AWS Secrets Manager with EKS
Overview
Store sensitive data in AWS Secrets Manager and read it from EKS pods using IAM Roles for Service Accounts (IRSA), so no static AWS keys are baked into images or Kubernetes Secrets.
Store a Secret
# Create a plain-string secret
aws secretsmanager create-secret \
  --name my-app/db-password \
  --secret-string "supersecretpassword"

# Store a JSON secret (several key/value pairs in one secret)
aws secretsmanager create-secret \
  --name my-app/config \
  --secret-string '{"api_key":"xxx","db_host":"db.example.com"}'

Create IAM Policy
Grant read-only access scoped to the my-app/ prefix; the CSI provider also calls DescribeSecret when it resolves a secret, so both actions are needed:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-west-2:123456789:secret:my-app/*"
    }
  ]
}

Create Service Account with IRSA
# Create the Kubernetes service account and annotate it with the IAM role.
# The role must already trust the cluster's OIDC provider and have the
# policy above attached (or pass --attach-policy-arn and let eksctl create
# the role for you).
eksctl create iamserviceaccount \
  --name my-app \
  --namespace default \
  --cluster my-cluster \
  --attach-role-arn arn:aws:iam::123456789:role/my-app-role \
  --approve

Access Secret from Pod
Using CSI Driver
# Install the Secrets Store CSI driver; enableSecretRotation makes the driver
# re-fetch and rewrite mounted files after a secret rotates
helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver \
  --namespace kube-system \
  --set enableSecretRotation=true
# Install the AWS provider for the driver
helm repo add aws-secrets-manager https://aws.github.io/secrets-store-csi-driver-provider-aws
helm install secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws \
  --namespace kube-system

SecretProviderClass
# Tell the AWS provider which secrets to mount; objectAlias sets the file
# name under the mount path (here /secrets/db-password)
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-app-secrets
spec:
  provider: aws
  parameters:
    region: us-west-2
    objects: |
      - objectName: "arn:aws:secretsmanager:us-west-2:123456789:secret:my-app/db-password"
        objectType: "secretsmanager"
        objectAlias: "db-password"

Use in Pod
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  serviceAccountName: my-app   # the IRSA-annotated service account
  containers:
    - name: app
      image: my-app
      volumeMounts:
        - name: secrets
          mountPath: /secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: my-app-secrets

Secret Rotation
Enable automatic rotation with a Lambda rotation function:
# Enable rotation and schedule it (30 days is an example interval)
aws secretsmanager rotate-secret \
  --secret-id my-app/db-password \
  --rotation-lambda-arn arn:aws:lambda:us-west-2:123456789:function:my-app-rotation \
  --rotation-rules AutomaticallyAfterDays=30
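The application side of the "Access Secret from Pod" and "Secret Rotation" steps, as an added example that is not code from this page, from AWS or from the CSI driver project: it reads the files the driver mounts under /secrets, decodes JSON secrets such as my-app/config, re-reads a file when rotation has rewritten it, and shows the direct SDK path that relies on the IRSA credentials EKS injects. The mount path, file names and sample values are constructed for the demo; fetch_secret_via_irsa needs boto3 and network access and is never called by the offline demo.

```python
"""Consume secrets mounted by the Secrets Store CSI driver and notice rotation.

Added example (not AWS or CSI-driver project code). Assumes the
SecretProviderClass mounts each object as a file under /secrets named by its
objectAlias, with the raw SecretString as content.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, Union

SecretValue = Union[str, Dict[str, str]]


def parse_secret(raw: str) -> SecretValue:
    """Return a dict for JSON-object secrets, otherwise the raw string.

    Secrets Manager stores SecretString verbatim, so a plain password and a
    JSON document both arrive as text; only a JSON object is decoded.
    """
    text = raw.strip()
    if text.startswith("{"):
        try:
            decoded = json.loads(text)
        except json.JSONDecodeError:
            return text  # looked like JSON but was not; treat as opaque
        if isinstance(decoded, dict):
            return decoded
    return text


def load_mounted_secrets(mount_path: str = "/secrets") -> Dict[str, SecretValue]:
    """Load every file in the CSI mount into a dict keyed by file name."""
    secrets: Dict[str, SecretValue] = {}
    for entry in sorted(Path(mount_path).iterdir()):
        if entry.is_file():
            secrets[entry.name] = parse_secret(entry.read_text())
    return secrets


class RotatingSecret:
    """Re-read a mounted secret whenever its on-disk content changes.

    With enableSecretRotation on, the driver rewrites the file after the
    secret rotates, so the value must not be cached for the process lifetime.
    """

    def __init__(self, path: str) -> None:
        self.path = Path(path)
        self._digest = b""
        self._value: SecretValue = ""
        self.refresh()

    def refresh(self) -> bool:
        """Return True if the file content differed from the cached value."""
        raw = self.path.read_bytes()
        digest = hashlib.sha256(raw).digest()
        if digest == self._digest:
            return False
        self._digest = digest
        self._value = parse_secret(raw.decode("utf-8"))
        return True

    @property
    def value(self) -> SecretValue:
        self.refresh()
        return self._value


def fetch_secret_via_irsa(secret_id: str, region: str = "us-west-2") -> SecretValue:
    """Read a secret directly with the SDK using the pod's IRSA credentials.

    No keys are configured: boto3 picks up AWS_ROLE_ARN and
    AWS_WEB_IDENTITY_TOKEN_FILE, which EKS injects for a service account
    annotated with an IAM role. Requires boto3 and network access.
    """
    import boto3  # imported lazily so the file-based helpers work offline

    client = boto3.client("secretsmanager", region_name=region)
    return parse_secret(client.get_secret_value(SecretId=secret_id)["SecretString"])


def demo() -> Dict[str, object]:
    """Offline walk-through on constructed files in a temporary 'mount'."""
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        mount = Path(d)
        # Constructed sample values, written the way the driver would write them.
        (mount / "db-password").write_text("supersecretpassword")
        (mount / "config").write_text('{"api_key":"xxx","db_host":"db.example.com"}')
        loaded = load_mounted_secrets(d)
        watcher = RotatingSecret(str(mount / "db-password"))
        unchanged = watcher.refresh()  # nothing rotated yet -> False
        (mount / "db-password").write_text("rotated-password")  # simulate rotation
        changed = watcher.refresh()  # -> True
        return {
            "db_host": loaded["config"]["db_host"],
            "password_before": loaded["db-password"],
            "unchanged": unchanged,
            "changed": changed,
            "password_after": watcher.value,
        }


if __name__ == "__main__":
    print(demo())
```

RotatingSecret hashes the file rather than trusting mtime because the driver replaces the whole file atomically and a content check is what actually matters to the application; a long-lived database pool should call refresh() before reconnecting after an authentication failure so the new credential is picked up.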