Sync secret from AWS Secrets Manager to K8S.

COPPER Nguyen

In the previous post, I showed how we synchronize secrets from Vault to k8s. Today, with external-secrets.io, I will guide you through syncing a secret from AWS Secrets Manager to k8s.

I will use minikube for demo purposes and install external-secrets using helm. Before working with the CLI, I will create aliases for kubectl and helm.

alias k=kubectl
alias h=helm

In the context of this post, I will

  • install the External Secrets Operator using helm
  • create a secret on AWS and name it k8s-dev/api
  • create an AWS IAM access key for the operator
  • sync k8s-dev/api to the dev namespace on k8s

Install External Secrets Operator on K8s.

Install it using helm:

h repo add external-secrets https://charts.external-secrets.io
h install external-secrets \
    external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace \
    --set installCRDs=true

Create Secret On AWS Secrets Manager.

I will create a key/value secret using the AWS console. Name it k8s-dev/api; the secret's content is

{
  "PORT": 5000,
  "USERNAME": "hello"
}

Create AWS IAM Key.

For demo purposes, I will create an IAM user access key that has permission to retrieve every secret whose name starts with k8s-dev.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "readprefixk8sdev",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:ap-southeast-1:020213277421:secret:k8s-dev/*"
    }
  ]
}

After creating the key, I got this key pair. (This key will be deleted once this post is done, so don't waste your time copying it.)

{
  "aws_access_key_id": "AKIAQJNGOELWWV2OXODN",
  "aws_secret_access_key": "iOPJoGK7R2aaqG64fy4WXw8kXGTZ2GmtcWcFdgOc"
}

Create Secret Store on K8S.

I will create a SecretStore custom resource in the dev namespace. Remember to change the key pair to your own.
First create the dev namespace.

Then create the SecretStore. I also create a Secret to hold the key pair values, which the SecretStore references for authentication.

apiVersion: v1
kind: Secret
metadata:
  name: awssm-secret
  namespace: dev
type: Opaque
stringData:
  access-key-id: AKIAQJNGOELWWV2OXODN
  secret-access-key: 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
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secretsmanager
  namespace: dev
spec:
  provider:
    aws:
      service: SecretsManager
      region: ap-southeast-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: awssm-secret
            key: access-key-id
          secretAccessKeySecretRef:
            name: awssm-secret
            key: secret-access-key

Use kubectl to create it.

Use kubectl to retrieve this custom resource.

Sync Secret to K8S.

Currently, the dev namespace only contains awssm-secret.

Let's create an ExternalSecret custom resource to synchronize the k8s-dev/api secret to k8s. The content of api-secret.yaml is as follows. The refreshInterval of 5s means the operator polls AWS every 5 seconds and rewrites the target Secret api-secret when the value changes.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-secret
  namespace: dev
spec:
  refreshInterval: 5s
  secretStoreRef:
    name: aws-secretsmanager
    kind: SecretStore
  target:
    name: api-secret
    creationPolicy: Owner
  dataFrom:
    - extract:
        key: k8s-dev/api

Create it using kubectl.

List the current secrets in the dev namespace.

Describe the api-secret Secret.
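As an added check (example code, not from the original post or the external-secrets project): a small Python script that models how dataFrom.extract turns the k8s-dev/api JSON into Secret keys, then verifies a synced Secret against the AWS value. The AWS secret string and the kubectl JSON output are constructed samples; the extract model assumes non-string JSON values are stored as their JSON text, as with PORT: 5000 above.

```python
import base64
import json
from typing import Dict, List, Tuple

# Constructed sample: the value stored in AWS Secrets Manager under k8s-dev/api
AWS_SECRET_STRING = '{"PORT": 5000, "USERNAME": "hello"}'


def extract_to_secret_data(secret_string: str) -> Dict[str, str]:
    """Model of dataFrom.extract: every top-level JSON key becomes a key in the
    target Secret. Secret data can only hold strings, so a non-string value such
    as PORT: 5000 is kept as its JSON text ("5000"); strings are unquoted."""
    doc = json.loads(secret_string)
    if not isinstance(doc, dict):
        raise ValueError("dataFrom.extract needs a JSON object at the top level")
    return {k: v if isinstance(v, str) else json.dumps(v) for k, v in doc.items()}


def encode_for_k8s(data: Dict[str, str]) -> Dict[str, str]:
    """Base64-encode values the way they appear under .data in a Secret."""
    return {k: base64.b64encode(v.encode()).decode() for k, v in data.items()}


# Constructed sample: trimmed output of `k get secret api-secret -n dev -o json`
K8S_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "api-secret", "namespace": "dev"},
    "type": "Opaque",
    "data": {"PORT": "NTAwMA==", "USERNAME": "aGVsbG8="},
})


def check_sync(k8s_secret_json: str, aws_secret_string: str) -> Tuple[bool, List[str]]:
    """Decode the synced Secret and list keys that are missing, stale or extra
    compared with the AWS value, e.g. a PASSWORD field added in the console
    that has not been picked up within refreshInterval yet."""
    synced = json.loads(k8s_secret_json).get("data", {})
    decoded = {k: base64.b64decode(v).decode() for k, v in synced.items()}
    expected = extract_to_secret_data(aws_secret_string)
    problems = []
    for key, value in expected.items():
        if key not in decoded:
            problems.append(f"missing key {key}")
        elif decoded[key] != value:
            problems.append(f"stale value for {key}")
    problems += [f"extra key {key}" for key in decoded if key not in expected]
    return (not problems, problems)
```

Run check_sync against the real kubectl output to confirm the Secret matches what is stored in AWS before pointing a workload at it.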
Edit secret using AWS Console.

Open the AWS console and update this secret; I will add another field called PASSWORD to it.

Save it and wait 5s for it to be synced to k8s. Describe the Secret again and you will see that its content was updated.

If you want to sync more secrets, simply create more ExternalSecret resources. Thanks for reading this post.