A Kubernetes Secret is an object that holds a small piece of sensitive data such as a password, a token, or a key, and those secrets have to be managed. A cluster can easily hold hundreds of them, and managing each secret's life cycle (creation, storage, rotation, and revocation) by hand quickly becomes hard. Using a third-party secrets management tool eases this. The External Secrets Operator (ESO) brings the secrets stored in such a tool into your cluster, so your applications keep consuming ordinary Kubernetes Secrets while ESO keeps them synchronized with the external API.
Synchronizing external secrets from AWS Secrets Manager
Let’s go through the steps for synchronizing a secret from the AWS Secrets Manager to your EKS cluster using the External Secrets Operator.
Install the External Secrets Operator.
Step 1. The command for deploying External Secrets Operator to the EKS cluster using Helm is as follows.
Step 2. Run the following command to verify the External Secrets Operator resources.
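The two installation steps, as an added example rather than the post's own commands. The chart repository, chart name and CRD names are the ones the external-secrets project publishes; the namespace external-secrets is a conventional choice, and the two verification helpers read `kubectl` output from stdin so they can be checked without a cluster.

```shell
#!/bin/sh
# Added example (not the original post's commands): install the External
# Secrets Operator with Helm and verify that its CRDs and pods are present.
set -eu

ESO_NAMESPACE="${ESO_NAMESPACE:-external-secrets}"   # conventional, not required

# CRDs the operator registers; a SecretStore or ExternalSecret manifest cannot
# be applied until all three exist.
ESO_EXPECTED_CRDS="externalsecrets.external-secrets.io
secretstores.external-secrets.io
clustersecretstores.external-secrets.io"

# Step 1: install (or upgrade) the operator. installCRDs=true lets the chart
# manage the CRDs so the manifests in later steps can be applied.
eso_install() {
  helm repo add external-secrets https://charts.external-secrets.io
  helm repo update
  helm upgrade --install external-secrets external-secrets/external-secrets \
    --namespace "$ESO_NAMESPACE" --create-namespace \
    --set installCRDs=true
}

# Reads `kubectl get crd -o name` output (one
# customresourcedefinition.apiextensions.k8s.io/<name> per line), prints every
# expected CRD that is absent, and returns 1 if any is missing.
eso_crds_missing() {
  found=$(sed 's#^.*/##')
  missing=0
  for crd in $ESO_EXPECTED_CRDS; do
    if ! printf '%s\n' "$found" | grep -qxF "$crd"; then
      echo "$crd"
      missing=1
    fi
  done
  return $missing
}

# Reads `kubectl get pods` output and prints how many pods are Running
# (STATUS is the third column; the header row is skipped).
eso_running_pods() {
  awk 'NR > 1 && $3 == "Running" { n++ } END { print n + 0 }'
}

# Step 2: verify. The default chart runs three pods: controller, webhook and
# cert-controller.
eso_verify() {
  kubectl get crd -o name | eso_crds_missing
  running=$(kubectl get pods -n "$ESO_NAMESPACE" | eso_running_pods)
  [ "$running" -ge 3 ] || { echo "expected 3 Running pods, got $running" >&2; return 1; }
  echo "External Secrets Operator is ready ($running pods Running)"
}

# Only touch a cluster when explicitly asked, so the helpers can be sourced
# and checked offline.
if [ "${ESO_APPLY:-0}" = 1 ]; then
  eso_install
  eso_verify
fi
```

Run it with `ESO_APPLY=1 sh install-eso.sh` against a cluster; without the variable it only defines the functions.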
Mapping IAM Role to Service Account (IRSA)
To let the External Secrets Operator read secrets from AWS Secrets Manager, it needs AWS credentials. Use IAM Roles for Service Accounts (IRSA) to manage them: map an IAM role to a Kubernetes service account and configure your pods to use that service account, so no static AWS keys are stored in the cluster. IRSA requires an IAM OIDC provider for your EKS cluster.
Step 1. Use the command below to create an OIDC Provider.
Step 2. Use the eksctl command to create a service account.
The image below shows an example of a secret with the name test/mc/testSecret created on AWS Secrets Manager.
In the command above, ‘eksctl create iamserviceaccount’ takes an IAM policy ARN as an argument, creates an IAM role with that policy attached, and maps a Kubernetes service account to that role.
Step 3. Run the command below to verify the service account.
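The three IRSA steps, as an added example rather than the post's own commands, including a least-privilege IAM policy scoped to the post's example secret test/mc/testSecret. The cluster name, region, account id, policy name, namespace and service account name are placeholders to replace for your environment.

```shell
#!/bin/sh
# Added example (not the original post's commands): enable IRSA on the
# cluster and create a service account bound to a least-privilege IAM role.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-my-eks-cluster}"       # placeholder
AWS_REGION="${AWS_REGION:-eu-west-1}"                # placeholder
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"     # placeholder
SA_NAMESPACE="${SA_NAMESPACE:-default}"              # namespace of the SecretStore that will use the SA
SA_NAME="${SA_NAME:-external-secrets-sa}"            # assumed name
POLICY_NAME="${POLICY_NAME:-ESOReadTestSecret}"      # assumed name

# Least-privilege policy: read access to one secret only. Secrets Manager
# appends a random 6-character suffix to secret ARNs, hence the "-??????"
# wildcard. Prefer this over the broad SecretsManagerReadWrite managed policy.
eso_iam_policy() {
  secret_arn="arn:aws:secretsmanager:$AWS_REGION:$AWS_ACCOUNT_ID:secret:$1-??????"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "$secret_arn"
    }
  ]
}
EOF
}

# Step 1: register the cluster's OIDC issuer as an IAM identity provider.
irsa_enable_oidc() {
  eksctl utils associate-iam-oidc-provider \
    --cluster "$CLUSTER_NAME" --region "$AWS_REGION" --approve
}

# Step 2: create the policy, then the role and the service account mapping.
irsa_create_service_account() {
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(eso_iam_policy 'test/mc/testSecret')" \
    --query 'Policy.Arn' --output text)
  eksctl create iamserviceaccount \
    --name "$SA_NAME" --namespace "$SA_NAMESPACE" \
    --cluster "$CLUSTER_NAME" --region "$AWS_REGION" \
    --attach-policy-arn "$policy_arn" --approve
}

# Step 3: verify the mapping. IRSA adds this annotation; if it is missing,
# pods using the service account fall back to the node's instance role.
irsa_verify() {
  kubectl get serviceaccount "$SA_NAME" -n "$SA_NAMESPACE" \
    -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'
  echo
}

if [ "${IRSA_APPLY:-0}" = 1 ]; then
  irsa_enable_oidc
  irsa_create_service_account
  irsa_verify
fi
```

The policy is generated by a function so the same document can be reviewed (`sh irsa.sh` then `eso_iam_policy test/mc/testSecret`) before anything is created with `IRSA_APPLY=1`.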
Synchronizing an ExternalSecret with the AWS Secrets Manager secret
Next, create a SecretStore that references AWS Secrets Manager and an ExternalSecret that uses it. SecretStore and ExternalSecret are user-friendly wrappers around the external API that stores and manages the secrets: the SecretStore CRD handles authentication and access to the external store, and the ExternalSecret declares which external secret to fetch and which Kubernetes Secret to create from it.
Step 1. Create SecretStore by running the command:
Step 2. Run the command below to create the ExternalSecret. The controller will create a Kubernetes Secret with the name given in spec.target.name.
Step 3. Verify the Kubernetes secret using the command:
The ExternalSecret is now synced to the secret stored in AWS Secrets Manager. The controller has already created the Kubernetes Secret, and you can use it like any other Secret.
Run the following commands to destroy the resources you created; this cleanup is mandatory.
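The SecretStore and ExternalSecret steps above, the verification, and the teardown, as an added example rather than the post's own manifests or commands. The namespace default, the service account name external-secrets-sa, the region, the target Secret name test-secret and the JSON property password inside test/mc/testSecret are assumptions; the SecretStore authenticates through the IRSA service account, so no AWS access keys appear anywhere.

```shell
#!/bin/sh
# Added example (not the original post's manifests): SecretStore,
# ExternalSecret, a status check, and cleanup for the AWS Secrets Manager flow.
set -eu

APP_NAMESPACE="${APP_NAMESPACE:-default}"               # assumed
AWS_REGION="${AWS_REGION:-eu-west-1}"                   # placeholder
SA_NAME="${SA_NAME:-external-secrets-sa}"               # IRSA service account (assumed name)
REMOTE_SECRET="${REMOTE_SECRET:-test/mc/testSecret}"    # the post's example secret
TARGET_SECRET="${TARGET_SECRET:-test-secret}"           # assumed Kubernetes Secret name

# Step 1: SecretStore. auth.jwt.serviceAccountRef makes ESO exchange the
# service account's projected token for the IRSA role, so no static AWS
# credentials are stored in the cluster.
secretstore_manifest() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager
  namespace: $APP_NAMESPACE
spec:
  provider:
    aws:
      service: SecretsManager
      region: $AWS_REGION
      auth:
        jwt:
          serviceAccountRef:
            name: $SA_NAME
EOF
}

# Step 2: ExternalSecret. "property" picks one key out of a JSON secret; omit
# it to copy the whole secret string. refreshInterval is how often ESO re-reads
# the source, which is what lets a rotation in Secrets Manager propagate.
externalsecret_manifest() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test-external-secret
  namespace: $APP_NAMESPACE
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secretsmanager
    kind: SecretStore
  target:
    name: $TARGET_SECRET
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: $REMOTE_SECRET
        property: password
EOF
}

# Reads `kubectl get externalsecret` output and prints the STATUS column of
# the named ExternalSecret ("SecretSynced" means the sync succeeded).
externalsecret_status() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $4 }'
}

apply_all() {
  secretstore_manifest | kubectl apply -f -
  externalsecret_manifest | kubectl apply -f -
}

# Step 3: verify. Report the decoded value's length instead of printing it,
# so the secret does not end up in shell history or CI logs.
verify() {
  status=$(kubectl get externalsecret -n "$APP_NAMESPACE" \
    | externalsecret_status test-external-secret)
  [ "$status" = "SecretSynced" ] || { echo "ExternalSecret status: $status" >&2; return 1; }
  n=$(kubectl get secret "$TARGET_SECRET" -n "$APP_NAMESPACE" \
    -o jsonpath='{.data.password}' | base64 -d | wc -c)
  echo "$TARGET_SECRET/password synced ($n bytes)"
}

# Teardown. With creationPolicy: Owner the generated Secret is garbage
# collected together with its ExternalSecret.
cleanup() {
  kubectl delete externalsecret test-external-secret -n "$APP_NAMESPACE" --ignore-not-found
  kubectl delete secretstore aws-secretsmanager -n "$APP_NAMESPACE" --ignore-not-found
}

case "${1:-}" in
  apply)   apply_all ;;
  verify)  verify ;;
  cleanup) cleanup ;;
esac
```

Usage: `sh eso-sync.sh apply`, then `sh eso-sync.sh verify`, and `sh eso-sync.sh cleanup` when you are done; the IAM role and policy from the IRSA step are removed separately with `eksctl delete iamserviceaccount` and `aws iam delete-policy`.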
Kubernetes Secret management with the External Secrets Operator helps you make use of your external secrets. ESO integrates external secrets-management systems such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, and many others, and synchronizes secrets from their APIs into Kubernetes.
Metclouds Technologies helps you to manage Kubernetes secrets with External Secrets Operator.