feat: Always include SecretString key for JSON secrets

This allows users to retrieve the raw JSON string value using

useful when you need the entire JSON object as a string rather
than accessing individual JSON keys.

Changes:
- Modified GetSecrets to always include SecretString in returned map
- Updated existing tests to expect SecretString key in JSON results
- Added test case for retrieving valid JSON as raw string
- Updated documentation with example of retrieving JSON as string

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>

Author: vlsi

docs/backends.md

@@ -314,19 +314,22 @@ type: Opaque
 
 ###### Plain Text Secrets
 
-AWS Secrets Manager can store plain text (non-JSON) secrets. To retrieve the entire plain text value, use `SecretString` as the key:
+AWS Secrets Manager can store plain text (non-JSON) secrets. To retrieve the entire secret value as a raw string (whether it's plain text or JSON), use `SecretString` as the key:
 
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
   name: aws-example
 stringData:
+  # Plain text secret
   sample-secret: <path:test-plaintext-secret#SecretString>
+  # Or JSON secret as raw string
+  json-as-string: <path:test-json-secret#SecretString>
 type: Opaque
 ```
 
-**Note**: If you need to access the secret value as a single string, use `#SecretString`. If the secret contains JSON, you can access its elements with `#keyName` (e.g., `<path:test-secret#username>`).
+**Note**: Use `#SecretString` to retrieve the raw secret value as a single string. If the secret contains JSON and you want to access individual elements, use `#keyName` (e.g., `<path:test-secret#username>`).
 
 ###### Versioned secrets
 

pkg/backends/awssecretsmanager.go

@@ -83,6 +83,8 @@ func (a *AWSSecretsManager) GetSecrets(path string, version string, annotations
 			dat["SecretString"] = *result.SecretString
 			return dat, nil
 		}
+		// Always include SecretString to allow retrieving raw JSON value
+		dat["SecretString"] = *result.SecretString
 	} else if result.SecretBinary != nil {
 		utils.VerboseToStdErr("Get binary value for %v", path)
 		dat = make(map[string]interface{})

pkg/backends/awssecretsmanager_test.go

@@ -36,6 +36,9 @@ func (m *mockSecretsManagerClient) GetSecretValue(ctx context.Context, input *se
 	case "test-invalid-json":
 		string := "{incomplete json"
 		data.SecretString = &string
+	case "test-json-as-string":
+		string := "{\"username\":\"admin\",\"password\":\"secret123\"}"
+		data.SecretString = &string
 	}
 
 	return data, nil
@@ -51,7 +54,8 @@ func TestAWSSecretManagerGetSecrets(t *testing.T) {
 		}
 
 		expected := map[string]interface{}{
-			"test-secret": "current-value",
+			"test-secret":  "current-value",
+			"SecretString": "{\"test-secret\":\"current-value\"}",
 		}
 
 		if !reflect.DeepEqual(expected, data) {
@@ -79,7 +83,8 @@ func TestAWSSecretManagerGetSecrets(t *testing.T) {
 		}
 
 		expected := map[string]interface{}{
-			"test-secret": "previous-value",
+			"test-secret":  "previous-value",
+			"SecretString": "{\"test-secret\":\"previous-value\"}",
 		}
 
 		if !reflect.DeepEqual(expected, data) {
@@ -159,6 +164,19 @@ func TestAWSSecretManagerGetSecrets(t *testing.T) {
 			t.Errorf("expected: %v, got: %v.", expected, data)
 		}
 	})
+
+	t.Run("Get valid JSON secret as raw string using SecretString key", func(t *testing.T) {
+		secret, err := sm.GetIndividualSecret("test-json-as-string", "SecretString", "", map[string]string{})
+		if err != nil {
+			t.Fatalf("expected 0 errors but got: %s", err)
+		}
+
+		expected := "{\"username\":\"admin\",\"password\":\"secret123\"}"
+
+		if !reflect.DeepEqual(expected, secret) {
+			t.Errorf("expected: %s, got: %s.", expected, secret)
+		}
+	})
 }
 
 func TestAWSSecretManagerEmptyIfNoSecret(t *testing.T) {