secrets-manager | This library will help you to decouple your application of your secrets provider | AWS library

1- Retrieve metadata information about a Secrets Manager secret, via aws secrets manager data resource

I've solved the issue (typical that it's minutes after posting)

The error states that it's expecting a member with key 'secretId', however it needs to be passed as 'SecretId' - note the uppercase first character

After changing the param passed to the constructor of the command to be the latter key, it now works...

OK - so your question is how to READ a secret. Let's try different tutorials:

Example 1: use SecretsManager (much like your original tutorial is doing):

https://nimblegecko.com/how-to-use-aws-secret-manager-secrets-in-dotnet-core-application/

You have an issue in your role binding I think. When you say this:

kubernetes_serviceaccount called external-secrets-kubernetes-external-secrets was already created when installing kubernetes-external-secrets with helm. and it bind k8s_sa_name &' external-secrets-kubernetes@my-project-id.iam.gserviceaccount.com, which has ["roles/secretmanager.admin","roles/secretmanager.secretAccessor"].

It's unclear.

1. external-secrets-kubernetes@my-project-id.iam.gserviceaccount.com, is created on which project? I guess in prj-application, but not clear.

1. I take the assumption (with the name and the link with the cluster) that the service account is created in the prj-application. you grant the role "roles/secretmanager.admin","roles/secretmanager.secretAccessor" on which resource?

• On the IAM page of the prj-application?
• On the IAM page of the prj-secret?
• On the secretId of the secret in the prj-secret?

If you did the 1st one, it's the wrong binding, the service account can only access to the secret of the prj-application, and not these of prj-secret.

Note, if you only need to access the secret, don't grand the admin role, only the accessor is required.

You are right, it can be further simplified on code side.

Let's say accountA has secrets and accountB is your app account. Current implementation does the following:

• A client is created inside the accountB using accountA credentials (AssumeRole is followed and is a best practice)
• Secrets are fetched and then used.

What could be done:

• Use resource based policy in accountA that let's the IAM User and/or IAM Role in accountB have access to the secrets placed in accountA.
• Update the KMS key policy in accountA for the key that is used to encrypt/decrypt secrets. Let the same IAM User and/or Role have access to that KMS key. So that they can use it.
• Update the IAM Policy for the IAM User and/or Role in accountB, explicitly allowing it to use the secrets and KMS keys of accountA.

Now, you are able to access the secrets using the same IAM User/Role that is used for the app and theoretically spring-cloud-starter-aws-secrets-manager-config should fetch the secrets from accountA as well (I have not tested it for myself).

The least benefit you will get is not creating assumedRole client for different account. More details on AWS Blog

Based on the comments.

"No commands found for phase name: install" is not an error. It is an information message that install phase has no commands.

The issue was due to missing/wrong secret manager secrets. To verify the correct settings have to go to Secret Manger console, them under Secret Name it should write CodeBuild. Next if you Retrieve the secret value, the Secret Key should be AWS_ACCESS_KEY_ID. Same for AWS_SECRET_ACCESS_KEY.

I tried to replicate the issue, but the only thing I found that you should be using --username, not --user. Anyway, here is my buildspec.yml used for the verification:

You're using different versions of spring-boot-starter-parent (2.3.1.RELEASE and 2.3.4.RELEASE) which is probably leading to inconsistent versions where the later or earlier don't have the method. Try using 2.3.4.RELEASE in your application.

[Update]

You're still getting inconsistent versions of org.springframework:* on the classpath:

You don't need to make any changes to the logic of loading the event or the environmental variables.

Think of this way. When rotation occurs, secrets manager will invoke your lambda. That invocation has an event associated with it, which contains the rotation step, SecretId of the secret to be rotated, ClientRequestToken, etc

You don't need to modify that logic.

With regards to the lambda you need to set an environment variable for the secrets manager endpoint - https://docs.aws.amazon.com/lambda/latest/dg//go-programming-model-env-variables.html

• ''https://secretsmanager.region.amazonaws.com' but insert the region you're work with - https://secretsmanager.us-west-2.amazonaws.com for example