helm-external-secrets/docs/snippets/aws-sm-push-secret-with-metadata.yaml

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-example # Customisable
  namespace: teamb # Same of the SecretStores
spec:
  deletionPolicy: Delete
  refreshInterval: 1h # Refresh interval for which push secret will reconcile
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: teamb-secret-store
      kind: SecretStore
  selector:
    secret:
      name: my-secret # Source Kubernetes secret to be pushed
  data:
    - match:
        secretKey: key1 # Source Kubernetes secret key to be pushed
        remoteRef:
          remoteKey: teamb-my-first-parameter-3 # Remote reference (where the secret is going to be pushed)
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          kmsKeyID: bb123123-b2b0-4f60-ac3a-44a13f0e6b6c # When not set, default to alias/aws/secretsmanager
          secretPushFormat: string # When not set, default to binary
          description: "secret 'managed-by:secret-manager' from 'secret-store:teamb-secret-store'"
          tags:
            secret-store: teamb-secret-store
            refresh-interval: 1h