Let say I have a custom secret manager that get some inputs to provide the way to access some secret, and an input that is dynamic that gives a reference to the wished secret.

Up to now I can create a secret connected to this secret manager and pass the reference as an input value. Then in the pipeline I can invoke secrets.getValue with that secret and it works fine.

My goal would be to be able to call directly the custom secret manager within the pipeline, passing the dynamic value, instead of having to create a secret.

For example this works with a secret connected to the custom secret manager:

echo '<+secrets.getValue("storefront-ui-env-tmp")>' > env-tmp

But I do not wish to create one secret for each value within the custom secret manager

For example this works also using a call to AWS secret manager:

echo '<+secrets.getValue("awssecretsmanager://aws_discovery_harness")>' | jq -r '.services["travelstorefront"]["storefront-ui"]["env-tmp"]' > .env

But it is a bit too versbose and also logs the full content of the secrets inside the logs, which is clearly not acceptable.

But I would like this:

echo '<secrets.getValue("customsecretsmanager://aws_discovery_harness", {"JSONPATH": ".services.travelstorefront.storefront-ui.env-tmp"})>' > .env