Mounting secrets from AWS Secrets Manager

To expose secrets stored in AWS Secrets Manager, and parameters stored in AWS Systems Manager Parameter Store, as mounted volumes in EKS pods, use the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver.

With the ASCP, the pods running on EKS retrieve secrets or parameters themselves, and the values are presented to each pod as files in a projected volume. The ASCP takes the pod's service account identity and exchanges it for an IAM role through IAM Roles for Service Accounts (IRSA). Because the IAM role is bound to one service account in one namespace, you can limit access to a secret or parameter to specific pods in a specific namespace of the EKS cluster.

Optionally, the CSI driver can also sync the mounted secret values into native Kubernetes Secret objects. The volume mount in a pod is required for the sync: the Kubernetes Secret object is created only after a pod that mounts the volume has started. You can then populate environment variables in the pod from that Kubernetes Secret. Note that a synced secret is a copy stored in the cluster like any other Kubernetes Secret, so it is readable by anyone whose RBAC permissions allow reading Secrets in that namespace.

This section shows examples of how to use secrets from AWS Secrets Manager.

Similar steps are required if you want to use parameters from AWS Systems Manager Parameter Store.

After prerequisites are set up, the workflow is as follows:

  1. Create a secret in AWS Secrets Manager.
  2. Create an IAM policy that allows retrieving that secret from AWS Secrets Manager.
  3. Use IRSA to limit secret access to your pods in a specific namespace.
  4. Create and deploy a SecretProviderClass custom resource with provider: aws.
  5. Deploy your pods, mounting volumes based on the SecretProviderClass configured earlier.
  6. Access the secrets within the container from the mounted volumes.
  7. (Optional) Sync your secrets from the mounted volumes to native Kubernetes Secret objects.
  8. (Optional) Set up environment variables in the pod by selecting a specific key of your secret.
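The following script walks through all eight steps end to end. It is an added example, not code from the original page or from the ASCP project: the cluster, namespace, service account, secret and policy names are assumptions, and it presumes the prerequisites (OIDC provider for the cluster, Secrets Store CSI Driver and ASCP installed) are already in place. The manifests are rendered by functions so they can be inspected before anything is applied; the AWS, eksctl and kubectl commands run only when the script is invoked with the argument deploy.

```shell
#!/bin/sh
# Added example (not from the page): renders the IAM policy, SecretProviderClass
# and pod for the eight-step ASCP workflow; "deploy" runs the real commands.
# Cluster, namespace, secret and policy names below are assumptions.
set -eu

CLUSTER="${CLUSTER:-my-cluster}"
REGION="${REGION:-us-east-1}"
NAMESPACE="${NAMESPACE:-payments}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-payments-api}"
SECRET_NAME="${SECRET_NAME:-payments/db-credentials}"
POLICY_NAME="${POLICY_NAME:-PaymentsDbSecretRead}"

# Step 2: least privilege, scoped to one secret ARN rather than "Resource": "*".
render_iam_policy() {   # $1 = full secret ARN (includes the random suffix)
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": ["$1"]
  }]
}
EOF
}

# Steps 4 and 7: provider: aws, JSON keys split into files via jmesPath,
# and secretObjects to sync those aliases into a native Kubernetes Secret.
render_secret_provider_class() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: payments-db
  namespace: ${NAMESPACE}
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "${SECRET_NAME}"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: db-username
          - path: password
            objectAlias: db-password
  secretObjects:
    - secretName: payments-db
      type: Opaque
      data:
        - objectName: db-username
          key: username
        - objectName: db-password
          key: password
EOF
}

# Steps 5, 6 and 8: read-only CSI mount; the synced Secret exists only once a
# pod mounts the volume, so the env var is taken from it in that same pod.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: ${NAMESPACE}
spec:
  serviceAccountName: ${SERVICE_ACCOUNT}
  containers:
    - name: app
      image: public.ecr.aws/docker/library/alpine:3.19
      command: ["sh", "-c", "cat /mnt/secrets/db-username; sleep 3600"]
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef: {name: payments-db, key: password}
      volumeMounts:
        - {name: secrets, mountPath: /mnt/secrets, readOnly: true}
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: payments-db
EOF
}

deploy() {
  # Step 1: the secret must be a JSON document for jmesPath to select keys.
  aws secretsmanager create-secret --region "$REGION" --name "$SECRET_NAME" \
    --secret-string '{"username":"app","password":"CHANGE-ME"}' >/dev/null
  arn=$(aws secretsmanager describe-secret --region "$REGION" \
    --secret-id "$SECRET_NAME" --query ARN --output text)
  # Steps 2 and 3: policy, then IRSA binding it to one service account.
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(render_iam_policy "$arn")" --query Policy.Arn --output text)
  eksctl create iamserviceaccount --cluster "$CLUSTER" --region "$REGION" \
    --namespace "$NAMESPACE" --name "$SERVICE_ACCOUNT" \
    --attach-policy-arn "$policy_arn" --approve
  # Steps 4 to 8.
  render_secret_provider_class | kubectl apply -f -
  render_pod | kubectl apply -f -
  kubectl -n "$NAMESPACE" wait --for=condition=Ready pod/payments-api --timeout=120s
  kubectl -n "$NAMESPACE" exec payments-api -- cat /mnt/secrets/db-password
  kubectl -n "$NAMESPACE" get secret payments-db   # present only after the mount
}

[ "${1:-}" = "deploy" ] && deploy || true
```

Two points worth keeping in mind when adapting this: the IAM policy names the exact secret ARN returned by describe-secret, so the role cannot read any other secret in the account; and because the synced Kubernetes Secret and the DB_PASSWORD environment variable both copy the value out of the CSI volume, use them only where the application cannot read the file directly, since environment variables are visible to anyone who can describe or exec into the pod.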