2 min read | by Jordi Prats
In the AWS Secrets Manager documentation we can find how AWS recommends integrating it with AWS EKS using ASCP (the AWS Secrets and Configuration Provider) together with the Secrets Store CSI Driver.
Its installation is quite straightforward; we just need to follow the documentation to have it ready. To test it, we are going to create a secret in AWS Secrets Manager using the AWS CLI:
aws secretsmanager create-secret --name example_rds_password --secret-string "1234"
Once the secret is in place, we will have to create a SecretProviderClass to tell the controller which secret to fetch:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: example-rds-password
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "example_rds_password"
        objectType: "secretsmanager"
On the object that will consume this secret (a Deployment, StatefulSet, Pod, ...) we just need to reference it as a volume:
volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: example-rds-password
In the Pod, if the ServiceAccount has an IRSA role that allows access to the secret (or the entire cluster is allowed to access it), we will be able to find the secret as a file under the volume's mount path:
$ cd /mnt
$ ls
secrets-store
$ cd secrets-store
$ ls
example_rds_password
$ cat example_rds_password
1234
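The post does not show the Pod side in full, so here is an added example (not from the original post) tying the pieces together: a ServiceAccount annotated with an IRSA role, and a Pod that uses it and mounts the SecretProviderClass above at /mnt/secrets-store. The account id 123456789012, the role name eks-secrets-reader and the busybox image are placeholders chosen for this example.

```yaml
# Added example, not from the original post. The IRSA role ARN below is a
# placeholder: the role must trust the cluster's OIDC provider and its policy
# should only grant secretsmanager:GetSecretValue and secretsmanager:DescribeSecret
# on the ARN of example_rds_password, not on every secret in the account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rds-client
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eks-secrets-reader
---
apiVersion: v1
kind: Pod
metadata:
  name: rds-client
  namespace: default
spec:
  serviceAccountName: rds-client     # this is what binds the IRSA role to the Pod
  containers:
    - name: app
      image: busybox:1.36            # placeholder image for the demonstration
      command: ["sh", "-c", "cat /mnt/secrets-store/example_rds_password; sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store   # the path walked in the session above
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: example-rds-password   # the SecretProviderClass above
```

If the role lacks permission on that specific secret, the Pod stays in ContainerCreating and `kubectl describe pod rds-client` shows the mount error from the CSI driver, which is the first place to look when the file does not appear.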
We can also use this to retrieve settings from the Parameter Store (Systems Manager) by setting objectType to ssmparameter:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: example-ssm-example
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "another_example"
        objectType: "ssmparameter"
Posted on 11/11/2021