What problem are you facing?
We use an external-id to assume through our auth account into other accounts. This value is, and should be treated as, a secret. Currently in the ProviderConfig you can only hard-code a value into the resource, which is a problem when they're in gitops.
What could help solve your problem?
Change structure from

    spec:
      assumeRoleChain:
      - externalID: <string>

to

    spec:
      assumeRoleChain:
      - externalID:
          secretRef:            # Either this
            name: <string>
            namespace: <string>
            key: <string>
          value: <string>       # or this
Would love to see this feature added to the aws provider family.
Our use-case involves installing providers and the provider configs through gitops which means the externalID could sometimes be visible and exposed to unauthorized users. Being able to create a secret with external secrets operator or some other secure way to get secrets into the cluster would mitigate this.
We considered the scenario to wrap the creation of the ProviderConfig into its own XRD, but that adds complexity to the code in a way that makes it more difficult to reason about.
To avoid a breaking change I would suggest this format instead:
    spec:
      assumeRoleChain:
      - externalID:           # Either this
      - externalIDSecretRef:  # or this
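Whichever field layout is chosen, the provider needs the same resolution logic: accept exactly one source for the external ID, read it from the referenced Secret, and never echo the value itself into errors or logs. The following is an added illustration of that logic, not code from provider-aws; the struct names, the non-breaking field layout from the comment above, and the in-memory map standing in for the Kubernetes Secret API are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretKeySelector mirrors the secretRef shape proposed in the issue (assumed names).
type SecretKeySelector struct {
	Name      string
	Namespace string
	Key       string
}

// AssumeRoleLink follows the non-breaking layout: the existing inline externalID
// plus a new, optional externalIDSecretRef.
type AssumeRoleLink struct {
	ExternalID          string
	ExternalIDSecretRef *SecretKeySelector
}

// secretStore stands in for the Kubernetes API: "namespace/name" -> key -> data.
type secretStore map[string]map[string][]byte

// ResolveExternalID returns the external ID to pass to sts:AssumeRole.
// Exactly one source must be set; error messages name the Secret, never its contents.
func ResolveExternalID(link AssumeRoleLink, store secretStore) (string, error) {
	switch {
	case link.ExternalID != "" && link.ExternalIDSecretRef != nil:
		return "", errors.New("externalID and externalIDSecretRef are mutually exclusive")
	case link.ExternalID != "":
		return link.ExternalID, nil
	case link.ExternalIDSecretRef != nil:
		ref := link.ExternalIDSecretRef
		data, ok := store[ref.Namespace+"/"+ref.Name]
		if !ok {
			return "", fmt.Errorf("secret %s/%s not found", ref.Namespace, ref.Name)
		}
		v, ok := data[ref.Key]
		if !ok || len(v) == 0 {
			return "", fmt.Errorf("secret %s/%s has no non-empty key %q", ref.Namespace, ref.Name, ref.Key)
		}
		return string(v), nil
	default:
		return "", errors.New("one of externalID or externalIDSecretRef is required")
	}
}
```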