2 min read | by Jordi Prats
In the AWS Secrets Manager documentation we can find how AWS recommends integrating it with Amazon EKS: the AWS Secrets and Configuration Provider (ASCP) together with the Secrets Store CSI Driver.
Its installation is quite straightforward: we just need to follow the documentation to have it ready. To test it we are going to create a secret in AWS Secrets Manager using the AWS CLI:
aws secretsmanager create-secret --name example_rds_password --secret-string "1234"
Once the secret is in place, we have to create a SecretProviderClass that tells the provider which secret to fetch:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: example-rds-password
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "example_rds_password"
        objectType: "secretsmanager"
In the object that will consume this secret (a Deployment, StatefulSet, Pod, ...) we just need to reference it as a volume:
volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: example-rds-password
Inside the Pod, if the ServiceAccount has an IRSA role that allows access to the secret (or the entire cluster is allowed to access it), we will find the secret as a file under the volume's mount path:
$ cd /mnt
$ ls
secrets-store
$ cd secrets-store
$ ls
example_rds_password
$ cat example_rds_password
1234
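To show how the pieces above fit together in one place, here is a complete minimal manifest, added as an example and not taken from the original post: a ServiceAccount annotated with an IRSA role, and a Pod that uses it and mounts the example-rds-password SecretProviderClass at /mnt/secrets-store, which is where the file listing above comes from. The names example-app, the account ID 111122223333, the role name and the busybox image are placeholders; the role behind the ARN only needs secretsmanager:GetSecretValue and secretsmanager:DescribeSecret on this one secret.

```yaml
# Added example (not from the original post): ServiceAccount with an IRSA role plus a
# Pod that mounts the SecretProviderClass defined above at /mnt/secrets-store.
# "example-app", account ID 111122223333, the role name and the image are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-app
  annotations:
    # IRSA: scope this role to secretsmanager:GetSecretValue and
    # secretsmanager:DescribeSecret on the example_rds_password secret only
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/EXAMPLE_SECRETS_READER_PLACEHOLDER
---
apiVersion: v1
kind: Pod
metadata:
  name: example-app
spec:
  # Identity the CSI provider assumes when it calls Secrets Manager for this Pod
  serviceAccountName: example-app
  containers:
    - name: app
      image: busybox:1.36   # placeholder image; any image that can read a file will do
      command: ["sleep", "3600"]
      volumeMounts:
        # The secret appears as /mnt/secrets-store/example_rds_password
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: example-rds-password
```

After `kubectl apply -f` on this file, `kubectl exec example-app -- cat /mnt/secrets-store/example_rds_password` returns the value created with the AWS CLI. The CSI driver backs the volume with tmpfs on the node and, unless you opt into syncing to a Kubernetes Secret, the value is never written to etcd, which is the main reason to prefer this mount over copying the secret into a regular Secret object.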
We can also use this to retrieve settings from AWS Systems Manager Parameter Store by setting the objectType to ssmparameter:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: example-ssm-example
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "another_example"
        objectType: "ssmparameter"
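A single SecretProviderClass can list several objects of both types and control the file names they get, which keeps the application's mount tidy and avoids exposing more of a secret than the process needs. The following manifest is an added example, not code from the original post: it mounts the Secrets Manager secret and the SSM parameter from above side by side, pins the secret to its AWSCURRENT version, and uses ASCP's jmesPath option to expose individual fields of a JSON-formatted secret as their own files. The secret name example_rds_credentials, the aliases and the field names are assumptions for illustration; the IRSA role additionally needs ssm:GetParameters on the parameter's ARN.

```yaml
# Added example (not from the original post): one SecretProviderClass that mounts a
# Secrets Manager secret and an SSM parameter together and splits a JSON secret into
# per-field files. "example_rds_credentials", the aliases and field names are assumed.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: example-mixed
spec:
  provider: aws
  parameters:
    objects: |
      # Plain string secret, mounted under a friendlier file name than its AWS name
      # and pinned to the version that Secrets Manager currently labels AWSCURRENT
      - objectName: "example_rds_password"
        objectType: "secretsmanager"
        objectAlias: "rds-password"
        objectVersionLabel: "AWSCURRENT"
      # JSON secret such as {"username":"app","password":"..."}: besides the whole
      # document, each selected field is additionally mounted as its own file
      - objectName: "example_rds_credentials"
        objectType: "secretsmanager"
        jmesPath:
          - path: "username"
            objectAlias: "rds-username"
          - path: "password"
            objectAlias: "rds-json-password"
      # Parameter Store value in the same mount, selected by objectType
      - objectName: "another_example"
        objectType: "ssmparameter"
        objectAlias: "feature-flag"
```

With this class referenced from the Pod's volume, the mount contains rds-password, example_rds_credentials, rds-username, rds-json-password and feature-flag. Keeping the IAM policy limited to exactly these ARNs means a compromised Pod can read only the objects listed here, not every secret in the account.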
Posted on 11/11/2021