EKS - Secrets Manager

To store secrets in AWS Secrets Manager and use them in an Amazon EKS cluster, follow these steps:


Step 1: Store the Secret in AWS Secrets Manager

First, save a secret in AWS Secrets Manager.

Run this command to create a secret. For a real password, pass the value from a file (--secret-string file://secret.json) instead of inline, so it does not end up in your shell history:

aws secretsmanager create-secret --name my-database-secret \
  --secret-string '{"username":"admin","password":"mysecurepassword"}'

Alternatively, you can do this via the AWS Console:

  1. Go to AWS Secrets Manager.

  2. Click Store a new secret.

  3. Select Other type of secret.

  4. Add key-value pairs like:

    • username = admin

    • password = mysecurepassword

  5. Click Next and name the secret (e.g., my-database-secret).

  6. Store the secret.


Step 2: Grant EKS Access to AWS Secrets Manager

To allow your EKS pods to retrieve the secret, you need an IAM role that only those pods can assume and that is allowed to read that one secret.

1️⃣ Create an IAM Policy for Secrets Manager

Create a policy that grants read access to that one secret. Replace the region and account ID with your own; the trailing -* is required because Secrets Manager appends a random six-character suffix to every secret's ARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-database-secret-*"
        }
    ]
}

Save this as secrets-policy.json, then create the policy:

aws iam create-policy --policy-name SecretsManagerAccess \
  --policy-document file://secrets-policy.json

2️⃣ Attach the Policy to an IAM Role for EKS

Use IAM Roles for Service Accounts (IRSA): a Kubernetes service account assumes an IAM role through the cluster's OIDC provider, so pods receive short-lived credentials and no access keys are stored anywhere.

a) Create an OIDC Provider for EKS (if not already set up)

eksctl utils associate-iam-oidc-provider --region us-east-1 --cluster my-cluster --approve

b) Create an IAM Role for the EKS Service Account

eksctl create iamserviceaccount \
  --name secrets-reader \
  --namespace default \
  --cluster my-cluster \
  --role-name SecretsReaderRole \
  --attach-policy-arn arn:aws:iam::123456789012:policy/SecretsManagerAccess \
  --approve

This one command creates the IAM role (named SecretsReaderRole here; without --role-name eksctl generates a long name) with a trust policy that only allows the secrets-reader service account in the default namespace to assume it, and also creates that Kubernetes service account, annotated with the role's ARN.
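
The trust policy is what keeps other pods from borrowing this role, so it is worth checking after eksctl (or anyone else) has created it. The following Python script is an added example, not code from the page or from eksctl: it takes the role's AssumeRolePolicyDocument (what `aws iam get-role --query Role.AssumeRolePolicyDocument` prints) and reports anything that is not a single Allow for sts:AssumeRoleWithWebIdentity from this cluster's OIDC provider, pinned with StringEquals to the expected `:sub` and `:aud`. The OIDC provider ID, account ID and the two sample documents are constructed placeholders.

```python
"""Verify that an IRSA role's trust policy is pinned to one service account.

Added example, not code from the original page or from eksctl. It checks the
role's AssumeRolePolicyDocument against what eksctl is expected to produce for
`--name secrets-reader --namespace default`. The OIDC provider ID, account ID
and sample documents below are constructed placeholders.
"""
import json
import sys

# Constructed values: substitute your cluster's OIDC issuer host (output of
# `aws eks describe-cluster --query cluster.identity.oidc.issuer`, minus https://).
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "123456789012"
EXPECTED_SUB = "system:serviceaccount:default:secrets-reader"


def check_irsa_trust_policy(doc, oidc_host=OIDC_HOST, account_id=ACCOUNT_ID,
                            expected_sub=EXPECTED_SUB):
    """Return a list of findings; an empty list means the role is scoped as intended."""
    findings = []
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_host}"
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        return ["no Allow statements found"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            # Any other Allow (e.g. sts:AssumeRole for an IAM user) lets something
            # that is not this pod use the role's permissions.
            findings.append(f"statement {i}: unexpected Allow for {actions}")
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated != provider_arn:
            findings.append(f"statement {i}: Federated principal {federated!r} is not this cluster's OIDC provider")
        condition = stmt.get("Condition", {})
        equals = condition.get("StringEquals", {})
        if equals.get(f"{oidc_host}:sub") != expected_sub:
            findings.append(f"statement {i}: :sub is not pinned to {expected_sub}")
        if equals.get(f"{oidc_host}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: :aud is not pinned to sts.amazonaws.com")
        if "StringLike" in condition:
            # StringLike with a wildcard (e.g. system:serviceaccount:*:*) lets every
            # service account in the cluster assume the role.
            findings.append(f"statement {i}: StringLike condition widens who can assume the role")
    return findings


# Constructed sample: the shape eksctl creates for `--name secrets-reader --namespace default`.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_HOST}:sub": EXPECTED_SUB,
            f"{OIDC_HOST}:aud": "sts.amazonaws.com",
        }},
    }],
}

# Constructed sample of a common mistake: wildcard subject and no audience check.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:*:*"}},
    }],
}


if __name__ == "__main__":
    # Pipe in the live document:
    #   aws iam get-role --role-name SecretsReaderRole \
    #     --query Role.AssumeRolePolicyDocument | python3 check_irsa_trust.py
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else BAD_TRUST_POLICY
    for finding in check_irsa_trust_policy(doc) or ["OK: role is pinned to one service account"]:
        print(finding)
```

Run it against the real role by piping the get-role output into it as shown in the script's main block; any finding means a pod outside default/secrets-reader could obtain this role's permissions.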

Step 3: Use the Secret in Kubernetes Pods

Now, configure your Kubernetes application to retrieve the secret.

1️⃣ Deploy the Kubernetes Service Account

eksctl already created this service account when it created the role. If you created the role another way (for example with eksctl's --role-only flag, or in the IAM console), apply it yourself. The annotation must carry the ARN of the role (SecretsReaderRole here; if you let eksctl generate the role name, use the ARN it printed), not the ARN of the policy:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: secrets-reader
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/SecretsReaderRole

Apply it:

kubectl apply -f service-account.yaml

Either way, confirm the annotation is in place before deploying workloads:

kubectl -n default get sa secrets-reader -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'

2️⃣ Deploy a Pod that Reads the Secret

Inside the pod, the AWS SDK or the AWS CLI obtains credentials automatically: EKS mounts a short-lived service-account token and injects the AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE and AWS_REGION environment variables, and the SDK's credential chain exchanges that token for role credentials with sts:AssumeRoleWithWebIdentity. Nothing needs to be configured in the container, and no access keys exist to leak.

Example Pod Definition (the official AWS CLI image is used so nothing has to be installed at start-up; the loop prints the secret value to stdout only so that Step 4 can verify the setup, a real application would parse it and never log it):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: secret-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secret-app
  template:
    metadata:
      labels:
        app: secret-app
    spec:
      serviceAccountName: secrets-reader   # the IRSA-annotated service account from above
      containers:
      - name: app
        image: public.ecr.aws/aws-cli/aws-cli:latest
        command: ["/bin/sh", "-c"]         # overrides the image's `aws` entrypoint
        args:
          - |
            while true; do
              echo "Fetching Secret..."
              aws secretsmanager get-secret-value --secret-id my-database-secret --query SecretString --output text
              sleep 10
            done

Apply it:

kubectl apply -f secret-app.yaml
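
The shell loop above only proves the plumbing works. What an application running under this service account would actually do is read the secret with the SDK, parse the JSON, cache it, and keep the values out of its logs. The following Python module is an added example (not code from the page): with boto3 installed it needs no configuration in the pod because the IRSA environment variables supply the credentials; the client is injectable, and FakeSecretsClient and ManualClock are constructed stand-ins for boto3's client and the clock so the logic runs offline. The database host and name in build_dsn are assumed values.

```python
"""Fetch and use the secret from inside the pod with the AWS SDK (boto3).

Added example, not code from the original page. In an IRSA pod boto3 needs
no configuration: EKS injects AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE and
AWS_REGION, and the SDK exchanges the projected token for role credentials.
FakeSecretsClient and ManualClock are constructed stand-ins for offline use.
"""
import json
import time
from urllib.parse import quote

SECRET_ID = "my-database-secret"  # the secret created in Step 1


class SecretCache:
    """Fetches JSON secrets and caches them for ttl_seconds so that every
    request does not become a billed, rate-limited Secrets Manager call."""

    def __init__(self, client=None, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # secret_id -> (expires_at, parsed value)

    def _get_client(self):
        if self._client is None:
            import boto3  # imported lazily so the module loads without the SDK
            self._client = boto3.client("secretsmanager")  # region/creds from IRSA env
        return self._client

    def get(self, secret_id):
        now = self._clock()
        cached = self._cache.get(secret_id)
        if cached and cached[0] > now:
            return cached[1]
        resp = self._get_client().get_secret_value(SecretId=secret_id)
        if "SecretString" not in resp:
            raise ValueError(f"{secret_id}: expected a string secret, got binary")
        try:
            value = json.loads(resp["SecretString"])
        except json.JSONDecodeError as exc:
            raise ValueError(f"{secret_id}: SecretString is not JSON") from exc
        for key in ("username", "password"):
            if key not in value:
                raise ValueError(f"{secret_id}: missing required field {key!r}")
        self._cache[secret_id] = (now + self._ttl, value)
        return value


def describe_for_log(secret):
    """The only thing safe to log: the field names, never the values."""
    return "secret loaded with fields: " + ", ".join(sorted(secret))


def build_dsn(secret, host="db.internal", port=5432, dbname="app"):
    """Build the connection string in memory and hand it to the driver; do not print it.
    host and dbname are assumed values for the example."""
    user = quote(secret["username"], safe="")
    password = quote(secret["password"], safe="")
    return f"postgresql://{user}:{password}@{host}:{port}/{dbname}"


class FakeSecretsClient:
    """Constructed stand-in for boto3's secretsmanager client."""

    def __init__(self, secret_string):
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}


class ManualClock:
    """Constructed clock so cache expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    # In the pod: SecretCache().get(SECRET_ID) uses the real client through IRSA.
    # Offline demo with the constructed client and the page's sample value:
    cache = SecretCache(client=FakeSecretsClient(
        '{"username":"admin","password":"mysecurepassword"}'))
    secret = cache.get(SECRET_ID)
    print(describe_for_log(secret))  # field names only, never the values
```

In the pod, `SecretCache().get(SECRET_ID)` is all the application calls; the TTL decides how quickly a rotated password is picked up, so keep it short enough for your rotation schedule and re-fetch on an authentication failure.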

Step 4: Verify That Secrets Are Being Fetched

Check the pod logs:

kubectl logs -f deployment/secret-app

It should print the secret value:

{"username":"admin","password":"mysecurepassword"}

If it prints an AccessDenied error instead, check that the service account annotation points at the right role and that the role's trust policy names system:serviceaccount:default:secrets-reader. Note that this value is now in the pod logs, which anyone with kubectl logs access can read: delete the demo Deployment once verified, and never log secret values in a real application.

🎯 Summary

  1. Store the secret in AWS Secrets Manager.

  2. Create an IAM policy allowing access to the secret.

  3. Attach the policy to an IAM Role for Service Accounts (IRSA).

  4. Create a Kubernetes Service Account linked to the IAM role.

  5. Deploy a Pod that retrieves the secret.

Now your EKS cluster reads the secret on demand from Secrets Manager without storing it in a Kubernetes Secret or a container image, and without any long-lived access keys: the pod receives temporary credentials that the role's trust policy restricts to the default/secrets-reader service account, and the role can read only the one secret.
