Hi Victor,
We were able to reproduce the scenario you suggested successfully.
Additionally, we tried a new approach using AWS Parameter Store instead of S3. In this case, we replaced the "eval" line in secrets-entrypoint.sh with:
eval "$(aws --region "$AWS_REGION" ssm get-parameters-by-path --path "$PARAM_ROOT" | jq -r '.Parameters | map("export " + (.Name | split("/") | .[-1]) + "=" + (.Value | @sh)) | .[]')"
and instead of "SECRETS_BUCKET_NAME" we passed a "PARAM_ROOT" variable containing the path prefix used in Parameter Store variables to group the desired secret variables.
Parameter Store variables should be in the form "/PARAM_ROOT/VARIABLE_NAME", such as "/prod/SSG_ADMIN_PASSWORD". The above command will retrieve and parse a JSON document containing all variables containing the "/PARAM_ROOT/" path.
In the Dockerfile, together with the AWS CLI we added the code to install the additional "jq" and "oniguruma" (for jq regex support) dependencies.
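
An alternative to the eval/jq line above, as an added example that is not part of the original post or of the project's scripts: it asks the AWS CLI for tab-separated text output, validates each variable name and exports it without eval, so a parameter value is never parsed as shell code and jq is not needed. The function name load_params and the sample rows are assumptions made for illustration; it handles single-line values only.

```shell
#!/bin/sh
# Added example (not from the original post). Feed it rows produced by, e.g.:
#   rows=$(aws --region "$AWS_REGION" ssm get-parameters-by-path \
#            --path "$PARAM_ROOT" --query 'Parameters[].[Name,Value]' --output text)
# Add --with-decryption if the parameters are stored as SecureString.
# Assumption: values are single-line; the first tab on a row separates name and value.

# load_params (hypothetical name): read "Name<TAB>Value" rows on stdin and
# export each one under the last segment of its path, without eval.
load_params() {
    lp_tab=$(printf '\t')
    while IFS= read -r lp_line || [ -n "$lp_line" ]; do
        case $lp_line in
            *"$lp_tab"*) ;;
            *) echo "load_params: skipping row without a value" >&2; continue ;;
        esac
        lp_name=${lp_line%%"$lp_tab"*}   # full parameter path
        lp_value=${lp_line#*"$lp_tab"}   # everything after the first tab
        lp_name=${lp_name##*/}           # "/prod/SSG_ADMIN_PASSWORD" -> "SSG_ADMIN_PASSWORD"
        case $lp_name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "load_params: skipping invalid name '$lp_name'" >&2; continue ;;
        esac
        # The value is passed as data; it is never re-parsed by the shell.
        export "$lp_name=$lp_value"
    done
    unset lp_tab lp_line lp_name lp_value
}

# Constructed sample rows (not real parameters): one value containing a space
# and a command substitution, and one name that is not a valid identifier.
sample_rows=$(printf '%s\t%s\n' \
    '/prod/SSG_ADMIN_PASSWORD' 'pa ss$(id)word' \
    '/prod/bad-name' 'ignored')

# A here-document keeps the loop in the current shell, so the exports persist
# (piping into load_params would run it in a subshell in most shells).
load_params <<EOF
$sample_rows
EOF

echo "loaded: ${SSG_ADMIN_PASSWORD:+SSG_ADMIN_PASSWORD}"
```

In secrets-entrypoint.sh the here-document would be fed from the `rows` variable shown in the header comment instead of the sample.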