In the previous post, i showed how we synchronize secret from Vault
to k8s, today with external-secrets.io i will guide you how to sync secret from AWS Secret Manager
to k8s.
I will use minikube
for demo purpose, also installing external-secrets
using helm
. Before working with CLI, i will create a alias kubectl
and helm
.
alias k=kubectl
alias h=helm
In the context of this post, i will
- install
external secret
usinghelm
- create a secret on
aws
, name itk8s-dev/api
- create a
aws iam access key
forexternal secret
- sync
k8s-dev/api
todev
namespace onk8s
Install External Secret Operator on K8s.
Install using helm
h repo add external-secrets https://charts.external-secrets.io
h install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace \
--set installCRDs=true
![](https://blog.shiftasia.com/content/images/2023/04/image.png)
![](https://blog.shiftasia.com/content/images/2023/04/image-1.png)
Create Secret On AWS Secret Manager.
I will create a key-vault
secret using aws console
. Name it k8s-dev/api
, the secret's content is
{
"PORT": 5000,
"USERNAME": "hello"
}
![](https://blog.shiftasia.com/content/images/2023/04/image-2.png)
![](https://blog.shiftasia.com/content/images/2023/04/Screenshot-2023-04-10-at-15.17.17.png)
Create AWS Iam Key.
For demo purpose, i will create a iam user key that have permission to retrieve every secret started with k8s-dev
secret.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "readprefixk8sdev",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:ap-southeast-1:020213277421:secret:k8s-dev/*"
}
]
}
For me after creating key i got this key pair. (This key will be deleted after done this post, so don't waste your time to copy it).
{
"aws_access_key_id" = "AKIAQJNGOELWWV2OXODN"
"aws_secret_access_key" = "iOPJoGK7R2aaqG64fy4WXw8kXGTZ2GmtcWcFdgOc"
}
Create Secret Store on K8S.
I will create a SecretStore
crd in dev
namespace. Remember to change your key pair.
First create dev
namespace.
![](https://blog.shiftasia.com/content/images/2023/04/image-3.png)
Create Secret Store
crds, i also create a secret to save key pair value.
apiVersion: v1
kind: Secret
metadata:
name: awssm-secret
namespace: dev
type: Opaque
stringData:
access-key-id: AKIAQJNGOELWWV2OXODN
secret-access-key: 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
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: aws-secretsmanager
namespace: dev
spec:
provider:
aws:
service: SecretsManager
region: ap-southeast-1
auth:
secretRef:
accessKeyIDSecretRef:
name: awssm-secret
key: access-key-id
secretAccessKeySecretRef:
name: awssm-secret
key: secret-access-key
Using kubectl
to create it.
![](https://blog.shiftasia.com/content/images/2023/04/image-4.png)
Using kubectl
to retrieve this custom resource definition.
![](https://blog.shiftasia.com/content/images/2023/04/image-5.png)
Sync Secret to K8S.
Currently on dev
namespace, we only have awssm-secret
.
![](https://blog.shiftasia.com/content/images/2023/04/image-6.png)
Let create another ExternalSecret
crd to synchronize k8s-dev/api
secret to k8s. The content of api-secret.yaml
is like this.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: api-secret
namespace: dev
spec:
refreshInterval: 5s
secretStoreRef:
name: aws-secretsmanager
kind: SecretStore
target:
name: api-secret
creationPolicy: Owner
dataFrom:
- extract:
key: k8s-dev/api
Creating using kubectl
![](https://blog.shiftasia.com/content/images/2023/04/image-7.png)
List current secret on dev
namespace.
![](https://blog.shiftasia.com/content/images/2023/04/image-9.png)
Describe api-secret
secret.
![](https://blog.shiftasia.com/content/images/2023/04/image-10.png)
Edit secret using AWS Console.
Open aws console
update this secret, i will add another field called PASSWORD
to this secret.
![](https://blog.shiftasia.com/content/images/2023/04/Screenshot-2023-04-10-at-15.50.20.png)
Save it and wait for 5s, it will be synced to k8s. Describe it again you will see the content was updated
![](https://blog.shiftasia.com/content/images/2023/04/image-11.png)
If you want to sync more secret, simply create more ExternalSecret
crd. Thank for reading this post.