Please share the steps to integrate AWS Secrets Manager with secrets.yaml file

0

We are running an application in an EKS cluster environment. We have a secrets YAML file which includes DB configuration, Snowflake credentials, etc. We want to move this secrets information to AWS Secrets Manager. Could you please share the steps to implement this?

1 answer
1

Hello there,

You can use the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver [1].

You will need to install the Kubernetes Secrets Store CSI Driver, and then install the ASCP. The ASCP uses IAM roles for service accounts (IRSA), associating an IAM role with a Kubernetes service account to create and manage AWS resources on your behalf [2]. The ASCP retrieves the pod identity and exchanges it for the IAM role. The ASCP assumes the IAM role of the pod, which gives it access to the secrets you authorized. The IAM role must have an IAM policy that includes the secretsmanager:GetSecretValue and secretsmanager:DescribeSecret permissions.

As a prerequisite to enable Kubernetes service accounts to access AWS resources via IRSA, you will need to:

  1. Create an IAM OIDC provider for your cluster – You only need to do this once for a cluster.
  2. Create an IAM role and attach an IAM policy to it with the permissions that your service accounts need – We recommend creating separate roles for each unique collection of permissions that pods need.
  3. Associate an IAM role with a service account – Complete this task for each Kubernetes service account that needs access to AWS resources.
  4. Configure the AWS Security Token Service endpoint type for a service account

Finally, for a tutorial to create and mount a secret in an Amazon EKS pod, refer to [3] and more examples [4].

Lastly, this workshop is a good resource to refer to.

[1] - https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html#integrating_csi_driver_SecretProviderClass
[2] - https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
[3] - https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver_tutorial.html
[4] - https://github.com/aws/secrets-store-csi-driver-provider-aws/tree/main/examples

AWS
Olawale
Answered 1 year ago
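A SecretProviderClass and pod spec for the setup the answer describes, as an added example that is not part of the original answer or of the ASCP project's own examples. The secret name prod/app/config and its JSON keys, the service account app-sa, the IAM role and the account id are assumptions.

```yaml
# IAM policy for the IRSA role bound to the pod's service account (JSON shown
# as a comment; account id and secret name are placeholders). Scope the
# Resource to the secret rather than "*".
#   "Action":   ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
#   "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/app/config-*"
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-secrets                  # hypothetical name
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/app/config"  # Secrets Manager secret holding a JSON document
        objectType: "secretsmanager"
        jmesPath:                       # pick individual keys out of the JSON
          - path: db_password
            objectAlias: DB_PASSWORD    # file name under the mount path
          - path: snowflake_password
            objectAlias: SNOWFLAKE_PASSWORD
  # Optional: mirror the mounted files into a Kubernetes Secret so they can be
  # injected as env vars; needs syncSecret.enabled=true when installing the driver.
  secretObjects:
    - secretName: app-secrets-synced
      type: Opaque
      data:
        - objectName: DB_PASSWORD     # refers to the objectAlias above
          key: DB_PASSWORD
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  serviceAccountName: app-sa         # annotated with eks.amazonaws.com/role-arn: <IRSA role ARN>
  containers:
    - name: app
      image: APP_IMAGE_PLACEHOLDER
      volumeMounts:
        - name: secrets-store          # mounting the volume is what triggers the fetch
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-secrets
```

Once the pod is running, the values appear as files /mnt/secrets/DB_PASSWORD and /mnt/secrets/SNOWFLAKE_PASSWORD, and the synced Kubernetes Secret exists only while a pod mounts the volume.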
