-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for AWS Secrets Manager #405
Comments
I am planning to work on this and thinking about how to implement it. Check out the related discussion on slack. I am thinking about two use cases:
Let's first consider use case 1: @hasheddan's proposal was to use a new type I have thought about this for a while and this is my proposal:
A couple of pros/cons to this approach:
@hasheddan and @janwillies, it would be great to have your opinion on that. |
If my understanding is correct this would be a straight forward implementation of the CRUD operations of the Secrets Manager Resource with the exception that the SecretString-value is a reference to a Kubernetes Secret and the actual value is picked up from there. That makes sense to me b/c this way it can benefit from the envelope encryption of Kubernetes secrets. Does that work for you @hasheddan @muvaf? A nitpick: it should be |
I think the case where users don't want to store creds in Kubernetes Meanwhile, I agree that we can have it just like any other managed resource. The difference would be that the data source would be a referenced |
I think this is a great approach - thanks @Knappek! I really like using the regular connection secrets as an intermediary store that can in turn be shipped off to another secret store. I'm curious how many orgs actually have a mandate to ensure credentials are never persisted as a Kubernetes secret at all. If we could get away with using this approach for e.g. provider-vault that would certainly scale better. This way every provider just needs to know how to write a secret, and we can add many decoupled backends that can sync those secrets to secret stores. The alternative - having every provider support every possible secret store in its native code - seems like it would not scale well. |
Add configuration of s3(1), s3control(4), transfer(1), Wafregional(2)…
What problem are you facing?
I want to manage AWS Secrets Manager via crossplane provider-aws, e.g. create, update and delete secrets
How could Crossplane help solve your problem?
Implement a Secrets Manager resource: https://docs.aws.amazon.com/sdk-for-go/v2/api/service/secretsmanager
The text was updated successfully, but these errors were encountered: