Nested key reference in secretKey

[edbighead]

Is there a way to specify a nested key in secretKey reference?

vault kv get -version=2 my-app/secrets | jq .data.data > temp.json

{
  "VAR": "xxxx",
  "POSTGRES_BACKUP": {
    "PGDATABASE": "myapp",
    "PGHOST": "my-app.xxx123xxx.us-east-1.rds.amazonaws.com"
  }
}

Having the following block of parameters in SecretProviderClass

  parameters:
    roleName: my-role
    vaultKubernetesMountPath: kubernetes
    objects: |
      - objectName: pghost
        secretPath: my-app/data/secrets?version=2
        secretKey: POSTGRES_BACKUP.PGHOST

Results in error

failed to get secret content "POSTGRES_BACKUP.PGHOST" as string

[edbighead]

Doesn't look like there is a way to do it currently

vault-csi-provider/internal/provider/provider.go

Lines 167 to 170 in 03f657a

	content, ok := data[secretKey].(string)
	if !ok {
	return "", fmt.Errorf("failed to get secret content %q as string", secretKey)
	}

Should this be considered as a feature request or it's not how it should work?

[tomhjp]

Hi @edbighead, you're right that it's not currently supported. I have reservations about completeness and complexity for this feature. What about arbitrary depth keys, or indexing into an array etc. Users are in control of the format of their secrets, so I'm inclined to suggest flattening the structure of secrets instead. I'm happy to leave this open as a feature request for now though, and if there is a lot of support and more use cases from the community, it could end up being implemented in some form.

[edbighead]

thanks @tomhjp, we indeed flattened our secrets structure for vault-csi-provider and went with agent-sidecar-injector combined with secret-templates for nested structures

[tomhjp]

Good point about templates! Consul Template could be an interesting option for this project too, given it's already well established in the agent injector.

[tomhjp]

Closing as I believe this is effectively covered by #91 with that in mind.