Moritz Johner

Results 191 comments of Moritz Johner

Looking at the aws-sdk: I think there are multiple problems at play: (1) It appears that the list-secrets call using `tag-key` and `tag-value` is a prefix match, see here: https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/#Filter....

Hey @janpfischer did you try to `kubectl describe es ` ? Fetching a secret with a `-` in it isn't the problem :thinking:. Wild guess: the problem may be in...

IMO we don't need to expose a service, users can use the `kube-apiserver` to trigger an update. It already provides authentication and authorization. A user simply needs to annotate the...

Just to clarify: we're talking about regional unavailability, not a single zone being unavailable, right? AFAIK IBM Secret Manager is a regional service. ESO acts as a caching layer. Even...

Do you have some sort of proxy running between AWS and ESO? The default trust chain is enough to connect with AWS unless there's a man in the middle like...

:thinking: What's the CA of the certificate presented? ESO uses distroless, which comes with a set of CA certificates, see their repo: https://github.com/GoogleContainerTools/distroless I guess it's an issue with Govcloud...

You can mount custom CA certs on the operator, by default golang [looks at these locations](https://go.dev/src/crypto/x509/root_linux.go). People have reported that [this has worked for them](https://github.com/external-secrets/external-secrets/issues/1228#issuecomment-1428731890).

I dug into the AWS Go SDK, and it looks like the `AWS_CA_BUNDLE` should indeed be loaded. I think it's worth investigating why ESO doesn't create the secret. ESO should...

0.9.10 has been released, can someone confirm this is working now? :pray:

I found some time to dig into the AWS docs. :warning: We cannot use the `serviceAccountRef` based authentication mechanisms on a `(Cluster)SecretStore`. I.e. the following snippet **will not work when...