[Feature Request] Support plain text secrets for AWS Secrets Manager backend #710
Description
Is your feature request related to a problem? Please describe.
AWS Secrets Manager fully supports storing plain text values (not just JSON), but argocd-vault-plugin currently only supports JSON key-value format for AWS backend.
Current Behavior
AVP forces JSON unmarshaling for all AWS Secrets Manager secrets:
https://github.com/argoproj-labs/argocd-vault-plugin/blob/main/pkg/backends/awssecretsmanager.go#L78
This means plain text secrets like "my-password-123" fail with JSON unmarshal error, forcing users to wrap everything in JSON format like {"password": "my-password-123"}.
AWS Secrets Manager Plain Text Support
AWS Secrets Manager natively supports plain text secrets:
# Plain text secrets
aws secretsmanager create-secret \
--name "my-secret" \
--secret-string "admin-user-123" \
--region $AWS_REGIONDescribe the solution you'd like
Add support for retrieving entire secret value when no key is specified or when using a special key like SecretString:
Option 1: No key specified (retrieve entire value)
stringData: password: <path:my-secret> # Returns entire SecretString value
Option 2: Special key SecretString (consistent with existing SecretBinary)
stringData: password: <path:my-secret#SecretString> # Explicitly get entire SecretString
Direct plain text support would:
- Align AWS backend with Azure/GCP behavior
- Simplify secret management for simple use cases
- Reduce migration effort from plain text secrets
- Follow AWS best practices for simple secrets
Describe alternatives you've considered
Many organizations store simple credentials (API keys, tokens, passwords) as plain text in AWS Secrets Manager without JSON wrapping. This is recommended by AWS for simple secrets to avoid unnecessary complexity.
Current workaround requires users to:
- Migrate all plain text secrets to JSON format, or
- Use annotations-based syntax which is more verbose