579. </code></pre></div>
  1580. <p><strong>NOTE:</strong> In the case of a <code>ClusterSecretStore</code>, be sure to set <code>namespace</code> in <code>serviceAccountRef</code> to the namespace where the service account resides.</p>
  1581. <h2 id="custom-endpoints">Custom Endpoints</h2>
  1582. <p>You can define custom AWS endpoints if you want to use regional, VPC or custom endpoints. See the list of endpoints for <a href="https://docs.aws.amazon.com/general/latest/gr/asm.html">Secrets Manager</a>, <a href="https://docs.aws.amazon.com/general/latest/gr/ssm.html">Secure Systems Manager</a> and <a href="https://docs.aws.amazon.com/general/latest/gr/sts.html">Security Token Service</a>.</p>
  1583. <p>Use the following environment variables to point the controller at your custom endpoints. Note: these settings apply controller-wide, so all resources managed by this controller are affected.</p>
  1584. <table>
  1585. <thead>
  1586. <tr>
  1587. <th>ENV VAR</th>
  1588. <th>DESCRIPTION</th>
  1589. </tr>
  1590. </thead>
  1591. <tbody>
  1592. <tr>
  1593. <td>AWS_SECRETSMANAGER_ENDPOINT</td>
  1594. <td>Endpoint for the Secrets Manager Service. The controller uses this endpoint to fetch secrets from AWS Secrets Manager.</td>
  1595. </tr>
  1596. <tr>
  1597. <td>AWS_SSM_ENDPOINT</td>
  1598. <td>Endpoint for the AWS Secure Systems Manager. The controller uses this endpoint to fetch secrets from SSM Parameter Store.</td>
  1599. </tr>
  1600. <tr>
  1601. <td>AWS_STS_ENDPOINT</td>
  1602. <td>Endpoint for the Security Token Service. The controller uses this endpoint when creating a session and when doing <code>assumeRole</code> or <code>assumeRoleWithWebIdentity</code> calls.</td>
  1603. </tr>
  1604. </tbody>
  1605. </table>
  1606. </article>
  1607. </div>
  1609. </div>
  1610. </main>
  1612. <footer class="md-footer">
  1613. <div class="md-footer-meta md-typeset">
  1614. <div class="md-footer-meta__inner md-grid">
  1615. <div class="md-copyright">
  1616. <div class="md-copyright__highlight">
  1617. &copy; 2024 The external-secrets Authors.<br/>
  1618. &copy; 2024 The Linux Foundation. All rights reserved.<br/><br/>
  1619. The Linux Foundation has registered trademarks and uses trademarks.<br/>
  1620. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
  1621. </div>
  1626. </div>
  1627. </div>
  1628. </div>
  1629. </footer>
  1630. </div>
  1636. </body>
  1637. </html>