Managing secrets and environment variables in Amazon EKS (Elastic Kubernetes Service) with AWS Systems Manager (SSM) Parameter Store means keeping sensitive configuration out of the container image and the Kubernetes manifests, and retrieving it at deploy time or at run time instead of hardcoding it in the application.
Steps to Manage Secrets & Env Variables in EKS Using SSM Parameter Store
1. Store Secrets in AWS SSM Parameter Store
SSM Parameter Store supports three parameter types:
- String (plaintext key-value pair)
- StringList (plaintext, comma-separated list of values)
- SecureString (encrypted at rest with AWS KMS; the only type appropriate for secrets)
Create a Secret in SSM Parameter Store
aws ssm put-parameter \
--name "/my-app/database-password" \
--value "SuperSecretPassword123" \
--type "SecureString"
This stores the secret encrypted with the AWS managed key for Parameter Store (alias/aws/ssm) in your account; pass --key-id to encrypt with a customer managed KMS key instead. Note that a value given on the command line ends up in shell history and is visible in the process list while the command runs; for real secrets read it from a file with --value file://path-to-secret (and delete the file afterwards) rather than typing it inline.
2. Grant IAM Permissions to Access SSM Parameter Store
Whichever identity calls Parameter Store needs permission on the parameter path: the Pod's IAM role if the application fetches parameters itself (Option 1 below), or the CI/operator identity that creates the Kubernetes Secret (Option 2 and the External Secrets Operator in step 4). Prefer a per-Pod role via IAM Roles for Service Accounts (IRSA) or EKS Pod Identity over the worker node instance role: a node role is shared by every Pod scheduled on that node, so it grants the parameters to workloads that should never see them.
Attach the following IAM policy to that role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/my-app/*"
    }
  ]
}
Replace:
- us-east-1 with your AWS region
- 123456789012 with your AWS account ID
- my-app/* with the parameter path you are using
The policy scopes access to one path prefix; do not widen the Resource to "*". If the SecureString parameter is encrypted with a customer managed KMS key, the same role also needs kms:Decrypt on that key; the default AWS managed key (aws/ssm) does not require an extra KMS statement.
3. Deploy a Pod in EKS to Use SSM Parameters
You can make parameters available to your Kubernetes Pods in two ways:
- Fetch them at runtime with the AWS SDK inside the application
- Inject them as environment variables from a Kubernetes Secret (created from SSM by a script, or kept in sync by the External Secrets Operator shown in step 4)
Option 1: Fetch Parameter Using AWS SDK
Modify your application code to fetch the secret at startup:
import boto3

# Credentials come from the Pod's service account (IRSA or Pod Identity);
# region_name can be omitted when AWS_REGION is set in the Pod environment.
ssm = boto3.client("ssm", region_name="us-east-1")

# WithDecryption=True is required for SecureString parameters; without it the
# call returns the KMS ciphertext instead of the plaintext value.
response = ssm.get_parameter(Name="/my-app/database-password", WithDecryption=True)
db_password = response["Parameter"]["Value"]

# Hand db_password to your database client. Never print or log it.
Ensure the IAM role attached to the Pod (through its service account) has ssm:GetParameter permission on this parameter.
Option 2: Inject as Kubernetes Secrets (Recommended)
Instead of fetching secrets in code, create a Kubernetes Secret from the parameter and let Kubernetes inject it; the application then stays free of AWS-specific code and the Pod needs no AWS permissions.
Step 1: Fetch Secret from SSM and Create a Kubernetes Secret
Run the following from a machine or CI job whose AWS identity carries the policy from step 2:
kubectl create secret generic db-secret \
--from-literal=db_password="$(aws ssm get-parameter --name "/my-app/database-password" --with-decryption --query "Parameter.Value" --output text)"
Two caveats: kubectl create fails if db-secret already exists, so this is a one-off bootstrap rather than a sync; and the plaintext value is passed as a kubectl argument, so it is briefly visible in the process list on the machine running the command.
Step 2: Use the Secret in a Kubernetes Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app-container
          image: my-app-image
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: db_password
The application inside the container reads the secret from the DB_PASSWORD environment variable. Environment variables are read once, when the container starts, so a Pod keeps the old value after the Secret changes until it is restarted. Also remember that a Kubernetes Secret is only base64-encoded, not encrypted: restrict who can read Secrets with RBAC and make sure the cluster encrypts Secrets at rest.
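The two options above can be combined into one repeatable sync. The following Python script is an added example, not code from the original page: it reads every parameter under a path with the SDK call that pages through GetParametersByPath (the single get_parameter call in Option 1 does not need paging), and renders the Kubernetes Secret manifest that kubectl apply -f - would take on stdin, so the sync is idempotent and no plaintext appears on a command line. It also stamps the Secret with a content hash that a Deployment can copy into its pod-template annotations to roll Pods when a value changes. A constructed in-memory stand-in for the boto3 SSM client (FakeSsmClient) and constructed sample parameters are included so it runs offline; in production pass boto3.client("ssm") to build_manifest instead. The ssm.example/... annotation names are assumptions.

```python
"""Render a Kubernetes Secret manifest from every SSM parameter under a path.

Added example (not from the original page). Works with a real boto3 SSM client
or with the constructed FakeSsmClient below, which mimics the paging and
WithDecryption behaviour of GetParametersByPath so the script runs offline.
"""
import base64
import hashlib
import json
import sys


def fetch_parameters_by_path(ssm, path):
    """Return {parameter_name: plaintext_value} for everything under `path`.

    GetParametersByPath returns at most 10 parameters per call and continues
    with NextToken; SecureString values are returned decrypted only when
    WithDecryption=True (otherwise the API returns the KMS ciphertext blob).
    """
    params = {}
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp.get("Parameters", []):
            params[p["Name"]] = p["Value"]
        if not resp.get("NextToken"):
            return params
        kwargs["NextToken"] = resp["NextToken"]


def env_key(name, path):
    """Map '/my-app/cache/redis-url' under '/my-app' to 'CACHE_REDIS_URL'.

    Keys are shaped as environment variable names so the Secret can be consumed
    with envFrom.secretRef as well as with individual secretKeyRef entries.
    """
    rel = name[len(path.rstrip("/")):].strip("/")
    return rel.upper().replace("-", "_").replace("/", "_")


def render_secret(secret_name, namespace, path, params):
    """Build the Secret manifest as a dict; json.dumps it for `kubectl apply -f -`."""
    data = {env_key(n, path): base64.b64encode(v.encode()).decode()
            for n, v in sorted(params.items())}
    # Content hash: copy it into the Deployment's pod-template annotations to
    # force a rollout whenever any value changes (env vars are read only at
    # container start). base64 is encoding, not encryption, so the rendered
    # manifest is itself sensitive.
    digest = hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": secret_name,
            "namespace": namespace,
            "annotations": {  # assumed annotation names
                "ssm.example/source-path": path,
                "ssm.example/content-sha256": digest,
            },
        },
        "type": "Opaque",
        "data": data,
    }


class FakeSsmClient:
    """Constructed stand-in for boto3.client('ssm'); offline use only.

    Pages one parameter per call to exercise the NextToken loop, and returns a
    placeholder ciphertext for SecureString values when WithDecryption is
    false, which is what the real API does.
    """

    def __init__(self, store):
        self._store = store  # {name: (type, value)}

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False,
                               NextToken=None, MaxResults=10):
        prefix = Path.rstrip("/") + "/"
        names = sorted(n for n in self._store if n.startswith(prefix))
        start = int(NextToken or 0)
        out = []
        for n in names[start:start + 1]:
            ptype, value = self._store[n]
            if ptype == "SecureString" and not WithDecryption:
                value = "AQICAHj...<kms-ciphertext>"  # placeholder ciphertext
            out.append({"Name": n, "Type": ptype, "Value": value})
        resp = {"Parameters": out}
        if start + 1 < len(names):
            resp["NextToken"] = str(start + 1)
        return resp


# Constructed sample data; not real credentials.
SAMPLE_STORE = {
    "/my-app/database-password": ("SecureString", "SuperSecretPassword123"),
    "/my-app/database-host": ("String", "db.internal.example"),
    "/my-app/cache/redis-url": ("SecureString", "redis://:pw@cache:6379/0"),
    "/other-app/token": ("SecureString", "belongs-to-another-app"),
}


def build_manifest(ssm, path="/my-app", secret_name="db-secret", namespace="default"):
    return render_secret(secret_name, namespace, path, fetch_parameters_by_path(ssm, path))


if __name__ == "__main__":
    # Real use: build_manifest(boto3.client("ssm")) and pipe stdout into
    # `kubectl apply -f -`, which is idempotent unlike `kubectl create secret`.
    json.dump(build_manifest(FakeSsmClient(SAMPLE_STORE)), sys.stdout, indent=2)
    sys.stdout.write("\n")
```

Because every key is a valid environment variable name, the Deployment can load the whole Secret with envFrom.secretRef instead of listing each key under secretKeyRef; the content-hash annotation is what makes a re-run of the sync trigger a new ReplicaSet when a parameter value changed.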
4. Automate Secret Injection using External Secrets Operator
For dynamic secret management, use the External Secrets Operator (ESO), which runs in the cluster and keeps Kubernetes Secrets in sync with AWS SSM Parameter Store. Only the operator's own service account needs the IAM policy from step 2 (through IRSA or Pod Identity); the application Pods need no AWS access at all.
Install the External Secrets Operator
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
--namespace external-secrets --create-namespace
Create an ExternalSecret Resource. It refers to a ClusterSecretStore named aws-ssm (not shown here) whose provider is aws with service ParameterStore and the region of your parameters; when no explicit auth is configured in the store, the operator uses the credentials of its own service account.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-secret
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: aws-ssm
    kind: ClusterSecretStore
  target:
    name: db-secret
    creationPolicy: Owner
  data:
    - secretKey: db_password
      remoteRef:
        key: /my-app/database-password
With this in place the operator re-reads the parameter every refreshInterval and rewrites db-secret whenever the value in SSM changes, so the Deployment from step 3 needs no modification. As with any Secret consumed through env, running Pods keep the old value until they are restarted (a rollout restart, or a controller that restarts Pods on Secret changes), so refreshInterval is a bound on staleness, not a live update.
Conclusion
✅ AWS SSM Parameter Store provides a secure way to store secrets.
✅ Use IAM roles to control access to parameters.
✅ Fetch parameters using AWS SDK or inject them as Kubernetes Secrets.
✅ Use External Secrets Operator for automated sync between SSM and Kubernetes.