To expose secrets from AWS Secrets Manager and parameters from AWS Systems Manager Parameter Store as mounted volumes in EKS pods, use the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver.
With the ASCP, pods running on EKS retrieve secrets or parameters at mount time, and the values are presented to the pod as files in a projected volume. The ASCP uses the pod's service account identity and IAM Roles for Service Accounts (IRSA) to obtain AWS credentials, so access to a given secret or parameter can be restricted to pods that run under a specific service account in a specific namespace of the EKS cluster.
Optionally, the CSI driver can also sync the mounted secret values into native Kubernetes Secret objects. The volume must actually be mounted by a pod for the sync to happen; the Kubernetes Secret object is created only after the mount. Once it exists, you can populate environment variables in the pod from that Kubernetes Secret. Keep in mind that a synced value is stored in the cluster like any other Kubernetes Secret, so it is then governed by cluster RBAC and etcd encryption settings in addition to the IAM policy on the source secret.
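The following manifests are an added illustration of the pieces described above, not taken from the original page or from AWS documentation. They assume a Secrets Manager secret named `prod/app/db` whose value is a JSON document with `username` and `password` fields, a namespace `prod`, and a service account `app-sa` that is annotated with the ARN of an IRSA role allowed to call `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` on that one secret; all of these names are hypothetical. The SecretProviderClass selects the secret and (optionally) syncs it into a Kubernetes Secret, and the Pod mounts the CSI volume and reads one field back as an environment variable.

```yaml
# Added example (hypothetical names); assumes the Secrets Store CSI Driver was
# installed with --set syncSecret.enabled=true and the ASCP provider is deployed.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-db-secrets
  namespace: prod
spec:
  provider: aws
  parameters:
    # "objects" is a YAML string containing a list of objects to fetch.
    objects: |
      - objectName: "prod/app/db"          # hypothetical Secrets Manager secret
        objectType: "secretsmanager"       # use "ssmparameter" for Parameter Store
        jmesPath:                          # split the JSON secret into two files
          - path: username
            objectAlias: db-username
          - path: password
            objectAlias: db-password
  # Optional sync into a native Kubernetes Secret; created only after a pod
  # actually mounts the volume below.
  secretObjects:
    - secretName: app-db-credentials
      type: Opaque
      data:
        - objectName: db-username
          key: username
        - objectName: db-password
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: prod
spec:
  # The service account carries the IRSA annotation
  # eks.amazonaws.com/role-arn; the ASCP assumes that role, so only pods
  # using this account in this namespace can read prod/app/db.
  serviceAccountName: app-sa
  containers:
    - name: app
      image: public.ecr.aws/docker/library/busybox:stable   # placeholder image
      command: ["sh", "-c", "ls -l /mnt/secrets-store && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store    # files db-username and db-password appear here
          readOnly: true
      env:
        # Populated from the synced Kubernetes Secret, so it depends on
        # the volume mount above having succeeded.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-db-credentials
              key: password
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-db-secrets
```

Two points are worth checking when adapting this: the IAM policy attached to the IRSA role should name the specific secret ARN rather than `*`, since the SecretProviderClass cannot narrow access beyond what the role grants, and if the env-from-secret reference is added without the volume mount, the pod will fail to start because the synced Secret is never created.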
This section shows examples of how to use secrets from AWS Secrets Manager.
Similar steps are required if you want to use parameters from AWS Systems Manager Parameter Store.
After the prerequisites are in place, the workflow is as follows: