AWS EKS & Secrets Manager (File & Env | Kubernetes | Secrets Store CSI Driver | K8s)



AWS Secrets Manager lets you securely retrieve secrets for use in your Amazon EKS Kubernetes pods.

☕ – Buy me a coffee: https://www.buymeacoffee.com/antonputra
🤝 – Add me on LinkedIn: https://www.linkedin.com/in/anton-putra

Related Videos
– AWS Lambda Secrets Manager Example: 2 Ways to Grant Access | Resource Permissions: https://youtu.be/_VI2JkSo3DY
– EKS Cluster Auto Scaling (Kubernetes Autoscaler | EKS Cluster Autoscaler | EKS Autoscale Nodes): https://youtu.be/gwmdboC-BtE

=========
⏱️TIMESTAMPS⏱️
0:00 Intro
0:43 Create IAM User with Full Access
1:20 Create Secret in AWS Secrets Manager
2:32 Create EKS Cluster Using eksctl
3:59 Create IAM OIDC Provider for EKS
4:58 Create IAM Policy to Read Secrets
5:42 Create IAM Role for a Kubernetes Service Account
6:14 Associate an IAM Role with Kubernetes Service Account
7:51 Install the Kubernetes Secrets Store CSI Driver
10:51 Install AWS Secrets & Configuration Provider (ASCP)
12:20 Create Secret Provider Class
13:07 Demo
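
The steps above as one script, added here as an example that is not code from the video or its GitHub repo. Cluster "demo", namespace "default", service account "api", region us-east-1 and a secret "dev/service/token" whose value is the JSON document {"token": "..."} are assumptions chosen for the demo. With no argument (or "show") it only prints the IAM policy and the manifests it would apply; with "apply" it runs the eksctl, aws, helm and kubectl commands against a real account.

```shell
#!/usr/bin/env sh
# Added example (not the video's or repo's code): OIDC provider, least-privilege IAM
# policy, IRSA service account, Secrets Store CSI driver, ASCP, SecretProviderClass and
# a pod that reads the secret both as a file and as an env var. All names are assumptions.
set -eu

CLUSTER="${CLUSTER:-demo}"; REGION="${REGION:-us-east-1}"; NAMESPACE="${NAMESPACE:-default}"
SA="${SA:-api}"; SECRET_NAME="${SECRET_NAME:-dev/service/token}"; SECRET_KEY="${SECRET_KEY:-token}"

# Read-only policy scoped to one secret. Secrets Manager appends a random 6-character
# suffix to the secret ARN, so the resource must end in "-*" or GetSecretValue is denied.
iam_policy_json() {
  region="$1"; account="$2"; secret="$3"
  cat <<EOF
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
   "Resource": "arn:aws:secretsmanager:${region}:${account}:secret:${secret}-*"}]}
EOF
}

# jmesPath pulls one key out of the JSON secret, so the mounted file and the synced
# Kubernetes Secret hold the bare value instead of the whole key/value document.
# secretObjects tells the driver (installed with syncSecret.enabled=true) to mirror that
# value into a Kubernetes Secret, which is what an env var can reference.
secret_provider_class() {
  secret="$1"; key="$2"
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata: {name: aws-secrets}
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "${secret}"
        objectType: "secretsmanager"
        jmesPath:
          - {path: ${key}, objectAlias: service-token}
  secretObjects:
    - secretName: service-token
      type: Opaque
      data:
        - {objectName: service-token, key: ${key}}
EOF
}

# The pod must run as the IRSA service account AND mount the CSI volume: the synced
# Kubernetes Secret behind the env var is only created once such a pod has started.
pod_manifest() {
  sa="$1"; key="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata: {name: api}
spec:
  serviceAccountName: ${sa}
  containers:
    - name: api
      image: public.ecr.aws/docker/library/busybox:stable
      command: ["sh", "-c", "cat /mnt/secrets/service-token; echo; sleep 3600"]
      env:
        - name: SERVICE_TOKEN
          valueFrom:
            secretKeyRef: {name: service-token, key: ${key}}
      volumeMounts:
        - {name: secrets, mountPath: /mnt/secrets, readOnly: true}
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes: {secretProviderClass: aws-secrets}
EOF
}

apply_all() {
  account="$(aws sts get-caller-identity --query Account --output text)"
  eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --region "$REGION" --approve
  policy_arn="$(aws iam create-policy --policy-name "${CLUSTER}-read-secret" \
    --policy-document "$(iam_policy_json "$REGION" "$account" "$SECRET_NAME")" \
    --query Policy.Arn --output text)"
  eksctl create iamserviceaccount --cluster "$CLUSTER" --region "$REGION" \
    --namespace "$NAMESPACE" --name "$SA" --attach-policy-arn "$policy_arn" \
    --override-existing-serviceaccounts --approve
  helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  helm upgrade --install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver \
    --set syncSecret.enabled=true --set enableSecretRotation=true
  kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
  secret_provider_class "$SECRET_NAME" "$SECRET_KEY" | kubectl apply -n "$NAMESPACE" -f -
  pod_manifest "$SA" "$SECRET_KEY" | kubectl apply -n "$NAMESPACE" -f -
}

case "${1:-show}" in
  apply) apply_all ;;
  show)  iam_policy_json "$REGION" 123456789012 "$SECRET_NAME"
         secret_provider_class "$SECRET_NAME" "$SECRET_KEY"
         pod_manifest "$SA" "$SECRET_KEY" ;;
esac
```

Two caveats worth knowing before relying on this: the Kubernetes Secret created through secretObjects only appears after a pod that mounts the CSI volume with that SecretProviderClass has been scheduled, so a Deployment that references the Secret in env without mounting the volume never gets it; and a container's env vars are fixed at start, so after a rotation the file under /mnt/secrets is refreshed on the driver's poll interval (enableSecretRotation=true) while SERVICE_TOKEN keeps the old value until the pod is restarted.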

=========
Source Code
🖥️ – GitHub: https://github.com/antonputra/tutorials/tree/main/lessons/079

=========
SOCIAL
🎙 – Twitter: https://twitter.com/antonvputra
📨 – Email: me@antonputra.com

#EKS #SecretsManager #AWS


22 thoughts on “AWS EKS & Secrets Manager (File & Env | Kubernetes | Secrets Store CSI Driver | K8s)”
  1. Hi Anton, a huge thanks for the great step-by-step demo, but can you confirm if we can integrate Secrets Manager with a k8s cluster running on an on-prem server?
    You mentioned at 4:10 that we just need to create a service account without creating an OIDC provider ID, but it is failing when we create it.

  2. Hi.
    First of all, a really great video which is really helpful.

    I do have a question which I have been unlucky to find any answer to.

    Is it possible to take values from Secrets Manager/Parameter Store which are in key-value format and store them in a specific file?
    For example, taking values from multiple SecretManager endpoints and mounting them as a single file without using an init/sidecar container to do it as part of a script?

    I know that it is possible with HashiCorp Vault, just not sure if it is possible with this too.

    Thanks 🙂

  3. Nice informative content. I am trying to create an environment variable but it says that the k8s secret is not created in the first place. Though I can view the secret value if I just mount the secret in the filesystem.

  4. Great work, just a small note if you accept it: the music is very loud and made me lose focus many times.

  5. Thanks a lot for the step-by-step implementation tutorial. I managed to mount the secret as an environment variable in the container. But if I update the secret value in Secrets Manager, the updated value doesn't show in the container.

  6. The problem with the AWS Secrets Store driver is that you cannot pass multiple key=value pairs into the k8s secret. What's more, in your example you are passing key=value as the ENV value, not the value itself. To pass only the value you need to create the secret in Secrets Manager as plaintext containing the secret value only.

  7. Thank you for the explanation.
    Is it possible to create a k8s cluster on an EC2 instance and then use the AWS CSI driver provider? Also, can we use it with clusters outside AWS?

  8. Thanks a lot for the great video. I was looking for something similar. Just wondering if this works the same way for EKS Fargate as well?

  9. Great video, you are doing a great job. My question is that it is giving JSON output (key/value) instead of the environment variable value which is expected; how can I resolve this for my application? Kindly suggest, thanks.

  10. This is a great step-by-step video, Anton. The GitHub repo is very useful, thank you! May I just ask, when I update the secret in AWS, I can see that it updates the value in /mnt/api-token/secret-token when I restart the pod. However, the environment variable still seems to retain the old value. Would you know if this is expected? And if yes, would you have suggestions on how to keep the secret in sync? Again, this is a very useful tutorial, thank you.

  11. Thank you very much for this video. It really saved my day. I was trying to set an environment variable from the secrets but it was not going well. Your hint in the ClusterRole really helped to solve the problem. Much appreciated.

  12. Hi Anton, thank you for the detailed explanation. Could you confirm if the Secrets Store CSI Driver works on a managed EKS cluster created on Fargate, as you have created a few DaemonSet YAML files?

  13. This works perfectly fine for me when I tried following your solution, but I am seeing AccessDeniedException: User: arn:aws:sts::<ACCOUNT-ID>:assumed-role/dev-eks-irsa/secrets-store-csi-driver-provider-aws is not authorized to perform: secretsmanager:GetSecretValue on resource: dev/service/token. For testing I added the AdministratorAccess permission and it worked, but then I manually deleted the pod and when it tried to mount the volume I started seeing that error again. Not sure why?

  14. Hello Sir,

    I have one question.

    I have hosted the Docker image in ECS.

    My Jenkins server will push the Docker images into ECS.

    Now every 24 hours the ECS secret token expires and I need to add the new token every time manually.

    Is there any method in AWS so that my ECS token updates automatically inside the Jenkins server, so that I don't have to provide the credentials every time?

