
Error while creating an AWS Secrets Manager secret #82

Open
jonatasbaldin opened this issue Nov 11, 2020 · 2 comments

@jonatasbaldin

Hi there!

Describe the bug:
Not able to create an AWS Secrets Manager secret, got the error:

2020-11-11T12:27:47.7662466Z E1111 12:27:47.765945       1 controller.go:117] controllers/ExternalSecret "msg"="error while reconciling ExternalSecret" "error"="cannot get ExternalSecret data from store: name \"mySecret\": error getting secret value: unknown endpoint, could not resolve endpoint, partition: \"all partitions\", service: \"secretsmanager\", region: \"eu-central-1\"" "externalsecret"={"Namespace":"default","Name":"test-one"}

The following resources were created:

apiVersion: secret-manager.itscontained.io/v1alpha1
kind: SecretStore
metadata:
  name: aws-secret-store
spec:
  aws:
    authSecretRef:
      accessKeyID:
        key: access-key
        name: aws-key
      secretAccessKey:
        key: secret-key
        name: aws-key
apiVersion: secret-manager.itscontained.io/v1alpha1
kind: ExternalSecret
metadata:
  name: test-one
spec:
  data:
  - remoteRef:
      name: mySecret
      property: key1
    secretKey: key1
  storeRef:
    name: aws-secret-store

The Secret used to authenticate on AWS is as follows:

apiVersion: v1
kind: Secret
metadata:
  name: aws-key
data:
  access-key: <redacted>
  secret-key: <redacted>
type: Opaque

The AWS Secrets Manager has the following secret:

$ aws secretsmanager get-secret-value --secret-id mySecret --region eu-central-1

{
    "ARN": "redacted",
    "Name": "mySecret",
    "VersionId": "35645498-8b3a-42bb-9e81-075807822659",
    "SecretString": "{\"key1\":\"value1\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2020-11-10T14:35:03.762000+01:00"
}

I also used the Administrator user for the AWS authentication to eliminate any possible permission errors.

Expected behavior
Generate a new Secret with the information from AWS Secrets Manager.

Steps to reproduce the bug:

  • Install secret-manager via Helm
  • Create the resources above and watch the controller logs

Environment details:

  • Kubernetes version (e.g. v1.18.9): v1.17.0 (Kind)
  • Secret-Manager version (e.g. v0.2.0): v0.3.0
  • SecretStore type (e.g. Vault vs AWS SecretManager): AWS Secret Manager
  • Install method (e.g. helm or static manifests): Listed above

/kind bug

@sbaier1

sbaier1 commented Nov 13, 2020

Seeing the same issue with IRSA's ambient environment variables. Have tried explicitly setting the region as well, but it's not working. Interesting that it also happens with an explicit access & secret key.

I am assuming it's a problem in the EndpointResolver(?)

(same region, by the way)

@sbaier1

sbaier1 commented Nov 16, 2020

FWIW, overriding the endpoint in the env variable works as a workaround (though of course it isn't perfect, and the root cause has to be figured out here).

I just set this in the Helm chart:

extraEnv:
  - name: AWS_SECRETSMANAGER_ENDPOINT
    value: https://secretsmanager.eu-central-1.amazonaws.com

It still seems like the AWS SDK is having trouble resolving the endpoint based on the region for some reason.
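Added example (not code from secret-manager or from the commenters above): a minimal stand-in for the SDK's endpoint lookup that shows what a Secrets Manager endpoint for a region should resolve to, and how to accept the `AWS_SECRETSMANAGER_ENDPOINT` override from the workaround without letting a bad value point the controller's credentials and secret values at an arbitrary or plaintext host. The partition mapping and the `ResolveSecretsManagerEndpoint` function are assumptions for illustration, not the aws-sdk-go resolver.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// ErrUnknownEndpoint mirrors the failure class in the controller log above:
// no endpoint could be derived for the service/region pair.
var ErrUnknownEndpoint = errors.New("could not resolve endpoint")

// partitionSuffix maps a region to the DNS suffix of its partition.
// Assumption: only the public and China partitions are modelled here.
func partitionSuffix(region string) (string, error) {
	switch {
	case region == "":
		return "", fmt.Errorf("%w: empty region", ErrUnknownEndpoint)
	case strings.HasPrefix(region, "cn-"):
		return "amazonaws.com.cn", nil
	case strings.Count(region, "-") >= 2: // e.g. eu-central-1
		return "amazonaws.com", nil
	}
	return "", fmt.Errorf("%w: region %q matches no known partition", ErrUnknownEndpoint, region)
}

// ResolveSecretsManagerEndpoint returns the Secrets Manager endpoint URL for
// region, honouring an override (the AWS_SECRETSMANAGER_ENDPOINT workaround).
// The override is accepted only if it is an https URL whose host lies inside
// the region's partition, so a typo or a hostile value cannot redirect the
// controller's API calls (and with them its credentials) elsewhere.
func ResolveSecretsManagerEndpoint(region, override string) (string, error) {
	suffix, err := partitionSuffix(region)
	if err != nil {
		return "", err
	}
	if override == "" {
		return fmt.Sprintf("https://secretsmanager.%s.%s", region, suffix), nil
	}
	u, err := url.Parse(override)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("endpoint override %q rejected: must be an https URL", override)
	}
	if !strings.HasSuffix(u.Hostname(), "."+suffix) {
		return "", fmt.Errorf("endpoint override %q rejected: host not in partition %s", override, suffix)
	}
	return u.String(), nil
}

func main() {
	ep, err := ResolveSecretsManagerEndpoint("eu-central-1", os.Getenv("AWS_SECRETSMANAGER_ENDPOINT"))
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println(ep)
}
```

Run with `AWS_SECRETSMANAGER_ENDPOINT` unset to see the derived endpoint, or set it to the value from the Helm `extraEnv` above to see the override accepted.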
