Storing secrets in AWS Secrets Manager
Let's begin by creating a secret in AWS Secrets Manager using the AWS CLI. We'll create a secret that contains JSON-encoded credentials with username and password values:
~$ export SECRET_SUFFIX=$(openssl rand -hex 4)
~$ export SECRET_NAME="$EKS_CLUSTER_NAME-catalog-secret-${SECRET_SUFFIX}"
~$ aws secretsmanager create-secret --name "$SECRET_NAME" \
  --secret-string '{"username":"catalog", "password":"dYmNfWV4uEvTzoFu"}' --region $AWS_REGION
{
    "ARN": "arn:aws:secretsmanager:us-west-2:1234567890:secret:eks-workshop-catalog-secret-WDD8yS",
    "Name": "eks-workshop-catalog-secret-WDD8yS",
    "VersionId": "7e0b352d-6666-4444-aaaa-cec1f1d2df1b"
}
Note: We're generating a unique suffix for our secret name using openssl to ensure it doesn't conflict with any existing secrets in your account.
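The create-secret call above passes the secret value as a command-line argument, where it is recorded in shell history and visible in the process list while the command runs. The following added example (not part of the workshop; the function names are hypothetical) builds the same JSON payload in an owner-only temporary file and hands it to the AWS CLI with `file://`, assuming `$SECRET_NAME` and `$AWS_REGION` are set as above.

```shell
# Added example, not workshop code. Function names are hypothetical.

# Escape backslashes and double quotes so the value is a valid JSON string.
# (Control characters are not handled; this assumes a single-line value.)
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Read the password from stdin, write {"username":...,"password":...} to a
# temp file readable only by the owner, and print the file's path.
write_secret_payload() {
  (
    umask 077
    username="$1"
    # Accept input with or without a trailing newline; reject empty input.
    IFS= read -r password || [ -n "$password" ] || exit 1
    payload=$(mktemp) || exit 1
    printf '{"username":"%s","password":"%s"}\n' \
      "$(json_escape "$username")" "$(json_escape "$password")" > "$payload"
    printf '%s\n' "$payload"
  )
}

# Create the secret from the payload file, then delete the file whether or
# not the API call succeeded.
create_secret_from_file() {
  name="$1"
  payload="$2"
  aws secretsmanager create-secret --name "$name" \
    --secret-string "file://$payload" --region "$AWS_REGION"
  status=$?
  rm -f "$payload"
  return "$status"
}

# Usage (the password is generated here and never appears as an argument):
#   payload=$(openssl rand -hex 16 | write_secret_payload catalog)
#   create_secret_from_file "$SECRET_NAME" "$payload"
```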
You can verify that the secret was created successfully by checking either the AWS Secrets Manager Console or using the AWS CLI. Let's use the CLI to examine the secret's metadata:
~$ aws secretsmanager describe-secret --secret-id "$SECRET_NAME"
{
    "ARN": "arn:aws:secretsmanager:us-west-2:1234567890:secret:eks-workshop-catalog-secret-WDD8yS",
    "Name": "eks-workshop-catalog-secret-WDD8yS",
    "LastChangedDate": "2023-10-10T20:44:51.882000+00:00",
    "VersionIdsToStages": {
        "94d1fe43-87f5-42fb-bf28-f6b090f0ca44": [
            "AWSCURRENT"
        ]
    },
    "CreatedDate": "2023-10-10T20:44:51.439000+00:00"
}
Now that we've successfully created a secret in AWS Secrets Manager, we'll use it in our Kubernetes applications in the next sections.