Closed suzaku closed 1 month ago
This is intentional design: DescribeSecret does not carry the decryption performance overhead that GetSecretValue does (see the helper here). We use this as a performance optimization to reduce our server-side load.

Grant DescribeSecret permissions to the identity fetching them in your cluster.
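
A pre-deployment check for the situation in this thread, as an added example that is not part of the PR or the provider's code: it reads an identity policy document and reports which of DescribeSecret and GetSecretValue it fails to grant on a given secret. The ARN and policy are constructed samples, the function names are hypothetical, and only Effect, Action and Resource are evaluated (conditions, NotAction/NotResource and other policy types are out of scope).

```python
import json
from fnmatch import fnmatchcase

# The two Secrets Manager actions discussed in this thread.
REQUIRED = ("secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue")

# Constructed sample data (not from the page): a secret ARN and an identity
# policy that allows reading the value but not describing the secret.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-AbCdEf"
GET_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/*",
    }],
})


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    # Action names are matched case-insensitively, ARNs case-sensitively.
    action_hit = any(fnmatchcase(action.lower(), p.lower())
                     for p in _as_list(stmt.get("Action", [])))
    resource_hit = any(fnmatchcase(resource, p)
                       for p in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def is_allowed(policy, action, resource):
    """An explicit Deny wins; otherwise at least one Allow must match."""
    hits = [s["Effect"] for s in _as_list(policy.get("Statement", []))
            if _matches(s, action, resource)]
    return "Deny" not in hits and "Allow" in hits


def missing_actions(policy_json, secret_arn):
    """Return the required actions that the policy does not grant on the secret."""
    policy = json.loads(policy_json)
    return [a for a in REQUIRED if not is_allowed(policy, a, secret_arn)]


if __name__ == "__main__":
    print(missing_actions(GET_ONLY_POLICY, SECRET_ARN))
```
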
Issue #, if available:

Description of changes: Currently, if DescribeSecret is not allowed for one of the secrets, the entire Mount request and the auto rotation would fail. But sometimes secrets might be created with only GetSecret allowed, which is still enough permission to generate a new secret. It would be great to still try fetching the secret value even if describe failed because of AccessDenied.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.