AWS Secrets and Configuration Provider

2 min read

On the AWS Secrets Manager documentation we can find how AWS recommends to integrate it with AWS EKS using ASCP and a Secrets Store CSI Driver

It's installation it's quite straightforward,. we just need to follow the documentation to have it ready. To test it we are going to create a secret on the AWS Secrets Manager using the AWS-CLI:

aws secretsmanager create-secret --name example_rds_password --secret-string "1234"

Once the secret is in place, we will have to create a SecretProviderClass to tell the controller to identify the secret:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: example-rds-password
spec:
  provider: aws
  parameters:
    objects: |
        - objectName: "example_rds_password"
          objectType: "secretsmanager"

On the the object that will consume this secret (a Deployment, StatefulSet, Pod...) we just need to reference it as a volume:

      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: example-rds-password

On the Pod, if the ServiceAccount has a IRSA role that allows access to the secret (or the entire cluster is allowed to access it) we will be able to find the secret as a file:

$ cd /mnt
$ ls
secrets-store
$ cd secrets-store
$ ls
example_rds_password
$ cat example_rds_password
1234

We can also use this to retrieve settings from the Parameter Store (Systems Manager) by setting the objectType to ssmparameter:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: example-ssm-example
spec:
  provider: aws
  parameters:
    objects: |
        - objectName: "another_example"
          objectType: "ssmparameter"

Posted on 11/11/2021