I've set up External Secrets on an AKS Cluster, pointed to an Azure Key Vault, but my ExternalSecrets won't sync

I'm trying to integrate AKS with Key Vault using the External Secrets operator. I've set up the operator itself using the Helm chart, and I've created a SecretStore resource pointed at a Vault (we'll call it keyvault-demo). However, when I attempt to create ExternalSecret resources, the status says SecretSyncedError and provides no meaningful error beyond "could not get secret data from provider".

Here's the YAML for both the SecretStore and the ExternalSecret:

---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-backend
spec:
  provider:
    azurekv:
      tenantId: <REDACTED>
      vaultUrl: "https://<redacted>.vault.azure.net/"
      authType: ServicePrincipal
      authSecretRef:
        clientId:
          name: azure-secret-sp
          key: ClientID
        clientSecret:
          name: azure-secret-sp
          key: ClientSecret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: azure-example
spec:
  refreshInterval: 15m
  secretStoreRef:
    kind: SecretStore
    name: azure-backend
  target:
    name: azure-secret
  data:
  - secretKey: foobar
    remoteRef:
      key: secret/example-externalsecret-key

I've verified that the names of the Key Vault, the Service Principal, and the secret within the Vault are all correct. What am I missing here??

There is 1 best solution below

Seems like your ExternalSecret is missing spec.data[0].remoteRef.property... See this for more info.
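
Added example, not part of the question or the answer above: the ExternalSecret from the question with one entry that omits remoteRef.property and one that sets it, to show what the field does with the Azure Key Vault provider. The second entry's secret name, its JSON content and the key names db-password and password are hypothetical.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: azure-example
spec:
  refreshInterval: 15m
  secretStoreRef:
    kind: SecretStore
    name: azure-backend
  target:
    name: azure-secret
  data:
  # No property: the entire value of the Key Vault secret is written
  # to the key "foobar" in the target Kubernetes Secret.
  - secretKey: foobar
    remoteRef:
      key: secret/example-externalsecret-key
  # With property: the Key Vault secret value is parsed as JSON and only
  # the named field is written to the target key.
  # Assumes a hypothetical Key Vault secret "example-json-secret" whose
  # value is a JSON object such as {"password": "<value>"}.
  - secretKey: db-password
    remoteRef:
      key: secret/example-json-secret
      property: password
```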