Accessing Secrets from External Secret Manager in Kubernetes

akshayw · February 16, 2023, 7:26am

Need Some help!

I want to integrate AWS secrets manager in our EKS.

One way I tried is Secrets Store CSI Driver (SSCSID). It mounts the secrets directly into Pod.
If we want to set an environment variable using secret then we need to enable the secretSync option of SSCSID, because of which the SSCSID creates a kubernetes secret for my secret data.
This is similar to using the k8s secrets which is base64 encoded.

What I want to have is, the k8s secret should not contain the actual data, it should contain the place-holder, and then the driver/k8s should replace the place-holder with data from aws secrets manager at time of mounting/using the secret inside the pod.

Can anyone please suggest the right way or tool for it?

Thanks

protosam · February 16, 2023, 8:45am

External Secrets is designed to read a secret from a source like AWS Secrets Manager and populate a v1/Secret in the cluster. Preventing someone from reading that secret is just done by using RBAC in the cluster. Conversely using role based access per secret store and limiting roles to specific namespaces opens up the ability to partition your secrets by keyspaces on their names.

This tool works. The alternative is probably to just use role based access in the application to get the secret.

Topic		Replies	Views
Best practice to use AWS Secrets Manager with EKS and rotate regularly General Discussions development	0	822	May 19, 2023
How to secure Kubernetes secrets on bare metal? General Discussions security , on-prem	1	1331	February 24, 2023
How to restrict access to sensitive environment variables in K8S's Pod General Discussions security	4	2836	March 7, 2022
Kubernetes Secret Management for GPU Nodes using CSI on AKS General Discussions	0	327	August 2, 2023
Secrets - Mount paths persist across container redeployments General Discussions	0	511	May 3, 2021

Accessing Secrets from External Secret Manager in Kubernetes

Related topics