External Secrets Operator: Using versioned secrets from the AWS Secrets Manager

Kubernetes ExternalSecret Secrets Manager AWS versions

2 min read | by Jordi Prats

When using the AWS Secrets Manager, every time a secret is updated, it creates a new version with a unique uuid. It will also update the VersionStages AWSCURRENT and AWSPREVIOUS to point to the current and the previous version. We can use them with the External Secrets Operator to retrieve the current and the previous version of a secret

To do so, we can use the version field within the remoteRef in order to specify whether we want the AWSCURRENT or the AWSPREVIOUS:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
  name: es-demo-with-latest-ver
    kind: SecretStore
    name: demo-ss
    name: versioned-secrets
  refreshInterval: 1h
  - remoteRef:
      key: /example/key
      property: demo
      version: AWSCURRENT
    secretKey: demo-current
  - remoteRef:
      key: /example/key
      property: demo
      version: AWSPREVIOUS
    secretKey: demo-current

We can specify it's uuid as well, just by prefixing it with uuid/.

Depending on the IAM permissions we have set, it might be mandatory to specify the version, regardless of the default value the call would use:

  "Version": "2012-10-17",
  "Statement": [
          "Action": [
          "Condition": {
              "ForAnyValue:StringEquals": {
                  "secretsmanager:VersionStage": "AWSCURRENT"
          "Effect": "Allow",
          "Resource": "arn:aws:secretsmanager:us-west-2:123456789876:secret:/demo-user-*"

Posted on 11/01/2023