Please share the steps to integrate AWS Secrets Manager with secrets.yaml file


We are running an application in an EKS cluster environment. We have a secrets YAML file which includes DB configuration, Snowflake credentials, etc. We want to move this secrets information to AWS Secrets Manager. Could you please share the steps to implement this?

1 Answer

Hello there,

You can use the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver [1].

You will need to install the Kubernetes Secrets Store CSI Driver, and then install the ASCP. The ASCP uses IAM roles for service accounts (IRSA) by associating an IAM role with a Kubernetes service account to create and manage AWS resources on your behalf [2]. The ASCP retrieves the pod identity and exchanges it for the IAM role. The ASCP assumes the IAM role of the pod, which gives it access to the secrets you authorized. The IAM role must have an IAM policy that includes the secretsmanager:GetSecretValue and secretsmanager:DescribeSecret permissions.

As a prerequisite to enable Kubernetes service accounts to access AWS resources via IRSA, you will need to:

  1. Create an IAM OIDC provider for your cluster – You only need to do this once for a cluster.
  2. Create an IAM role and attach an IAM policy to it with the permissions that your service accounts need – We recommend creating separate roles for each unique collection of permissions that pods need.
  3. Associate an IAM role with a service account – Complete this task for each Kubernetes service account that needs access to AWS resources.
  4. Configure the AWS Security Token Service endpoint type for a service account

Finally, for a tutorial to create and mount a secret in an Amazon EKS pod, refer to [3] and more examples [4].

Lastly, this workshop is a good resource to refer to.

[1] - https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html#integrating_csi_driver_SecretProviderClass
[2] - https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
[3] - https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver_tutorial.html
[4] - https://github.com/aws/secrets-store-csi-driver-provider-aws/tree/main/examples

answered 15 days ago
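As an added example that is not part of the answer above, the three Kubernetes objects the described setup needs: a ServiceAccount annotated with the IRSA role, a SecretProviderClass for the AWS provider that maps one Secrets Manager secret to a file named like the existing secrets.yaml, and a Pod that mounts it read-only through the CSI driver. The namespace, role ARN, secret name and image are placeholders, and the IAM policy attached to the role (GetSecretValue and DescribeSecret) is assumed to be scoped to that one secret's ARN.

```yaml
# Added example: ServiceAccount bound to an IAM role via IRSA, a SecretProviderClass
# for the AWS provider (ASCP), and a Pod mounting the secret as a file.
# Names, account id, role ARN, secret name and image are placeholders (assumed).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: default
  annotations:
    # Role whose policy grants secretsmanager:GetSecretValue and
    # secretsmanager:DescribeSecret on the secret referenced below only.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/app-secrets-role
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-db-secrets
  namespace: default
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/app/db-config"   # Secrets Manager secret name (assumed)
        objectType: "secretsmanager"
        objectAlias: "secrets.yaml"        # file name the app already expects
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: default
spec:
  serviceAccountName: app-sa              # identity the ASCP exchanges for the role
  containers:
    - name: app
      image: busybox:stable               # placeholder for the application image
      # The application reads /mnt/secrets/secrets.yaml; nothing is logged here.
      command: ["sh", "-c", "sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-db-secrets
```

The secret file is mounted as a tmpfs volume, so the credentials never land in a Kubernetes Secret object or in etcd unless you explicitly opt in to syncing.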
