argocd-vault-plugin

Override AWS_REGION if full secret ARN is used

Open · sidewinder12s opened this issue 2 years ago · 1 comment

Is your feature request related to a problem? Please describe.
The argocd-vault-plugin's AWS_REGION config is static. You cannot retrieve a secret from a region other than the one that is configured statically.

Describe the solution you'd like
If a user provides a full secret ARN, use the region in the ARN to perform the lookup.

Describe alternatives you've considered
Could possibly set up secret replication, but that has added costs and complexity.

Additional context

The error message AWS throws on this is not great, a generic resource policy permission denied:

An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::<ACCOUNT ID>:assumed-role/my_role is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-west-2:<ACCOUNT ID>:secret:my-secret because no resource-based policy allows the secretsmanager:GetSecretValue action

sidewinder12s · Mar 11 '22 23:03
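The region-selection rule proposed above, as an added illustration rather than code from argocd-vault-plugin: when the secret reference is a full Secrets Manager ARN, the region embedded in it is used; otherwise the statically configured AWS_REGION value is kept. The ResolveRegion function, its error cases and the sample ARNs are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ResolveRegion picks the region for a Secrets Manager GetSecretValue call.
// secretRef is either a plain secret name or a full ARN of the form
//   arn:<partition>:secretsmanager:<region>:<account>:secret:<name>
// configuredRegion is the static AWS_REGION value. A full ARN wins; anything
// else falls back to configuredRegion. An ARN for another service, or one with
// an empty region field, is rejected instead of silently using the static region.
func ResolveRegion(secretRef, configuredRegion string) (string, error) {
	if !strings.HasPrefix(secretRef, "arn:") {
		// Plain secret name: the static region is the only information we have.
		return configuredRegion, nil
	}
	// Split into at most 7 fields so a ':' inside the resource part stays intact.
	parts := strings.SplitN(secretRef, ":", 7)
	if len(parts) != 7 || parts[2] != "secretsmanager" || parts[5] != "secret" {
		return "", fmt.Errorf("not a Secrets Manager ARN: %q", secretRef)
	}
	if parts[3] == "" {
		return "", fmt.Errorf("ARN has an empty region field: %q", secretRef)
	}
	return parts[3], nil
}

func main() {
	// Constructed sample inputs; the account id is a placeholder.
	refs := []string{
		"arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret",
		"my-secret",
		"arn:aws:s3:::some-bucket",
	}
	for _, ref := range refs {
		region, err := ResolveRegion(ref, "us-east-1")
		fmt.Printf("%-66s -> region=%q err=%v\n", ref, region, err)
	}
}
```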

I had not noticed this as another possible workaround: https://argocd-vault-plugin.readthedocs.io/en/stable/config/#passing-avp-configuration-as-environment-variables-in-the-app-manifest

sidewinder12s · Mar 12 '22 00:03

@sidewinder12s were you able to workaround this issue?

werne2j · Mar 23 '23 14:03

Yes, I was able to set the region in the app manifest with the legacy plugins. This was mostly a request for QoL.

sidewinder12s · Mar 27 '23 23:03

This feature has been released with https://github.com/argoproj-labs/argocd-vault-plugin/releases/tag/v1.15.0

werne2j · Jun 24 '23 16:06