Storing a multi-line secret results in strange behavior

2

Hello

Does secret manager formally support multi-line secret values?

When storing a PEM for example, via the console, the newlines are converted to spaces, which means a conversion needs to happen when retrieving.

This can be worked around to some extent by using the 'plaintext' method of storing the secret... but this breaks the UI when trying to read it. It also seems to add additional escaping around the key and value which means programmatic retrieval is affected, and not consistent.

Am I doing something wrong? Am I expecting a capability which is unusual here?

Thanks for your help.

  • D
Asked 4 years ago · 10111 views
5 answers
1

I have another use case. I am installing kodiak in EKS and storing sensitive data in secrets that are loaded into k8s via the external-secrets package. When I paste the private PEM data into the SecretsManager UI using the secret key/value selection, it replaced the newlines with spaces. I first tried to replace the newline characters with the "\n" character sequence. When I pasted that version of the PEM data into the Secrets Manager UI at the secret key/value selection, it replaced "\n" with "\\n" (two backslashes and "n"). I was able to workaround the issue by editing the secret value in the plain text version of the secret, removing the extra backslash from "\\n" leaving only "\n", and now the PEM data is interpreted correctly in the k8s secret and then the pod.

I don't know if this answer qualifies as a solution or a workaround, but either way, it works.

Edited by: mrbobfrog on Sep 16, 2021 8:46 PM

Answered 3 years ago
  • I can't upvote for some reason, but +1 for this. This helped a ton.

    so instead of "-----BEGIN RSA PRIVATE KEY----- FOOBAR", in plaintext, store it as "-----BEGIN RSA PRIVATE KEY-----\nFOOBAR"

0

I think the answer to my own question is to store the multi-line value in plaintext without any json wrapper.

This breaks the "k/v" view in the GUI and also limits the use of the secret to only a single value, but otherwise seems to work OK.

At 40c a secret this could add some extra to the bill.

Answered 4 years ago
0

Secrets Manager stores content of a secret as a JSON blob. If you use the console to store the secret, Secrets Manager will create key-value pairs that are stored in one JSON blob. Your post did make me wonder why you are storing multiple key-values in a single secret. Storing multiple key values makes it hard to benefit from capabilities such as automatic rotation, fine-grained access control, and detailed auditing/monitoring. DM your use case to me please; we can discuss avenues to meet your use case easily and economically.
--Apurv

Answered 4 years ago
0

Hello Apurv,
Here you are a use case: I need to connect from an AWS EC2 to an on-premise server using SSL and certificate + private key (the application needs the private key for its work) instead of a user name + password. Of course I would like to secure both the certificate and the private key. How could I store the content of the certificate and the private key securely in AWS? The form of these credentials is usually multi-line:
-----BEGIN CERTIFICATE-----
ASDF...
....
....
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
QWER...
...
...
-----END PRIVATE KEY-----
and their size sometimes is more than 1KiB

An alternative could be a certificate, generated by AWS, if I can provide the private key to the application. It seems the public certificates are out of question because they need a proof that I own the domain (and in this case there is no domain involved).

Regards,
Vladi

VladiK
Answered 3 years ago
0

Looks like the Secrets Manager's UI is broken.

If I edit a secret in the key/value view, the INPUT HTML element that is used for rendering won't display the new-line character. You can see the new-line if you inspect the element, but that's how far you can go. If you do not edit that particular value, the new-line stays in there, but as soon as you perform any change on that entry, the new-lines are just going to disappear.

If you enter '\n', then it is going to be encoded as '\\n'; you can see this if you open the plain-text view.

You can use the plain-text view to change '\\n' into '\n'. Afterwards, you will get actual newlines when reading the secret, BUT, as the key/value edit view is broken, this approach seems to be way too fragile: if anybody edits the entry, it will just break.

Answered 7 months ago
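The three storage forms the answers above describe (mrbobfrog's "\\n" workaround, the plaintext-without-JSON self-answer, and the last answer's note on the key/value editor) all come down to how the SecretString is escaped. The following is an added example, not code from the thread or from AWS: it builds the JSON blob correctly with json.dumps (which escapes real newlines as the two characters backslash-n, the form Secrets Manager and json.loads agree on), recovers a PEM from any of the three forms, and rejects a PEM whose newlines were flattened to spaces. The secret key name "tls_key" and the PEM body are constructed for the example; the PEM is not a real key.

```python
import base64
import json
import re
from typing import Optional

# Constructed sample, not a real key: the body is arbitrary valid base64.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END PRIVATE KEY-----\n"
)

# One PEM block: BEGIN line, body lines, END line with the same label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----\n?", re.DOTALL)


def is_well_formed_pem(text: str) -> bool:
    """True if text holds at least one PEM block whose body lines contain no spaces
    or backslashes and decode as base64. Newlines turned into spaces by the console,
    or left as a literal backslash-n, both fail this check."""
    blocks = PEM_RE.findall(text)
    if not blocks:
        return False
    for _label, body in blocks:
        lines = body.split("\n")
        if any(" " in ln or "\\" in ln for ln in lines):
            return False
        try:
            base64.b64decode("".join(lines), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return False
    return True


def build_secret_string(key: str, pem: str) -> str:
    """Build the key/value JSON blob Secrets Manager stores. json.dumps escapes each
    real newline as backslash-n, which is exactly what json.loads expects on read."""
    return json.dumps({key: pem})


def extract_pem(secret_string: str, key: Optional[str] = None) -> str:
    """Recover a PEM from a SecretString in any of the three forms seen in the thread:
    plaintext PEM (no JSON wrapper), JSON with properly escaped newlines, or JSON whose
    value carries literal backslash-n pairs (what pasting '\\n' into the k/v editor produced)."""
    if not secret_string.lstrip().startswith("{"):
        value = secret_string  # plaintext secret, single value
    else:
        obj = json.loads(secret_string)
        if key is None:
            if len(obj) != 1:
                raise ValueError("key is required when the secret holds several values")
            key = next(iter(obj))
        value = obj[key]
    # Double-escaped form: the value has the two characters backslash-n but no real newline.
    if "\\n" in value and "\n" not in value:
        value = value.replace("\\n", "\n")
    if not is_well_formed_pem(value):
        raise ValueError("secret does not contain a well-formed PEM (newlines flattened?)")
    return value


# Constructed reproductions of what the thread says the console did to a pasted PEM.
CONSOLE_FLATTENED = json.dumps({"tls_key": SAMPLE_PEM.replace("\n", " ")})
CONSOLE_DOUBLE_ESCAPED = json.dumps({"tls_key": SAMPLE_PEM.replace("\n", "\\n")})

if __name__ == "__main__":
    blob = build_secret_string("tls_key", SAMPLE_PEM)
    print(blob)  # newlines appear as \n inside the JSON string
    print(extract_pem(blob, "tls_key") == SAMPLE_PEM)
    print(extract_pem(CONSOLE_DOUBLE_ESCAPED, "tls_key") == SAMPLE_PEM)
    try:
        extract_pem(CONSOLE_FLATTENED, "tls_key")
    except ValueError as exc:
        print("rejected:", exc)
```

In practice the SecretString returned by get_secret_value is what you pass to extract_pem, and the output of build_secret_string is what you pass as SecretString to put_secret_value. Writing the secret from the CLI with `--secret-string file://key.pem` (or with boto3 from code) avoids the console editor entirely, which is the only place in the thread where the newlines get altered.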
