A Secret is a Kubernetes object that holds a small piece of sensitive data, such as a password, a token, or a key. Secrets have to be managed: a cluster can accumulate hundreds of them, and managing their life cycle (creation, storage, rotation, and revocation) by hand becomes hard. Third-party secrets-management tools ease this. The External Secrets Operator (ESO) brings the secrets stored in those tools into your cluster, so your applications keep using ordinary Kubernetes Secrets. In other words, Kubernetes Secret management with the External Secrets Operator synchronizes secrets from external APIs into Kubernetes.

Synchronizing external secrets from AWS Secrets Manager

Let’s go through the steps for synchronizing a secret from the AWS Secrets Manager to your EKS cluster using the External Secrets Operator.

Prerequisites

Install the External Secrets Operator.

Step 1. Deploy the External Secrets Operator to the EKS cluster with Helm using the following command.

Step 2. Run the following command to verify the External Secrets Operator resources.

Expected output:

Mapping IAM Role to Service Account (IRSA)

To let the External Secrets Operator read secrets from AWS Secrets Manager, we have to configure credentials for it. Use IAM Roles for Service Accounts (IRSA) to manage the credentials: map an IAM role to a Kubernetes service account and configure your pods to use that service account. IRSA requires an IAM OIDC provider for your EKS cluster, so create one first.

Step 1. Use the command below to create an OIDC Provider.

Step 2. Use the eksctl command to create a service account.

The image below shows an example of a secret with the name test/mc/testSecret created on AWS Secrets Manager.

(Image: the secret test/mc/testSecret as shown in the AWS Secrets Manager console.)

In the command above, ‘eksctl create iamserviceaccount’ takes an IAM policy ARN as an argument, creates an IAM role with that policy attached, and maps a Kubernetes service account to that role.

Step 3. Run the command below to verify the service account.

Expected output:
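
The installation steps and the IRSA steps above (OIDC provider, IAM policy, iamserviceaccount, verification) collected into one script, added here as an example; it is not the post's own command listing. The cluster name demo-eks, region us-east-1, account id 111122223333, namespace default, service account name external-secrets-sa and policy name ESOSecretsManagerRead are assumed values that can be overridden through environment variables. The IAM policy it writes is scoped to secrets under the test/mc/ prefix, which is the least-privilege shape a practitioner wants instead of a blanket Secrets Manager read permission. With DRY_RUN=1 (the default) it prints each command instead of running it; set DRY_RUN=0 to execute against a real cluster.

```shell
#!/bin/sh
# Added example, not the post's own listing: install External Secrets Operator with
# Helm and set up IRSA with a least-privilege IAM policy. All values below are assumed
# and can be overridden through the environment; DRY_RUN=1 (default) only prints commands.
set -eu

CLUSTER="${CLUSTER:-demo-eks}"               # assumed EKS cluster name
REGION="${REGION:-us-east-1}"                # assumed region
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"     # placeholder AWS account id
APP_NS="${APP_NS:-default}"                  # namespace of the SecretStore and the IRSA SA
SA_NAME="${SA_NAME:-external-secrets-sa}"    # assumed IRSA service account name
ESO_NS="${ESO_NS:-external-secrets}"         # assumed operator namespace
POLICY_NAME="${POLICY_NAME:-ESOSecretsManagerRead}"  # assumed IAM policy name
DRY_RUN="${DRY_RUN:-1}"

# run: print the command line in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read-only Secrets Manager policy scoped to the test/mc/ prefix that holds the post's
# example secret test/mc/testSecret. The narrow Resource ARN is the point: the role the
# operator assumes cannot read any other secret in the account.
iam_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:${REGION}:${ACCOUNT_ID}:secret:test/mc/*"
    }
  ]
}
EOF
}

policy_arn() {
  printf 'arn:aws:iam::%s:policy/%s\n' "$ACCOUNT_ID" "$POLICY_NAME"
}

# Install step 1: deploy the operator chart.
install_eso() {
  run helm repo add external-secrets https://charts.external-secrets.io
  run helm repo update
  run helm install external-secrets external-secrets/external-secrets \
    --namespace "$ESO_NS" --create-namespace
}

# Install step 2: the controller pods and the CRDs should exist.
verify_eso() {
  run kubectl get pods -n "$ESO_NS"
  run kubectl get crd externalsecrets.external-secrets.io secretstores.external-secrets.io
}

# IRSA step 1: the OIDC provider lets IAM trust tokens issued by the cluster.
create_oidc_provider() {
  run eksctl utils associate-iam-oidc-provider \
    --cluster "$CLUSTER" --region "$REGION" --approve
}

# IRSA step 2: create the policy, then the role plus the annotated service account.
create_irsa() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'aws iam create-policy --policy-name %s --policy-document <json above>\n' "$POLICY_NAME"
  else
    aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "$(iam_policy_json)"
  fi
  run eksctl create iamserviceaccount \
    --name "$SA_NAME" --namespace "$APP_NS" --cluster "$CLUSTER" --region "$REGION" \
    --attach-policy-arn "$(policy_arn)" --approve
}

# IRSA step 3: the service account must carry the eks.amazonaws.com/role-arn annotation.
verify_irsa() {
  run kubectl get sa "$SA_NAME" -n "$APP_NS" -o yaml
}

iam_policy_json
install_eso
verify_eso
create_oidc_provider
create_irsa
verify_irsa
```

The service account is created in the application namespace (default here) rather than in the operator's namespace, because the SecretStore that references it later lives in that namespace. If a policy with the same name already exists, `aws iam create-policy` fails; reuse its ARN with the POLICY_NAME variable instead of creating a second one.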

Synchronizing an ExternalSecret with the AWS Secrets Manager secret

Next, create a SecretStore that references AWS Secrets Manager and an ExternalSecret that uses it. SecretStore and ExternalSecret are user-friendly wrappers around the external API that stores and manages the secrets; the SecretStore custom resource holds the authentication and access configuration for the external secret store.

Step 1. Create SecretStore by running the command:

Step 2. Run the command below to create the ExternalSecret. The controller will create a Kubernetes Secret with the name given in “spec.target.name”.

Step 3. Verify the Kubernetes secret using the command:

The ExternalSecret is now synced with the secret stored in AWS Secrets Manager. The controller has created the Kubernetes Secret, and you can use it like any other Secret.
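
The three steps of this section (SecretStore, ExternalSecret, verification) as one script, added here as an example; the manifests are not the post's own. It assumes the IRSA service account external-secrets-sa already exists in namespace default with its role annotation, that the region is us-east-1, and that the Kubernetes Secret should be named test-secret; the remote key test/mc/testSecret is the secret from the post. The ExternalSecret uses dataFrom/extract, which copies every key of the remote JSON secret, so nothing is assumed about the key names inside it. DRY_RUN=1 (the default) prints the manifests and commands; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example, not the post's own manifests: create the SecretStore and ExternalSecret
# that pull test/mc/testSecret from AWS Secrets Manager, then verify the synced Secret.
# Names below are assumed and overridable; DRY_RUN=1 (default) prints instead of applying.
set -eu

REGION="${REGION:-us-east-1}"                      # assumed region
APP_NS="${APP_NS:-default}"                        # namespace of SecretStore, SA and Secret
SA_NAME="${SA_NAME:-external-secrets-sa}"          # IRSA service account (must be in APP_NS)
STORE_NAME="${STORE_NAME:-aws-secretsmanager}"     # assumed SecretStore name
REMOTE_KEY="${REMOTE_KEY:-test/mc/testSecret}"     # the secret name from the post
TARGET_SECRET="${TARGET_SECRET:-test-secret}"      # spec.target.name, assumed
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# SecretStore: provider settings plus the auth method. With jwt/serviceAccountRef the
# operator requests a projected token for the IRSA service account and assumes its IAM
# role, so no long-lived AWS access keys are stored anywhere in the cluster.
secretstore_manifest() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: ${STORE_NAME}
  namespace: ${APP_NS}
spec:
  provider:
    aws:
      service: SecretsManager
      region: ${REGION}
      auth:
        jwt:
          serviceAccountRef:
            name: ${SA_NAME}
EOF
}

# ExternalSecret: which remote secret to fetch and which Kubernetes Secret to write.
# creationPolicy Owner makes the Secret owned by the ExternalSecret, so deleting the
# ExternalSecret also removes the Secret; refreshInterval controls how often ESO re-reads
# the remote value, which is what makes rotation in Secrets Manager reach the cluster.
externalsecret_manifest() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ${TARGET_SECRET}
  namespace: ${APP_NS}
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: ${STORE_NAME}
    kind: SecretStore
  target:
    name: ${TARGET_SECRET}
    creationPolicy: Owner
  dataFrom:
    - extract:
        key: ${REMOTE_KEY}
EOF
}

# Steps 1 and 2: apply both manifests.
apply_manifests() {
  if [ "$DRY_RUN" = 1 ]; then
    secretstore_manifest
    printf -- '---\n'
    externalsecret_manifest
    printf 'kubectl apply -f - <manifests above>\n'
  else
    { secretstore_manifest; printf -- '---\n'; externalsecret_manifest; } | kubectl apply -f -
  fi
}

# Step 3: the store and the ExternalSecret should report Ready, and the Secret should
# exist. describe lists key names and sizes only, so the values are not echoed to the
# terminal or into shell history.
verify_sync() {
  run kubectl get secretstore "$STORE_NAME" -n "$APP_NS"
  run kubectl get externalsecret "$TARGET_SECRET" -n "$APP_NS"
  run kubectl describe secret "$TARGET_SECRET" -n "$APP_NS"
}

apply_manifests
verify_sync
```

If the ExternalSecret stays not Ready, `kubectl describe externalsecret test-secret -n default` shows the provider error in its status conditions; an AccessDenied there usually means the IAM policy's Resource ARN does not cover the requested key.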

Destroy

Run the following commands to destroy the resources you created; this step is mandatory.
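
A teardown script for the resources created in this walkthrough, added here as an example and not the post's own command listing. It uses the same assumed names as the earlier examples (cluster demo-eks, region us-east-1, placeholder account 111122223333, namespace default, service account external-secrets-sa, policy ESOSecretsManagerRead, SecretStore aws-secretsmanager, Secret test-secret); the remote secret test/mc/testSecret comes from the post. The order matters: the ExternalSecret goes first so that the Kubernetes Secret it owns is garbage-collected, the IAM role must be gone before its policy can be deleted, and the remote secret is deleted last with the Secrets Manager default recovery window. DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 runs them.

```shell
#!/bin/sh
# Added example, not the post's own listing: remove everything the walkthrough created,
# in dependency order. Names are assumed and overridable; DRY_RUN=1 (default) prints only.
set -eu

CLUSTER="${CLUSTER:-demo-eks}"                     # assumed EKS cluster name
REGION="${REGION:-us-east-1}"                      # assumed region
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"           # placeholder AWS account id
APP_NS="${APP_NS:-default}"
SA_NAME="${SA_NAME:-external-secrets-sa}"
ESO_NS="${ESO_NS:-external-secrets}"
POLICY_NAME="${POLICY_NAME:-ESOSecretsManagerRead}"
STORE_NAME="${STORE_NAME:-aws-secretsmanager}"
TARGET_SECRET="${TARGET_SECRET:-test-secret}"
REMOTE_KEY="${REMOTE_KEY:-test/mc/testSecret}"     # the secret name from the post
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

teardown() {
  # 1. ExternalSecret first: with creationPolicy Owner the generated Secret is owned by
  #    it and is garbage-collected, so no stale copy of the secret stays in the cluster.
  run kubectl delete externalsecret "$TARGET_SECRET" -n "$APP_NS" --ignore-not-found
  run kubectl delete secretstore "$STORE_NAME" -n "$APP_NS" --ignore-not-found
  # 2. The operator. helm uninstall leaves the CRDs in place; deleting the CRDs would
  #    remove every ExternalSecret in the cluster, so only do that if nothing else uses ESO.
  run helm uninstall external-secrets -n "$ESO_NS"
  run kubectl delete namespace "$ESO_NS" --ignore-not-found
  # 3. IRSA: removes the IAM role and the service account that eksctl created.
  run eksctl delete iamserviceaccount \
    --name "$SA_NAME" --namespace "$APP_NS" --cluster "$CLUSTER" --region "$REGION"
  # 4. The policy (its role must already be gone), then the remote secret itself, which
  #    is scheduled for deletion after the default recovery window rather than at once.
  run aws iam delete-policy --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${POLICY_NAME}"
  run aws secretsmanager delete-secret --secret-id "$REMOTE_KEY" --region "$REGION"
}

teardown
```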

Conclusion

Kubernetes Secret management with the External Secrets Operator lets you use your externally stored secrets inside the cluster. ESO integrates with external secrets-management systems such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, and many others, and synchronizes secrets from their APIs into Kubernetes.

Metclouds Technologies helps you to manage Kubernetes secrets with External Secrets Operator.