How to inject Secrets Manager secrets into a pod on Kubernetes EKS


I. Introduction

AWS Secrets Manager is a central source of truth for storing and managing the secrets your applications need. Secrets should not be copied into application configuration by hand: a hand-made copy drifts from the source, ends up in repositories and shell histories, and is hard to rotate. In this tutorial, we show how to inject secrets from Secrets Manager into a pod running on Kubernetes EKS using the External Secrets Operator.

II. How to inject Secrets Manager secrets into a pod on Kubernetes EKS

Create secrets in secret manager

First, create the secrets in AWS Secrets Manager. This can be done in several ways: the AWS Management Console, the AWS CLI, an AWS SDK, or infrastructure-as-code. We will demonstrate the AWS Management Console:
  1. In the Management Console, open the Secrets Manager service.
  2. Create a secret for your application. Note its name (used as the remote key in the ExternalSecret below) and its ARN (needed for the IAM policy). You can find more guidance in the AWS Secrets Manager documentation.

Create IAM User to retrieve secrets

It is recommended to create a dedicated IAM user whose only purpose is to read these secrets, so that the credentials handed to the cluster cannot do anything else. Here is the IAM permission policy for the user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "<Your secret ARN>"
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        }
    ]
}

A secret ARN ends with the secret name followed by a random six-character suffix (arn:aws:secretsmanager:<region>:<account-id>:secret:<name>-AbCdEf), so to match one secret without hardcoding the suffix use arn:aws:secretsmanager:<region>:<account-id>:secret:<name>-* as the resource. Keep it that narrow: a wildcard over all secrets in the account means a leaked access key exposes every secret, not just this one. ListSecrets does not support resource-level permissions, which is why it sits in its own statement with Resource "*"; the External Secrets Operator does not need it to read a named secret, so the second statement can be dropped. On EKS, the preferred alternative to a static access key is IAM Roles for Service Accounts (IRSA): annotate the operator's service account with eks.amazonaws.com/role-arn and configure the SecretStore with auth.jwt.serviceAccountRef instead of auth.secretRef, so that no long-lived AWS credential is stored in the cluster at all. The rest of this tutorial follows the access-key approach.

Install the External Secrets Operator Helm chart

Next, install the External Secrets Operator Helm chart in its own namespace:

helm repo add external-secrets https://charts.external-secrets.io

helm install external-secrets \
    external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace


Inject the IAM user's credentials for authentication to AWS Secrets Manager

First, place the IAM user credentials into a YAML file, for example secret-for-aws.yaml. This Secret must be created in the same namespace as the SecretStore and ExternalSecret below (a SecretStore is namespaced; use a ClusterSecretStore if the store must be shared across namespaces):
apiVersion: v1
kind: Secret
metadata:
  name: awssm-secret
type: Opaque
data:
  accessKeyID: <Your IAM access key ID in base64>
  secretAccessKey: <Your IAM secret access key in base64>

Base64 is an encoding, not encryption: anyone who can read the repository can recover the access key from this file. If it is committed, use Bitnami Sealed Secrets instead, so that only the sealed form is stored and only the controller running in the cluster can decrypt it:
kubeseal --cert=public-key-cert.pem --format=yaml < secret-for-aws.yaml > sealed-secret-for-aws.yaml

A common mistake when producing the base64 values is to pipe them through echo, which appends a newline that becomes part of the credential and makes every AWS call fail with a signature error; use printf or echo -n, or put the plain values under stringData and let the API server encode them.
Create your first SecretStore
Create a file called secret-store.yaml. The region must be the one in which the secret was created, and the secretRef names must match the Secret created above:
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: awssm-secretstore
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: accessKeyID
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secretAccessKey
 
Create your first ExternalSecret
Create a file called external-secret.yaml. Here remoteRef.key is the name of the secret in Secrets Manager (alias in this example), remoteRef.property is a JSON key inside that secret's value, and secretKey is the key under which the value is written into the Kubernetes Secret named by target.name. Indent with spaces; YAML rejects tabs:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: awssm-external-secret
spec:
  refreshInterval: 1440m
  secretStoreRef:
    name: awssm-secretstore
    kind: SecretStore
  target:
    name: alias-secret
    creationPolicy: Owner
  data:
    - secretKey: <Your existing secret key #1>
      remoteRef:
        key: alias
        property: <Your existing secret property #1>
    - secretKey: <Your existing secret key #2>
      remoteRef:
        key: alias
        property: <Your existing secret property #2>

refreshInterval: 1440m means the operator re-reads the secret every 24 hours, so a rotated value takes up to a day to reach the cluster; lower it if you rotate more often. creationPolicy: Owner makes the operator the owner of alias-secret, so deleting the ExternalSecret deletes the synced Secret as well.

Apply the configuration

kubectl create -f sealed-secret-for-aws.yaml,secret-store.yaml,external-secret.yaml

If you did not seal the credentials, pass secret-for-aws.yaml instead of sealed-secret-for-aws.yaml. The SecretStore and ExternalSecret kinds only exist once the Helm chart from the previous step has installed their CRDs.

Check if the secret is retrieved correctly

First confirm that the operator managed to sync: kubectl get externalsecret shows awssm-external-secret with SecretSynced in its STATUS column and True under READY. If it shows SecretSyncedError, describing the ExternalSecret reveals the underlying AWS error, most often an AccessDeniedException because the IAM policy does not cover the secret ARN, or a ResourceNotFoundException because the remote key or the region is wrong.

Get the retrieved secret in the K8s cluster:
kubectl get secret alias-secret

Get the value of one key of the retrieved secret (replace the key name with one of the secretKey values from the ExternalSecret):
kubectl get secret alias-secret -o jsonpath="{.data.<Your existing secret key #2>}" | base64 --decode
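The steps above end with the secret present in the cluster; the remaining step the title promises is to hand it to a pod. The following Deployment is an added example, not part of the original tutorial, showing both ways to consume the synced Secret alias-secret: as environment variables and as a read-only volume. The key names db-username and db-password are hypothetical stand-ins for the secretKey values in your ExternalSecret, and the image name is a placeholder.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      # The pod never sees AWS credentials: it only reads the Kubernetes
      # Secret that the External Secrets Operator keeps in sync.
      automountServiceAccountToken: false
      containers:
        - name: app
          image: <Your application image>   # placeholder
          env:
            # Individual keys of alias-secret as environment variables.
            # Values are fixed when the container starts.
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: alias-secret
                  key: db-username        # hypothetical secretKey name
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: alias-secret
                  key: db-password        # hypothetical secretKey name
          volumeMounts:
            # The same Secret as files under /run/secrets/db, one file per key.
            # The kubelet updates these files when the operator refreshes the
            # Secret, as long as the mount does not use subPath.
            - name: db-credentials
              mountPath: /run/secrets/db
              readOnly: true
      volumes:
        - name: db-credentials
          secret:
            secretName: alias-secret
```

Prefer the volume when the application can re-read its credentials, because a rotated value then reaches it without a restart; with environment variables, a new value only takes effect after the pods are recreated (for example with a rollout restart of the Deployment).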

III. Conclusion

Managing secrets is hard, and a Kubernetes cluster adds one more place for them to live. In this tutorial, you have learned how to sync secrets from AWS Secrets Manager into a Kubernetes Secret on AWS EKS with the External Secrets Operator and expose them to a pod. The pod never holds AWS credentials, the values are refreshed automatically, and the only long-lived credential in the cluster is the operator's, which should be scoped to exactly the secrets it needs or replaced by IRSA.
