fix: Expand Permissions for external-secrets IRSA Policy towards AWS Secrets Manager

[aschaber1]

Description

Initial set of permissions (#414) was not sufficient. Checked the source code of the secrets manager implementation of external-secrets and added remaining permissions.

Motivation and Context

There were errors on certain use cases, such as a secret changes and needs to be pushed again.

Breaking Changes

No

How Has This Been Tested?

• I have updated at least one of the examples/* to demonstrate and validate my change(s)
• I have tested and validated these changes using one or more of the provided examples/* projects

• I have executed pre-commit run -a on my pull request

• our setup

[aschaber1]

Some kubectl describe Output:

set secret failed: could not write remote ref password to target secretstore secretsmanager: AccessDeniedException: User: <stripped> is not authorized to perform: secretsmanager:TagResource on resource: my-first-parameter because no identity-based policy allows the secretsmanager:TagResource action

Some Logs:

{
  "level": "error",
  "ts": 1692864427.05778,
  "msg": "Reconciler error",
  "controller": "pushsecret",
  "controllerGroup": "external-secrets.io",
  "controllerKind": "PushSecret",
  "PushSecret": {
    "name": "<stripped>",
    "namespace": "<stripped>"
  },
  "namespace": "<stripped>",
  "name": "<stripped>",
  "reconcileID": "<stripped>",
  "error": "could not write remote ref password to target secretstore secretsmanager: AccessDeniedException: User: <stripped> is not authorized to perform: secretsmanager:PutSecretValue on resource: <stripped> because no identity-based policy allows the secretsmanager:PutSecretValue action\n\tstatus code: 400, request id: <stripped>",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/internal/controller/controller.go:226"
}

[aschaber1]

I also managed to update the documentation at external-secrets/external-secrets#2653

[antonbabenko]

This PR is included in version 5.29.2 🎉

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.