ExternalSecret: Partially load a secret

Kubernetes ExternalSecret

2 min read | by Jordi Prats

Sometimes a secret stored in AWS Secrets Manager has multiple properties, but we don't need all of the data it holds. We can tell External Secrets Operator to use just a specific key instead of the whole secret.

Let's assume we have the following data stored in a secret in AWS Secrets Manager:

{"thisone": "data", "notthisother": "thing"}

If we just want the data from the key thisone instead of the whole secret, we can use the property option when defining the .spec.data entries of the ExternalSecret object:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: demo-secret
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: demo-ss
    kind: SecretStore
  target:
    name: demo-secret
  data:
  - secretKey: secretkey
    remoteRef:
      key: Demo/secret
      property: thisone

This creates a key named secretkey in the demo-secret Secret, with the data coming from the thisone key stored in the Demo/secret secret. The value is base64-encoded as usual (ZGF0YQ== decodes to data):

$ kubectl get secret demo-secret -o yaml
apiVersion: v1
data:
  secretkey: ZGF0YQ==
(...)

So, we can use External Secrets Operator to unpack a JSON-encoded secret and sync only the key we need.
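
To check that manifests actually follow this pattern, the sketch below (an added example, not code from the original post or from the External Secrets Operator project) models what the property option puts into the target Secret and scans an ExternalSecret list for entries that would still copy the whole remote secret. The demo namespace, the whole-secret and extract-all objects and both function names are assumptions made for the illustration.

```python
import base64
import json

# Constructed sample data: the remote value from the post, and a list shaped like
# `kubectl get externalsecrets -A -o json` output (namespace and last two objects are hypothetical).
REMOTE_VALUE = '{"thisone": "data", "notthisother": "thing"}'
SAMPLE_LIST = {"items": [
    {"metadata": {"namespace": "demo", "name": "demo-secret"},
     "spec": {"data": [{"secretKey": "secretkey",
                        "remoteRef": {"key": "Demo/secret", "property": "thisone"}}]}},
    {"metadata": {"namespace": "demo", "name": "whole-secret"},
     "spec": {"data": [{"secretKey": "blob", "remoteRef": {"key": "Demo/secret"}}]}},
    {"metadata": {"namespace": "demo", "name": "extract-all"},
     "spec": {"dataFrom": [{"extract": {"key": "Demo/secret"}}]}},
]}

def synced_value(remote_value, property_name=None):
    """Simplified model of the base64 value one data entry puts in the target Secret."""
    if property_name is None:
        picked = remote_value  # no property: the whole JSON document is copied
    else:
        picked = json.loads(remote_value)[property_name]
        if not isinstance(picked, str):
            picked = json.dumps(picked)  # assumption: non-strings are re-serialised
    return base64.b64encode(picked.encode()).decode()

def find_whole_secret_syncs(es_list):
    """Return (namespace/name, location, remote key) for entries that copy everything."""
    findings = []
    for item in es_list.get("items", []):
        meta = item["metadata"]
        ident = "{}/{}".format(meta.get("namespace", "default"), meta["name"])
        spec = item.get("spec", {})
        for entry in spec.get("data") or []:
            ref = entry.get("remoteRef", {})
            if not ref.get("property"):
                findings.append((ident, "data[{}]".format(entry.get("secretKey")), ref.get("key")))
        for source in spec.get("dataFrom") or []:
            extract = source.get("extract")
            if extract is not None and not extract.get("property"):
                findings.append((ident, "dataFrom.extract", extract.get("key")))
    return findings

if __name__ == "__main__":
    print(synced_value(REMOTE_VALUE, "thisone"))
    for finding in find_whole_secret_syncs(SAMPLE_LIST):
        print("copies whole remote secret:", *finding)
```

Against a real cluster, the same function can be fed the parsed output of kubectl get externalsecrets -A -o json in place of SAMPLE_LIST.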


Posted on 13/06/2023