storage/velero/external-secret.yaml

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: velero-s3-credentials
  namespace: velero
spec:
  refreshInterval: 1h

  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore

  target:
    name: velero-s3-credentials
    creationPolicy: Owner
    template:
      type: Opaque
      data:
        cloud: |
          [default]
          aws_access_key_id={{ .minioAccessKey }}
          aws_secret_access_key={{ .minioSecretKey }}

  data:
    - secretKey: minioAccessKey
      remoteRef:
        key: secret/data/minio
        property: accessKey

    - secretKey: minioSecretKey
      remoteRef:
        key: secret/data/minio
        property: secretKey