Accessing Secrets from External Secret Manager in Kubernetes

Need some help!

I want to integrate AWS secrets manager in our EKS.

One way I tried is the Secrets Store CSI Driver (SSCSID). It mounts the secrets directly into the Pod.
If we want to set an environment variable using a secret, then we need to enable the secretSync option of SSCSID, because of which SSCSID creates a Kubernetes Secret for my secret data.
This is similar to using k8s Secrets, which are base64 encoded.

What I want is for the k8s Secret not to contain the actual data; it should contain a placeholder, and then the driver/k8s should replace the placeholder with data from AWS Secrets Manager at the time of mounting/using the secret inside the pod.

Can anyone please suggest the right way or tool for it?


External Secrets is designed to read a secret from a source like AWS Secrets Manager and populate a v1/Secret in the cluster. Preventing someone from reading that secret is just done by using RBAC in the cluster. Conversely, using role-based access per secret store and limiting roles to specific namespaces opens up the ability to partition your secrets by keyspaces on their names.

This tool works. The alternative is probably to just use role-based access in the application to get the secret.
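As an added example (not from either poster), here is the setup the reply describes: External Secrets Operator syncing one AWS Secrets Manager entry into a v1/Secret, with a namespaced SecretStore so only that namespace can use the store, and an RBAC Role scoped to that one Secret. The namespace, service account, AWS secret path, region and group names are assumptions.

```yaml
# Added example, not from either poster. Assumed names: namespace "payments",
# IRSA service account "eso-payments", AWS secret "prod/payments/db".
apiVersion: external-secrets.io/v1beta1
kind: SecretStore              # namespaced store: usable only by ExternalSecrets in "payments"
metadata:
  name: aws-sm
  namespace: payments
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: eso-payments   # IAM role via IRSA; scope its policy to prod/payments/* only
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: payments
spec:
  refreshInterval: 1h            # re-sync so rotations in AWS reach the cluster
  secretStoreRef:
    name: aws-sm
    kind: SecretStore
  target:
    name: db-credentials         # the v1/Secret ESO writes (base64, like any Secret)
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: prod/payments/db
        property: password       # one JSON field of the AWS secret
---
# RBAC: the team may read this one Secret, not every Secret in the namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-credentials
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]
    verbs: ["get"]               # "list"/"watch" cannot be limited by resourceNames, so omit them
```

Bind the Role to the team's group with a RoleBinding in the same namespace; a Pod consuming the Secret through `secretKeyRef` or a volume needs no RBAC grant, since the kubelet performs that read.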