Using AWS Secrets Manager with ExternalSecrets in an EKS Cluster


Managing sensitive information like API keys, database credentials, and other secrets securely is crucial for modern cloud-native applications. AWS Secrets Manager simplifies storing and retrieving secrets, while tools like ExternalSecrets seamlessly integrate secrets into Kubernetes clusters. This blog post will guide you through using AWS Secrets Manager with ExternalSecrets in an Amazon Elastic Kubernetes Service (EKS) cluster.

Prerequisites

Before diving into the setup, ensure you have the following:

  1. AWS Account with IAM permissions to create and manage Secrets Manager secrets.

  2. EKS Cluster up and running.

  3. kubectl CLI configured to interact with your EKS cluster.

  4. Helm CLI installed for managing Kubernetes applications.

  5. AWS CLI configured with access to your AWS account.

  6. eksctl installed, since Step 3 uses it to create the IAM role and service account.

Step 1: Creating a Secret in AWS Secrets Manager

  1. Navigate to the AWS Management Console and go to Secrets Manager.

  2. Click on Store a new secret.

  3. Choose Other type of secret, and enter the key-value pairs for your secret. For example:

    • Key: dbPassword

    • Value: supersecretpassword

  4. Click Next and provide a name for your secret, such as MyAppSecret.

  5. Complete the process by clicking Store.

Step 2: Installing ExternalSecrets in EKS

ExternalSecrets allows Kubernetes to access secrets stored in external systems like AWS Secrets Manager.

2.1 Add the ExternalSecrets Helm Repository

helm repo add external-secrets https://charts.external-secrets.io
helm repo update

2.2 Install ExternalSecrets

helm install external-secrets external-secrets/external-secrets -n external-secrets --create-namespace

Verify the installation:

kubectl get pods -n external-secrets

You should see the external-secrets controller pod, together with the webhook and cert-controller pods the chart installs, in the Running state.

Step 3: Configuring AWS IAM Permissions

ExternalSecrets needs permission to read the secret. Create an IAM policy that grants only secretsmanager:GetSecretValue on that one secret. Secrets Manager appends a hyphen and six random characters to every secret ARN, so the Resource names the secret as MyAppSecret-* rather than the bare name; an ARN without the suffix would never match. Create the policy in the console or with the AWS CLI and note the name you give it, which Step 3.2 refers to as <policy-name>.

3.1 IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:MyAppSecret-*"
        }
    ]
}

3.2 IAM Role and Service Account

Use eksctl to create the Kubernetes service account and an IAM role carrying the policy, linked through IAM Roles for Service Accounts (IRSA). The cluster must have an IAM OIDC provider for this to work; if it has none yet, eksctl's associate-iam-oidc-provider utility can create one.

eksctl create iamserviceaccount \
  --name external-secrets-sa \
  --namespace external-secrets \
  --cluster <your-cluster-name> \
  --attach-policy-arn arn:aws:iam::<account-id>:policy/<policy-name> \
  --approve \
  --override-existing-serviceaccounts

Step 4: Creating an ExternalSecret Resource

Define a ClusterSecretStore that tells the operator how to reach AWS, then an ExternalSecret that maps the AWS Secrets Manager secret to a Kubernetes Secret. The store's conditions restrict which namespaces may reference it; keep that list to the namespaces that actually need the secret.

4.1 Create a Cluster Secret Store

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-store
spec:
  conditions:
    - namespaces:
        - "default"
        - "external-secrets"
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
            namespace: external-secrets

Apply the ClusterSecretStore (saved here as secretstore.yaml):

kubectl apply -f secretstore.yaml

4.2 Create an ExternalSecret

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: myapp-secret
  namespace: external-secrets
spec:
  secretStoreRef:
    name: aws-secrets-store
    kind: ClusterSecretStore
  target:
    name: myapp-secret
  data:
  - secretKey: dbPassword
    remoteRef:
      key: MyAppSecret
      property: dbPassword

Apply the ExternalSecret:

kubectl apply -f externalsecret.yaml
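Before applying the manifests, it helps to check that the IAM policy, the ClusterSecretStore and the ExternalSecret actually agree with each other: that the policy's Resource pattern will match the secret ARN (Secrets Manager appends a random six-character suffix), that the ExternalSecret's namespace is permitted by the store's conditions, and that no wildcard action or resource slipped in. The following Python script is an added example written for this post, not code from the original article or from the External Secrets Operator; it embeds the three artifacts as Python dicts mirroring Steps 3 and 4 with a constructed account id, and the -AbCdEf suffix it uses to simulate a real ARN is likewise constructed.

```python
# Pre-apply consistency check for the IAM policy (Step 3) and the
# ClusterSecretStore / ExternalSecret manifests (Step 4).
import fnmatch
import re

REGION = "us-west-2"
ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account
SECRET_NAME = "MyAppSecret"

IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        # Secrets Manager adds "-" plus six random characters to the ARN, hence the "-*".
        "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{SECRET_NAME}-*",
    }],
}

CLUSTER_SECRET_STORE = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ClusterSecretStore",
    "metadata": {"name": "aws-secrets-store"},
    "spec": {
        "conditions": [{"namespaces": ["default", "external-secrets"]}],
        "provider": {"aws": {
            "service": "SecretsManager", "region": REGION,
            "auth": {"jwt": {"serviceAccountRef": {
                "name": "external-secrets-sa", "namespace": "external-secrets"}}},
        }},
    },
}

EXTERNAL_SECRET = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "myapp-secret", "namespace": "external-secrets"},
    "spec": {
        "secretStoreRef": {"name": "aws-secrets-store", "kind": "ClusterSecretStore"},
        "target": {"name": "myapp-secret"},
        "data": [{"secretKey": "dbPassword",
                  "remoteRef": {"key": SECRET_NAME, "property": "dbPassword"}}],
    },
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy, store, external_secret):
    """Return a list of findings; an empty list means the three artifacts agree."""
    findings = []
    region = store["spec"]["provider"]["aws"]["region"]
    allowed = []  # Resource patterns from Allow statements

    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action in ("*", "secretsmanager:*"):
                findings.append(f"wildcard action {action!r} grants far more than reading one secret")
        for res in _as_list(stmt["Resource"]):
            allowed.append(res)
            if res == "*":
                findings.append("Resource '*' allows reading every secret in the account")
                continue
            parts = res.split(":", 6)  # arn:aws:secretsmanager:region:account:secret:name
            if len(parts) != 7 or parts[2] != "secretsmanager":
                findings.append(f"unexpected resource ARN {res!r}")
            elif parts[3] not in ("", "*", region):
                findings.append(f"policy region {parts[3]!r} differs from store region {region!r}")
            elif "*" not in parts[6] and not re.search(r"-[A-Za-z0-9]{6}$", parts[6]):
                findings.append(f"{res!r} lacks the random suffix Secrets Manager adds; use '{parts[6]}-*'")

    ref = external_secret["spec"]["secretStoreRef"]
    if (ref.get("name"), ref.get("kind", "SecretStore")) != (store["metadata"]["name"], store["kind"]):
        findings.append("secretStoreRef does not point at this ClusterSecretStore")

    ns = external_secret["metadata"]["namespace"]
    conditions = store["spec"].get("conditions", [])
    if conditions and all("namespaces" in c for c in conditions):  # namespaceSelector form is not handled
        permitted = [n for c in conditions for n in c["namespaces"]]
        if ns not in permitted:
            findings.append(f"namespace {ns!r} is not allowed by the store's conditions {permitted}")

    for entry in external_secret["spec"].get("data", []):
        key = entry["remoteRef"]["key"]
        # Simulate the ARN the secret would carry (constructed suffix) and test it against the policy.
        arn = key if key.startswith("arn:") else f"arn:aws:secretsmanager:{region}:{ACCOUNT_ID}:secret:{key}-AbCdEf"
        if not any(fnmatch.fnmatchcase(arn, pattern) for pattern in allowed):
            findings.append(f"remoteRef key {key!r} is not covered by any Allow statement")
    return findings

if __name__ == "__main__":
    for line in lint(IAM_POLICY, CLUSTER_SECRET_STORE, EXTERNAL_SECRET) or ["OK: artifacts agree"]:
        print(line)
```

Run it as-is and it reports that the embedded artifacts agree; swap in your own values (or paste in a policy without the -* suffix) and the findings explain why a sync would fail or why the policy is broader than the post intends. The namespace check only understands the namespaces form of a condition; a store using namespaceSelector is skipped rather than guessed at.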

Step 5: Verifying the Secret in Kubernetes

Once the ExternalSecret resource is applied, verify that the Kubernetes secret has been created:

kubectl get secret myapp-secret -n external-secrets -o yaml

You should see the dbPassword value under data, base64-encoded. Base64 is an encoding, not encryption: anyone with read access to Secrets in that namespace can decode it, so RBAC on the namespace matters as much as the IAM policy.
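A quicker way to tell whether the sync succeeded is the Ready condition on the ExternalSecret itself (kubectl get externalsecret myapp-secret -n external-secrets -o json), which the operator sets with reason SecretSynced on success or SecretSyncedError carrying the AWS error message on failure. The script below is an added example, not part of the original post or of the External Secrets Operator: it reads either an ExternalSecret or a Secret in JSON form from stdin, reports the sync state, and confirms the expected keys are present without ever printing the decoded values. The two sample objects embedded in it are constructed to mirror kubectl's output.

```python
# Check an ExternalSecret's sync status, or the resulting Secret, from kubectl JSON.
# Usage: kubectl get externalsecret myapp-secret -n external-secrets -o json | python3 check_sync.py
#        kubectl get secret myapp-secret -n external-secrets -o json | python3 check_sync.py
import base64
import json
import sys

# Constructed samples mirroring kubectl output; used when nothing is piped in.
SAMPLE_EXTERNAL_SECRET = {
    "apiVersion": "external-secrets.io/v1beta1",
    "kind": "ExternalSecret",
    "metadata": {"name": "myapp-secret", "namespace": "external-secrets"},
    "status": {
        "conditions": [{"type": "Ready", "status": "True",
                        "reason": "SecretSynced", "message": "Secret was synced"}],
        "refreshTime": "2024-01-01T00:00:00Z",
    },
}
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "myapp-secret", "namespace": "external-secrets"},
    "data": {"dbPassword": base64.b64encode(b"supersecretpassword").decode()},
}

def sync_state(external_secret):
    """Return (ready, reason, message) from the ExternalSecret's Ready condition."""
    for cond in external_secret.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("reason", ""), cond.get("message", "")
    return False, "NoCondition", "controller has not reconciled this resource yet"

def secret_summary(secret):
    """Return {key: decoded byte length}; the values themselves are never returned or printed."""
    return {k: len(base64.b64decode(v)) for k, v in secret.get("data", {}).items()}

def check(obj, expected_keys=("dbPassword",)):
    """Dispatch on kind; return a list of problems (empty means healthy)."""
    problems = []
    if obj.get("kind") == "ExternalSecret":
        ready, reason, message = sync_state(obj)
        if not ready:
            problems.append(f"not synced: {reason}: {message}")
    elif obj.get("kind") == "Secret":
        summary = secret_summary(obj)
        for key in expected_keys:
            if key not in summary:
                problems.append(f"key {key!r} missing from Secret data")
            elif summary[key] == 0:
                problems.append(f"key {key!r} is empty")
    else:
        problems.append(f"unexpected kind {obj.get('kind')!r}")
    return problems

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    obj = json.loads(raw) if raw.strip() else SAMPLE_EXTERNAL_SECRET
    problems = check(obj)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

The exit status makes it usable in a pipeline gate after kubectl apply; a failed sync surfaces the operator's reason and message (typically an AccessDeniedException from Secrets Manager when the IAM policy or IRSA binding is wrong) instead of an empty Secret that is only noticed when the pod starts.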

Step 6: Using the Secret in a Kubernetes Deployment

Update your application deployment to use the secret:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: external-secrets
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp-image
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: myapp-secret
              key: dbPassword

Apply the deployment:

kubectl apply -f deployment.yaml

Conclusion

With AWS Secrets Manager and ExternalSecrets, securely managing secrets in Kubernetes clusters becomes seamless. This setup ensures that sensitive data is never hardcoded into configurations, enhancing security and compliance.