Describe the bug
The 2.0.0 Helm chart for ASCP is not able to create secrets as it does not create the secretprovidersyncing-role ClusterRole and secretprovidersyncing-rolebinding ClusterRoleBinding as a dependency
To Reproduce
Steps to reproduce the behavior:
- Install the ASCP using commands below
helm repo add aws-secrets-manager https://aws.github.io/secrets-store-csi-driver-provider-aws
helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws
- Create a SecretProviderClass and Deployment
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  annotations:
  name: admin-secrets
spec:
  parameters:
    objects: |
      - objectName: "<secret-name>"
        objectType: "secretsmanager"
        jmesPath:
          - path: "username"
            objectAlias: "username"
          - path: "password"
            objectAlias: "password"
    region: us-west-2
  provider: aws
  secretObjects:
    - data:
        - key: username
          objectName: username
        - key: password
          objectName: password
      secretName: my-admin-secrets
      type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-pod-identity-deployment
  labels:
    app: nginx-pod-identity
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-pod-identity
  template:
    metadata:
      labels:
        app: nginx-pod-identity
    spec:
      serviceAccountName: my-service-account
      volumes:
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "admin-secrets"
      containers:
        - name: nginx-pod-identity-deployment
          image: nginx
          ports:
            - containerPort: 80
          volumeMounts:
            - name: secrets-store-inline
              mountPath: "/mnt/secrets-store"
              readOnly: true
- The secret-provider-driver pod is filled with these logs
I0823 16:41:14.324689 1 reflector.go:424] "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:kube-system:secrets-store-csi-driver\" cannot list resource \"secrets\" in API group \"\" at the cluster scope\n"
E0823 16:41:14.324730 1 reflector.go:140] "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:kube-system:secrets-store-csi-driver\" cannot list resource \"secrets\" in API group \"\" at the cluster scope\n"
- The k8s secret is not created because the secretprovidersyncing-role and role binding are not created.
$ k get ClusterRole | grep -i secret
secretproviderclasses-admin-role 2025-08-23T17:07:01Z
secretproviderclasses-role 2025-08-23T17:07:01Z
secretproviderclasses-viewer-role 2025-08-23T17:07:01Z
secretproviderclasspodstatuses-viewer-role 2025-08-23T17:07:01Z
secrets-provider-aws-secrets-store-csi-driver-keep-crds 2025-08-23T17:01:48Z
secrets-provider-aws-secrets-store-csi-driver-provider-aws-cluster-role 2025-08-23T17:07:01Z
As a workaround, I am installing the secrets-store-csi-driver separately and that creates the role and role binding.
helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set syncSecret.enabled=true
helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws --set secrets-store-csi-driver.install=false
$ k get ClusterRole | grep -i secret
secretproviderclasses-admin-role 2025-08-23T17:23:50Z
secretproviderclasses-role 2025-08-23T17:23:50Z
secretproviderclasses-viewer-role 2025-08-23T17:23:50Z
secretproviderclasspodstatuses-viewer-role 2025-08-23T17:23:50Z
secretprovidersyncing-role 2025-08-23T17:23:50Z
secrets-provider-aws-secrets-store-csi-driver-keep-crds 2025-08-23T17:01:48Z
secrets-provider-aws-secrets-store-csi-driver-provider-aws-cluster-role 2025-08-23T17:23:59Z
Do you also notice this bug when using a different secrets store provider (Vault/Azure/GCP...)? Yes/No
If yes, the issue is likely with the k8s Secrets Store CSI driver, not the AWS provider. Open an issue in that repo.
Expected behavior
ASCP helm chart to create the secretprovidersyncing role and role binding
Environment:
EKS: v1.33
ASCP Helm chart: secrets-store-csi-driver-provider-aws-2.0.
Additional context
I have tried using --set syncSecret.enabled=true for the helm chart, that doesn't work for me.
helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set syncSecret.enabled=true
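Added example, not the reporter's code and not part of the ASCP or secrets-store-csi-driver charts. It shows the two checks a practitioner would run on the report above: turn the driver's "forbidden" log line into the `kubectl auth can-i` call that reproduces the denial for the exact service account the API server named, and render the `secretprovidersyncing-role` ClusterRole plus `secretprovidersyncing-rolebinding` ClusterRoleBinding that the upstream driver chart creates when `syncSecret.enabled=true`, so they can be applied by hand while the chart is missing them. The verb list is assumed from the upstream chart template and should be compared against `helm template ... --set syncSecret.enabled=true` before applying. Two caveats: this role grants the driver's service account create/update/delete on Secrets in every namespace (the driver has to write Secrets wherever a SecretProviderClass lives), which is why upstream gates it behind a flag and why it should not be applied on clusters that do not use `secretObjects`; and since the AWS chart carries the driver as a subchart keyed `secrets-store-csi-driver` (the same key the report uses for `install=false`), a driver value has to be set under that key, i.e. `--set secrets-store-csi-driver.syncSecret.enabled=true` (assumed from Helm's subchart value scoping; whether the 2.0.0 chart then renders the role is not something this example can verify offline). The log line is constructed after the one in the report.

```shell
#!/bin/sh
# Added example, not code from the issue or from the ASCP / CSI-driver projects.
# Parses the driver's "forbidden" log line, builds the kubectl RBAC check that
# confirms it, and renders the syncing ClusterRole/ClusterRoleBinding that the
# upstream driver chart creates when syncSecret.enabled=true. The verbs are an
# assumption taken from that chart; compare with `helm template` before applying.
set -eu

# Constructed sample, shaped like the driver log in the report above.
SAMPLE_LOG='E0823 16:41:14.324730 1 reflector.go:140] "failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:kube-system:secrets-store-csi-driver\" cannot list resource \"secrets\" in API group \"\" at the cluster scope\n"'

# One forbidden line -> the `kubectl auth can-i` command that reproduces it.
# Backslashes are dropped first so both klog-escaped and raw messages parse.
# Only the cluster-scope wording shown in the report is handled.
canicmd_from_log() {
  printf '%s\n' "$1" | tr -d '\\' | sed -n \
    's/.*User "\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)".*/kubectl auth can-i \2 \3 --as=\1/p'
}

# system:serviceaccount:<ns>:<name> -> "<ns> <name>"; other users are rejected.
sa_from_user() {
  case "$1" in
    system:serviceaccount:*:*) printf '%s\n' "$1" | awk -F: '{print $3, $4}' ;;
    *) return 1 ;;
  esac
}

# Cluster-wide create/read/update/delete on Secrets for the driver SA. Broad by
# design (the driver writes Secrets in any namespace with a SecretProviderClass),
# which is why the upstream chart keeps it behind syncSecret.enabled.
render_sync_rbac() {
  sa_name=${1:-secrets-store-csi-driver}
  sa_ns=${2:-kube-system}
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secretprovidersyncing-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: secretprovidersyncing-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secretprovidersyncing-role
subjects:
- kind: ServiceAccount
  name: $sa_name
  namespace: $sa_ns
EOF
}

# Demo on the constructed line: print the check, then the manifest bound to the
# exact service account the API server denied.
check=$(canicmd_from_log "$SAMPLE_LOG")
echo "# 1. confirm the denial against the cluster (expect 'no'):"
echo "$check"
echo "# 2. if 'no' and the ClusterRole is absent, pipe the manifest below into: kubectl apply -f -"
sa_from_user "${check##*--as=}" | {
  read -r ns name
  render_sync_rbac "$name" "$ns"
}
```

Run it as-is to see the check and the manifest; after applying the RBAC, the same `kubectl auth can-i` call should answer `yes`, and `kubectl get clusterrole secretprovidersyncing-role` should succeed. Remove the binding again once the chart is fixed so the driver does not hold two overlapping grants.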