AWS Secrets Manager is a central source of truth for storing and managing the secrets your applications use. Injecting secrets into an application by hand is not recommended. In this tutorial, we show how to inject secrets from Secrets Manager into a pod on Kubernetes (EKS).
First, we need to create the secrets in AWS Secrets Manager. This can be done in several ways: through the AWS Management Console, the AWS CLI, or an AWS SDK.
We will demonstrate how to create secrets with the AWS Management Console:
It is recommended to use a dedicated IAM user whose only job is to retrieve the secrets from AWS Secrets Manager. Here is the IAM permission policy for that user (the service prefix is secretsmanager, and the actions must sit inside a Statement with an Effect; note that secretsmanager:ListSecrets does not support resource-level permissions, so if you need it, grant it in a separate statement with "Resource": "*"):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:ListSecrets"
      ],
      "Resource": [
        "<Your Secret Manager ARN>:*"
      ]
    }
  ]
}
Next, we need to install the External Secrets Operator Helm chart into its own namespace:
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets \
  external-secrets/external-secrets \
  -n external-secrets \
  --create-namespace
Finally, store the IAM user's access keys in the cluster so the operator can authenticate to AWS Secrets Manager, and point the operator at the secret to sync.
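The wiring described above, as an added example that is not part of this tutorial or of the External Secrets project: a shell script that renders the SecretStore, the ExternalSecret and a pod that consumes the synced Secret. The resource names, the region us-east-1, the remote secret name my-app/prod and its property name password are assumptions; override them through the environment. The IAM user's keys are created as a Kubernetes Secret out of band (the kubectl command is in the comment) so they never land in a manifest file.

```shell
#!/bin/sh
# Added example, not from the tutorial: render the manifests that connect the
# External Secrets Operator to AWS Secrets Manager via the IAM user's keys and
# expose the fetched value to a pod.  Usage:  sh render-eso.sh | kubectl apply -f -
set -eu

# Assumed values (override via environment, e.g. AWS_REGION=eu-west-1 sh render-eso.sh)
AWS_REGION="${AWS_REGION:-us-east-1}"
NAMESPACE="${NAMESPACE:-default}"
CREDS_SECRET="${CREDS_SECRET:-awssm-credentials}"  # K8s Secret holding the IAM user's keys
STORE_NAME="${STORE_NAME:-aws-secrets-manager}"
REMOTE_SECRET="${REMOTE_SECRET:-my-app/prod}"      # name of the secret in Secrets Manager
REMOTE_PROPERTY="${REMOTE_PROPERTY:-password}"     # JSON key inside that secret
TARGET_SECRET="${TARGET_SECRET:-my-app-secret}"    # K8s Secret the operator will create

# Create the credentials Secret out of band so the keys are never written to a file:
#   kubectl -n "$NAMESPACE" create secret generic "$CREDS_SECRET" \
#     --from-literal=access-key="$AWS_ACCESS_KEY_ID" \
#     --from-literal=secret-access-key="$AWS_SECRET_ACCESS_KEY"

# SecretStore: which AWS service/region to use and where the IAM credentials live.
render_secret_store() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: ${STORE_NAME}
  namespace: ${NAMESPACE}
spec:
  provider:
    aws:
      service: SecretsManager
      region: ${AWS_REGION}
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: ${CREDS_SECRET}
            key: access-key
          secretAccessKeySecretRef:
            name: ${CREDS_SECRET}
            key: secret-access-key
EOF
}

# ExternalSecret: which remote secret to fetch, how often, and the K8s Secret to write.
render_external_secret() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ${TARGET_SECRET}
  namespace: ${NAMESPACE}
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: ${STORE_NAME}
    kind: SecretStore
  target:
    name: ${TARGET_SECRET}
    creationPolicy: Owner
  data:
    - secretKey: ${REMOTE_PROPERTY}
      remoteRef:
        key: ${REMOTE_SECRET}
        property: ${REMOTE_PROPERTY}
EOF
}

# Pod: consumes the operator-managed Secret like any other Secret, here as an env var.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
  namespace: ${NAMESPACE}
spec:
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: ${TARGET_SECRET}
              key: ${REMOTE_PROPERTY}
EOF
}

# Emit all three manifests as one multi-document YAML stream.
render_all() {
  render_secret_store
  printf -- '---\n'
  render_external_secret
  printf -- '---\n'
  render_pod
}

render_all
```

The SecretStore, the credentials Secret and the ExternalSecret are all namespaced, so they must live in the same namespace as the pod. With creationPolicy: Owner the operator owns the target Secret and re-syncs it every refreshInterval, so a rotation in Secrets Manager reaches the cluster without anyone copying values by hand.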