Specify location on Secret Store for pushing secrets #3354
Comments
blasrodriguez
added
the
kind/feature
|
Note, this would be something that we would add to the provider metadata section like here for AWS: https://external-secrets.io/latest/provider/aws-secrets-manager/#additional-metadata-for-pushsecret The metadata |
|
Yes, something like that would be great! |
|
Can you provide information on how to define a region? Is it just |
|
So something like |
|
It's defined in replication config. Take a look at terraform resource for this kind of secrets: |
|
@blasrodriguez quick question... I was thinking about where to put this setting. And I was thinking it should maybe be on the store rather than on a per/push basis? Since if your whole store is location based, it would be a bit redundant to also define it on the push secret? |
|
@Skarlso I totally agree with you. The store is the place. We have another suggestion for pusing secrets not related to the location. Currently, if the secret exists and it's not managed by external secret it's impossible to replace the content. We have a use case that needs to change this behaviour, shall we open another issue? |
|
What you are looking for is apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
name: pushsecret-example # Customisable
namespace: default # Same of the SecretStores
spec:
updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync
But it's not implemented yet for all providers. |
|
Great! We need it for GCP provider. Do we need to open an issue or it's already on the roadmap? |
|
There is no real roadmap. Things are implemented on a need-to-have basis. Feel free to attempt it though. :) The maintainers are very thin spread with time. |
|
I will, thank you very much for your time |
Just some valid context here 😄 When PushSecrets was designed, the idea was that each Provider configuration would indeed be a SecretStore configuration. Even if it caused to be more redundant (i.e. creating multiple stores to change 1 or 2 configs), as we thought we should keep the PushSecret the most provider agnostic as possible. |
|
I am doing some tests using external-secrets and bumped into the same issue. I agree that the Store should be the place to have this location config (possibly it will be needed for the replication-policy as well - https://cloud.google.com/secret-manager/docs/choosing-replication) |
|
Okay, back on this. I'll do this either today, or tomorrow. |
|
Would you mind testing out my pr? @blasrodriguez |
|
@Skarlso I not sure how to test it. Building the docker image and deploying the helm chart is enough? |
|
Actually, I think every PR builds and publishes it's own version. Let me check. |
|
Should be |
Our company is using External Secrets to push secrets from Kubernetes to Google Secret Manager. However, the security team has implemented a GCP organization policy that restricts writing secrets to a global scope. Secrets must be stored in specific authorized zones. Unfortunately, when using PushSecret with External Secrets, it attempts to write the secret to Secret Manager at a global level. Due to the organization policy, this write operation fails, and the secret remains unsaved.
To address this issue, the ideal solution would be to allow specifying the target zone or region within the SecretStore configuration. This would enable PushSecret to write the secret to one of the authorized zones, complying with the security policy and successfully storing the secret.
The text was updated successfully, but these errors were encountered: