argocd-vault-plugin
Override AWS_REGION if full secret ARN is used
Is your feature request related to a problem? Please describe.
The argocd-vault-plugin's AWS_REGION config is static. You cannot retrieve a secret from a region other than the one that is configured statically.
Describe the solution you'd like
If a user provides a full secret ARN, use the region in the ARN to perform the lookup.
Describe alternatives you've considered
Could possibly set up secret replication, but that has added costs and complexity.
Additional context
The error message AWS throws on this is not great, a generic resource policy permission denied:
An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::<ACCOUNT ID>:assumed-role/my_role is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-west-2:<ACCOUNT ID>:secret:my-secret because no resource-based policy allows the secretsmanager:GetSecretValue action
I had not noticed this as another possible workaround: https://argocd-vault-plugin.readthedocs.io/en/stable/config/#passing-avp-configuration-as-environment-variables-in-the-app-manifest
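The behaviour requested above, as an added example written here in Go (the plugin's language) and not taken from argocd-vault-plugin itself: a full Secrets Manager ARN carries its own region, so that region should win over the static AWS_REGION, and a plain secret name falls back to the configured value. The ARN and account id are constructed sample values; `ParseSecretARN` and `ResolveRegion` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNotARN marks a plain secret name (e.g. "my-secret") rather than an ARN.
var ErrNotARN = errors.New("identifier is not an ARN")

// ParseSecretARN extracts region and secret name from a full Secrets Manager ARN
// (arn:partition:secretsmanager:region:account:secret:name). The resource part
// carries its own colon, so split into at most six fields, not on every colon.
func ParseSecretARN(id string) (region, name string, err error) {
	if !strings.HasPrefix(id, "arn:") {
		return "", "", ErrNotARN
	}
	parts := strings.SplitN(id, ":", 6)
	if len(parts) != 6 || parts[2] != "secretsmanager" || parts[3] == "" {
		return "", "", fmt.Errorf("not a regional secretsmanager ARN: %q", id)
	}
	name = strings.TrimPrefix(parts[5], "secret:")
	if name == parts[5] || name == "" {
		return "", "", fmt.Errorf("ARN resource is not a secret: %q", id)
	}
	return parts[3], name, nil
}

// ResolveRegion picks the region for a lookup: a full ARN's own region wins,
// a plain name falls back to the static AWS_REGION. Sending an ARN to the wrong
// region surfaces as the misleading AccessDeniedException quoted in the issue.
func ResolveRegion(id, configuredRegion string) (string, error) {
	region, _, err := ParseSecretARN(id)
	switch {
	case errors.Is(err, ErrNotARN) && configuredRegion == "":
		return "", errors.New("plain secret name given but AWS_REGION is unset")
	case errors.Is(err, ErrNotARN):
		return configuredRegion, nil
	case err != nil:
		return "", err
	}
	return region, nil
}

func main() {
	// Constructed sample ARN; the account id is a placeholder value.
	r, err := ResolveRegion("arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret-AbCdEf", "us-east-1")
	fmt.Println(r, err) // us-west-2 <nil>
}
```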
@sidewinder12s were you able to work around this issue?
Yes I was able to set the region in the app manifest with the legacy plugins. This was mostly a request for QoL.
This feature has been released with https://github.com/argoproj-labs/argocd-vault-plugin/releases/tag/v1.15.0