Integrating Secrets Manager with AWS EKS
In one of my earlier blogs, “Securing Secrets with Kubernetes”, many readers asked: why can’t we use native cloud services such as AWS Secrets Manager or AWS Systems Manager Parameter Store to secure secrets, and use the AWS SDK to retrieve them on the fly?
You can of course do that. In fact, it is one of several ways of handling secrets in Kubernetes. IMHO, your choice of approach depends on the constraints you have while architecting and designing your application.
Assuming you are constrained to using AWS Secrets Manager because it supports encryption at rest and secret rotation and has been pre-approved by your security team, this blog gives you enough detail on how to use secrets managed by AWS Secrets Manager inside AWS EKS pods.
There are multiple ways of using the AWS Secrets Manager service in EKS pods:
- Write custom code using the AWS SDK that loads secrets from Secrets Manager when the pod starts up
- Write a custom Kubernetes controller that syncs secrets from AWS Secrets Manager into native Kubernetes Secret objects, which pods then consume via environment variables or mounted volumes
- Write a MutatingAdmissionWebhook that injects a sidecar container into the application pod; the sidecar loads secrets from AWS Secrets Manager and the application container reads them from a mounted volume
- Using Kubernetes Secrets…
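The first approach listed above (fetch at pod start-up with the AWS SDK), as an added example that is not code from the original post: a boto3-based loader whose client is injectable, with a constructed stand-in client and constructed responses so it runs offline. The secret names `prod/app/db` and `prod/app/tls`, the response contents, and the assumption that the pod's IAM identity already has `secretsmanager:GetSecretValue` are all mine, not the page's.

```python
import base64
import json
from typing import Any, Dict, Optional


def parse_secret_value(response: Dict[str, Any]) -> Dict[str, str]:
    """Flatten a GetSecretValue response into key/value pairs. The API returns either
    SecretString (usually a JSON object, sometimes plain text) or SecretBinary
    (bytes from boto3, base64 text from the raw HTTP API); both forms are accepted."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        blob = response["SecretBinary"]
        raw = (base64.b64decode(blob) if isinstance(blob, str) else bytes(blob)).decode()
    else:
        raise ValueError("response has neither SecretString nor SecretBinary")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        data = None
    # A non-JSON or non-object secret is exposed under a single "value" key.
    return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {"value": raw}


def load_secret_at_startup(secret_id: str, client: Optional[Any] = None) -> Dict[str, str]:
    """Fetch one secret with the AWS SDK as the pod process starts. Values stay in
    process memory only; nothing lands in a Kubernetes Secret object or on disk.
    Assumption: the pod's IAM identity is allowed secretsmanager:GetSecretValue."""
    if client is None:
        import boto3  # lazy import: the module still loads where boto3 is absent
        client = boto3.client("secretsmanager")
    return parse_secret_value(client.get_secret_value(SecretId=secret_id))


class FakeSecretsManagerClient:
    """Constructed stand-in returning canned GetSecretValue responses offline."""
    def __init__(self, secrets: Dict[str, Dict[str, Any]]) -> None:
        self._secrets = secrets

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        return dict(self._secrets[SecretId])


# Constructed sample responses, shaped like what boto3 returns for each secret type.
SAMPLE_RESPONSES = {
    "prod/app/db": {"SecretString": json.dumps({"username": "app", "password": "s3cr3t", "port": 5432})},
    "prod/app/tls": {"SecretBinary": b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----"},
}
```

Because the value is read once, a rotated secret is only picked up on the next process start; re-fetching on a timer or after an authentication failure is the usual remedy.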