Unable to retrieve Env set at the SecretProviderClass about secrets-store-csi-driver-provider-aws HOT 10 CLOSED

I was facing same issue, for me this worked: #30 (comment)

So probably you can try to install driver with these values:

helm upgrade --install csi-secrets-store \
--namespace kube-system secrets-store-csi-driver/secrets-store-csi-driver \
--set grpcSupportedProviders="aws" --set syncSecret.enabled="true"

from secrets-store-csi-driver-provider-aws.

Thanks @shapirov103 and @mehowthe that was in fact the issue for me as well. Note, the secret only "syncs" with k8s secrets after applying the pod/deployment/etc that references it with secretKeyRef. I was confused at first why it wasn't showing up in kubectl get secrets after applying the SecretProviderClass by itself.

from secrets-store-csi-driver-provider-aws.

Same issue here, trying to use secret sync feature:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: argo-aws-secrets
spec:
  provider: aws
  secretObjects:
    - secretName: bootstrap-repo-secret-sync
      type: Opaque
      labels:
        "argocd.argoproj.io/secret-type": "repository"
      data:
        - objectName: github-ssp-ssh   
          key: sshPrivateKey
        - objectName: github-ssp-ssh
          key: url 
  parameters:
    objects: | 
      - objectName: "github-ssp-ssh"
        objectType: "secretsmanager"

The behavior is exactly as described in the issue: env reference fails, however volume is mounted successfully when kubernetes secret is not referenced. Secret is not created.
On EKS version 1.19:
AWS provider image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
CSI Driver image: k8s.gcr.io/csi-secrets-store/driver:v0.0.23

from secrets-store-csi-driver-provider-aws.

Leaving syncSecret.enabled = false is considered a best practice as per the docs.

from secrets-store-csi-driver-provider-aws.

Same issue here. There appears to be an issue with SecretsManagerSync -- i.e. this test is not passing: https://github.com/aws/secrets-store-csi-driver-provider-aws/blob/main/tests/aws.bats#L136

from secrets-store-csi-driver-provider-aws.

@mehowthe thank you and confirmed, the issue was due to the helm chart value for sync secret was not set. Did not expect the behavior to be "opt-in", however, it is marked as optional, so works as designed.

from secrets-store-csi-driver-provider-aws.

Adding --set grpcSupportedProviders="aws" --set syncSecret.enabled="true" works a treat. It creates the Environment Variable.
However once the secret value is rotated in AWS Secrets Manager, only the file is updated and not the Environment value.

from secrets-store-csi-driver-provider-aws.

@askulkarni2 the docs clearly states - if you don't need it.

from secrets-store-csi-driver-provider-aws.

Adding --set grpcSupportedProviders="aws" --set syncSecret.enabled="true" works a treat. It creates the Environment Variable. However, once the secret value is rotated in AWS Secrets Manager, only the file is updated and not the Environment value.

Even I noticed the same behavior, I had to drop the secret object & roll restart of pods for the new value to show up as ENV. Is there any fix for this?

from secrets-store-csi-driver-provider-aws.

This is indented behavior of the Secret Store Driver, closing.

from secrets-store-csi-driver-provider-aws.