What is the best way to integrate AWS Secret Manager with EKS?
I've seen the following solutions, but they don't seem that great to me:
1 Native integration with the CSI driver (Complex to install, and you can inject all values in one environment variable using a local disk, but you need to parse the variables when you docker run) https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/
2 Execute a script when you docker run, get the variables, parse and export them (Easy to use, not elegant)
ENV_VAR=$(aws secretsmanager get-secret-value --secret-id "$VARIABLE_ID" --region us-west-2 | jq --raw-output '.SecretString')
# parse ENV_VAR with code in this line
# export variables
3 Integrate AWS Secrets Manager with the framework, for example with Rails (Easy to use, somewhat elegant, but it is at the code level) https://anonoz.github.io/tech/2018/12/29/aws-secrets-in-rails.html
What do you recommend to carry out this integration and why? Do you know another more elegant and easy way?
The ASCP CSI driver is the secure and supported way to pull secrets into your pod. If you treat your secrets as JSON, they can be placed on disk in the container and parsed by your application code at startup. If you're just using docker run locally for development, as you mentioned, you could volume-mount a similar file into place from your local disk. This way the application code works the same way in either case.
If you already have OIDC integrated, then you only need to install the driver and configure it, which may only be a two-step process if you're using Helm. https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
Hope that helps! -Ray
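The application-side half of the answer above, as an added example that is not part of the original thread: a loader that reads the JSON secret file the ASCP CSI driver writes under the pod's volume mount, and for local docker run reads a bind-mounted file of the same shape from the same path, so the code is identical in both cases. The mount directory (/mnt/secrets-store), the object name (app-config), the environment variable names and the required keys are assumptions for illustration; in a real deployment they must match the pod's volumeMount and the objectName in the SecretProviderClass.

```python
# Added example (not from the original post): application-side loader for a
# Secrets Manager secret that the ASCP CSI driver (in EKS) or a local bind
# mount (under `docker run -v`) has placed on disk as a JSON file.
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed values: the mount path must match the pod's volumeMount and the
# file name must match the objectName in the SecretProviderClass.
DEFAULT_MOUNT_DIR = "/mnt/secrets-store"
DEFAULT_OBJECT_NAME = "app-config"


class SecretLoadError(RuntimeError):
    """Raised when the mounted secret is missing, malformed or incomplete."""


def load_secret_file(path, required_keys=()):
    """Parse a JSON secret file into a dict and check that required keys exist.

    Error messages name the file and the missing keys but never echo secret
    values, so they can be logged safely.
    """
    path = Path(path)
    try:
        raw = path.read_text(encoding="utf-8")
    except FileNotFoundError:
        raise SecretLoadError(f"secret file not found: {path}") from None
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise SecretLoadError(f"{path} is not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise SecretLoadError(f"{path} must contain a JSON object")
    missing = sorted(k for k in required_keys if k not in data)
    if missing:
        raise SecretLoadError(f"{path.name} is missing keys: {', '.join(missing)}")
    return data


def load_app_secrets(required_keys=("DB_USER", "DB_PASSWORD")):
    """Resolve the mount location (assumed env var names) and load the secret."""
    mount_dir = os.environ.get("SECRETS_MOUNT_DIR", DEFAULT_MOUNT_DIR)
    name = os.environ.get("SECRET_OBJECT_NAME", DEFAULT_OBJECT_NAME)
    return load_secret_file(Path(mount_dir) / name, required_keys)


def write_local_secret_file(path, values):
    """Write the local-development stand-in for the CSI-mounted file.

    Owner-only permissions, so the file is not world-readable on the
    developer's disk before it is bind-mounted into the container.
    """
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(values), encoding="utf-8")
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return path


def roundtrip_example():
    """Write a constructed sample secret, load it back, and exercise the
    missing-key failure path. Returns (loaded dict, file mode, error text)."""
    sample = {"DB_USER": "app", "DB_PASSWORD": "example-not-real"}  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = write_local_secret_file(Path(tmp) / DEFAULT_OBJECT_NAME, sample)
        loaded = load_secret_file(secret_path, required_keys=("DB_USER", "DB_PASSWORD"))
        mode = stat.S_IMODE(secret_path.stat().st_mode)
        try:
            load_secret_file(secret_path, required_keys=("DB_USER", "API_KEY"))
            missing_error = None
        except SecretLoadError as exc:
            missing_error = str(exc)
    return loaded, mode, missing_error


if __name__ == "__main__":
    loaded, mode, err = roundtrip_example()
    print("loaded keys:", sorted(loaded), "mode:", oct(mode))
    print("missing-key error:", err)
```

In the pod, load_app_secrets() is called once at startup with the keys the service actually needs, so a misconfigured SecretProviderClass fails fast with a message that names the missing key rather than surfacing later as a confusing connection error; locally, write_local_secret_file() produces the file that docker run bind-mounts to the same path.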