What is the best way to integrate AWS Secrets Manager with EKS?


I've seen the following solutions, but they don't seem that great to me:

1 Native integration with the CSI driver (complex to install; you can inject all values in one environment variable using a local disk, but you need to parse the variables when you docker run) https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/

2 Execute a script at docker run, get the variables, parse them and export them (easy to use, not elegant)

# Fetch the secret's SecretString (a JSON object of key/value pairs); needs the AWS CLI and jq in the image
ENV_VAR=$(aws secretsmanager get-secret-value --secret-id "$VARIABLE_ID" --region us-west-2 | jq --raw-output '.SecretString')
# Parse ENV_VAR: turn each top-level key into a shell-quoted export statement
# and evaluate them so the variables are exported in the current shell
eval "$(printf '%s' "$ENV_VAR" | jq --raw-output 'to_entries[] | "export \(.key)=\(.value | tostring | @sh)"')"

3 Integrate AWS Secrets Manager with the framework, for example with Rails (easy to use, somewhat elegant, but it is at the code level) https://anonoz.github.io/tech/2018/12/29/aws-secrets-in-rails.html

What do you recommend to carry out this integration and why? Do you know another more elegant and easy way?

1 Answer
Accepted Answer

The ASCP CSI Driver is the secure and supported way to pull secrets into your pod. If you treat your secrets as JSON they can be placed on disk in the container and parsed by your application code at startup. If you're just using Docker run, as you mentioned, locally for development you could volume mount a similar file into place from your local disk. This way the application code works the same way in either case.

If you already have OIDC integrated, then you only need to install the driver and configure it, which may only be a two step process if you're using helm. https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html

Hope that helps! -Ray

AWS
Ray K
answered 2 years ago
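Added example, not part of Ray's answer and not AWS code: a small Python loader that reads a Secrets Manager secret the ASCP/CSI driver has written to disk as JSON, validates it once at startup, and runs unchanged when a local file is volume-mounted with docker run for development, which is the "same code path in either case" approach the answer describes. The mount directory /mnt/secrets-store, the secret name db-credentials, the JSON keys, and the sample values are all assumptions.

```python
"""Startup loader for a Secrets Manager secret mounted as a JSON file.

In the pod the Secrets Store CSI driver (with the ASCP provider) writes the
secret to the mount directory; locally, `docker run -v ./dev-secrets:/mnt/secrets-store:ro`
mounts a file of the same name and shape. Paths and names below are assumptions.
"""
import json
import os
import stat
import tempfile

# Assumed mount path used in the pod's volumeMounts and in the local docker run -v flag.
DEFAULT_MOUNT_DIR = "/mnt/secrets-store"
# Assumed secret name and the keys the application requires from it.
DB_SECRET_NAME = "db-credentials"
DB_REQUIRED_KEYS = ("username", "password", "host", "port")


def check_secret(raw, required_keys):
    """Return a list of problems with the raw secret text; an empty list means it is usable."""
    problems = []
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["expected a JSON object of key/value pairs"]
    for key in required_keys:
        if key not in data:
            problems.append(f"missing key {key!r}")
        elif not isinstance(data[key], str) or data[key] == "":
            problems.append(f"key {key!r} must be a non-empty string")
    return problems


def parse_secret_json(raw, required_keys):
    """Parse the secret text and return only the required keys, or raise ValueError."""
    problems = check_secret(raw, required_keys)
    if problems:
        raise ValueError("; ".join(problems))
    data = json.loads(raw)
    return {key: data[key] for key in required_keys}


def secret_file_is_private(path):
    """True when the file is unreadable by group and other (sanity check for local dev copies)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_secret_file(path, required_keys):
    """Read a mounted secret file and validate it; fails at startup rather than on first use."""
    with open(path, "r", encoding="utf-8") as fh:
        raw = fh.read()
    try:
        return parse_secret_json(raw, required_keys)
    except ValueError as exc:
        raise ValueError(f"{path}: {exc}") from None


def load_db_credentials(mount_dir=DEFAULT_MOUNT_DIR):
    """Load the assumed db-credentials secret from the mount directory."""
    return load_secret_file(os.path.join(mount_dir, DB_SECRET_NAME), DB_REQUIRED_KEYS)


def write_dev_secret(dest_dir):
    """Write a constructed sample secret (dev-only values) with mode 0600 for local docker run use."""
    path = os.path.join(dest_dir, DB_SECRET_NAME)
    sample = {"username": "app", "password": "local-dev-only", "host": "localhost", "port": "5432"}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    return path


def demo_local_dev():
    """Simulate the local mount in a temporary directory and return what the app would load."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_dev_secret(tmp)
        if not secret_file_is_private(path):
            raise RuntimeError(f"{path} is readable by other users")
        return load_db_credentials(tmp)


if __name__ == "__main__":
    creds = demo_local_dev()
    print({k: ("***" if k == "password" else v) for k, v in creds.items()})
```

The loader never copies values into os.environ, so the secret is not inherited by child processes or visible through the container's process environment; callers receive a dict and pass what they need to the database client directly.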
